CertMgr command line parameters
The load certmgr
command can be run with the following parameters.
Parameter | Description |
---|---|
-d | Enables Debug logging to IBM_TECHNICAL_SUPPORT/certmgr_debug_[..].log}) |
-e <file> | Specifies a separate, trusted CA cert file for Curl (default: data-dir: cacerts.pem) |
-g | Avoids checking the challenge before authorization if the server can't reach itself. If outside and inside connections are handled differently, allows the certificate request to complete when Let's Encrypt® can reach the server but the server can't reach itself. |
-i <interval in seconds> | Configures the interval to wait between processing
requests. notes.ini equivalent: CertMgr_Interval |
-l | Logs curl requests to (IBM_TECHNICAL_SUPPORT/certmgr_curl__[..].log}) |
-1 | Runs CertMgr once and then terminates. Can be useful for testing. |
-o | Starts HTTP when using -c and HTTP is not running. Note: To start HTTP automatically, you must
still configure the ServerTasks notes.ini setting or a Program
document. notes.ini equivalent: CertMgr_AutoConfigHttp |
-r | Requests a certificate for the current server. notes.ini equivalent: CertMgr_AutoRequestCert |
-u | Allows untrusted TLS certificates. Can be useful for testing. |
-U | Don't verify TLS hosts. Can be useful for testing. |
-v | Enables Verbose logging. |
-z | Gets directory URLs only and terminates. Can be useful for testing. |
-ACCEPT_TOU | Accepts the Let's Encrypt® terms and
services. Used with -r. notes.ini equivalent: CertMgr_ACCEPT_TOU |
-importkyr key.kyr | all | Migrates a specific keyring file or all keyring files currently
configured for a Domino server in a Server document or Web site
document into a TLS Credentials document. The existing keyring files
remain on disk. The files must have the .kyr extension. The command can be run from any Domino 12 or later server with a certstore.nsf replica. |
-importpem file.pem | Imports a .pem file with a certificate chain and a private key into a new TLS Credentials document. Certificates in the chain do not need to be specified in a specific order. The .pem file is deleted upon a successful import. |
-MIGRATETOSERVER servername | Migrates the CertMgr process to a specified new server by using
the new server to re-encyrpt all private keys in certstore.nsf. The
new server must be a valid Domino server in the Domino domain with a
replica of certstore.nsf. Run the command on the current CertMgr
server. Before running the command, ensure all CertMgr processes
are complete and then issue |
-showcerts | Shows information about the currently loaded TLS credentials in certstore.nsf. To show this information on a server that runs CertMgr, you can also use use tell certmgr show certs. |
-showocsp | Uses Online Certificate Status Protocol (OCSP) to show the
revocation state of TLS credentials in certstore.nsf To show this
information on a server that runs CertMgr, you can also use
tell certmgr show ocsp.
Requires OCSP to be enabled. If not enabled, the following error is shown: CertMgr: OCSP is disabled on this server. Set a OCSP responder URL via notes.ini 'OCSP_RESPONDER'). |