Setting up the Domino credential and certificate stores

The Domino server that runs the Exchange Connector (ExConn) task must have a credential store and a certificate store that is properly configured for free time lookups in Microsoft 365.

Procedure

  1. If you don't have a credential store on the server that runs ExConn, create one according to the procedure that applies to your environment in Using a credential store to store credentials.
  2. If you don't have a certificate store on that server, create one as follows:
    1. Create a certificate store on the server using the load certmgr console command. This starts the Certificate Manager task, which will create the certstore.nsf database.
    2. Open certstore.nsf.
    3. In the navigation pane, click Certificate Authorities in the list of configurations. Then click Add Account to add a new certificate authority.
    4. On the Basics tab of the Certificate Authority document, do NOT enable the certificate authority. Simply configure it by giving it any name and selecting MicroCA in the Type field.
      Note: CertMgr will automatically enable the authority after it creates the private key and certificate.
    5. Click Save & Close.
  3. Obtain two DigiCert Global Root certificates from Microsoft and add them to certstore.nsf. You can import these certificates in one of the following ways:
    • (Recommended) If you have administrative access to the console on the CertMgr server, you can use the CertMgr console command to import DigiCert Global Root CA and DigiCert Global Root G2 (which exist in the Domino directory) into certstore.nsf as follows:
      1. Run the following commands:
        load certmgr -ImportRootFromUrl https://login.microsoft.com
        load certmgr -ImportRootFromUrl https://graph.microsoft.com

        CertMgr adds the trusted root documents to certstore.nsf.

      2. Skip to the third substep of step 4.
    • Alternatively, you can manually copy the PEM-encoded certificates for the trusted roots and paste them into certstore.nsf on the CertMgr server as follows:
      1. Locate "DigiCert Global Root CA" and "DigiCert Global Root G2" in the cacert.pem file in the Domino data directory.
      2. Copy and paste the trusted roots to certstore.nsf as follows:
        1. In the navigation pane of certstore.nsf, click Trusted Roots and then click Add Trusted Root.
        2. From step 3, copy the first certificate from the BEGIN CERTIFICATE line to the END CERTIFICATE line, and then click Paste Certificate.

          [Figure: Trusted Root form]

        3. Click Submit.
        4. Repeat for the second certificate.
  4. Add TLS credentials as follows:
    1. In the navigation pane, click By HostName in the list of TLS credentials, and then click Add TLS Credentials.
    2. On the Main tab, fill in the following fields as shown:

      [Figure: TLS Credentials form]

      • For Host names enter the DNS name or names.
      • For Servers with access enter the DNS name or names.
      • For Certificate provider enter MicroCA.
      • For Certificate authority enter the certificate authority added in step 2.
      • For Keyring file enter the server's keyring file, for example keyfile.kyr or ServerName_keyfile.kyr.
    3. On the Security/Keys tab in the Trusted Roots section, enter the names of the DigiCert Global Root certificates that you added using the second (alternative) approach in step 3.
      Note: If you used the CertMgr console commands to add the certificates, you can just select the certificates and mark them as validated/trusted.
    4. Click Submit Request.
  5. Restart the Domino server.
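
For the manual approach in step 3, the following added example (not HCL code) pulls the two named roots out of a PEM bundle by exact label and prints each block with the SHA-256 fingerprint of its DER bytes. It assumes cacert.pem uses the curl-style layout, with each name on its own line above the certificate; the function names and the sample bundle are constructed for illustration and contain no real certificates.

```python
import base64
import hashlib
import re

# Root names the procedure says to locate in cacert.pem.
WANTED = ("DigiCert Global Root CA", "DigiCert Global Root G2")
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----", re.S)

def extract_roots(bundle_text, wanted=WANTED):
    """Return {name: (pem_block, sha256_hex_of_der)} for each wanted root.

    Assumption: the exact name is the last text line above its block,
    optionally followed by an '=====' underline (curl-style bundle).
    """
    found, pos = {}, 0
    for m in PEM_BLOCK.finditer(bundle_text):
        header, pos = bundle_text[pos:m.start()], m.end()
        labels = [s.strip() for s in header.splitlines()
                  if s.strip() and set(s.strip()) != {"="}]
        # Exact match only, so similarly named roots are never picked up.
        if not labels or labels[-1] not in wanted:
            continue
        name = labels[-1]
        if name in found:
            raise ValueError(f"duplicate entry for {name!r}")
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        found[name] = (m.group(0), hashlib.sha256(der).hexdigest())
    missing = [n for n in wanted if n not in found]
    if missing:
        raise LookupError(f"not found in bundle: {missing}")
    return found

def fake_entry(name, payload):
    """Build a constructed bundle entry; payload is NOT a real certificate."""
    body = base64.b64encode(payload).decode()
    return (f"{name}\n{'=' * len(name)}\n-----BEGIN CERTIFICATE-----\n"
            f"{body}\n-----END CERTIFICATE-----\n\n")

# Constructed sample bundle with a near-name decoy (G3) between the targets.
SAMPLE_BUNDLE = "".join([
    fake_entry("DigiCert Global Root CA", b"constructed-der-ca"),
    fake_entry("DigiCert Global Root G3", b"constructed-der-g3"),
    fake_entry("DigiCert Global Root G2", b"constructed-der-g2"),
])

if __name__ == "__main__":
    for name, (pem, fp) in extract_roots(SAMPLE_BUNDLE).items():
        print(f"{name}\n  SHA-256: {fp}\n{pem}\n")
```

Run against the real cacert.pem, the printed fingerprints can be compared with the values DigiCert publishes for these roots before the blocks are pasted into certstore.nsf.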

What to do next

Do the steps in Adding an application in Microsoft Azure AD.