Certificate URL health check
CertMgr supports validation of the TLS certificate served on the target URL endpoints specified in a TLS Credentials document. This validation checks for certificate expiration and notifies the administrator when the certificate has expired.
The standard certificate health check already warns about expiring certificates stored in certstore.nsf; the URL health check complements it by examining the certificate actually deployed on the remote endpoint.
Especially in the case of exported wildcard certificates (for example, for SafeLinx, Sametime, and Nomad Web), verifying the health of the certificate provides an easy way for administrators to manage the certificates in their Domino ecosystem.
CertMgr establishes a TLS connection to each remote endpoint named by its URL and checks the expiration of the certificate actually served by that endpoint.
Supported URL syntax
An entry is a URL with or without the https:// prefix, for instance https://www.example.com.
If the https:// prefix is omitted, TLS is assumed. A port can be appended to the FQDN, for instance icap.acme.com:11344.
Protocols supported
The functionality is not limited to HTTPS. Protocols such as LDAP, POP3, IMAP, and ICAP are also supported.
No protocol-specific information is checked; the underlying libcurl code only establishes the TLS/SSL connection to the remote host and inspects the certificate it presents.
Protocols upgrading network sessions to TLS, for example STARTTLS, are not supported.
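As an added example (not HCL's CertMgr code), the following Python script mirrors the behaviour described above: parse_endpoint() applies the URL syntax from Supported URL syntax (https:// optional, port optional, other implicit-TLS schemes allowed, no STARTTLS), classify() maps the served certificate's expiry to the Green/Yellow/Red statuses listed under URL health check statistics, and check_endpoint() performs the direct TLS connection. The default ports for non-HTTPS schemes and the 30-day warning threshold are assumptions.

```python
from __future__ import annotations
import socket
import ssl
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Default ports for implicit-TLS schemes (assumption); any other scheme must carry a port.
DEFAULT_PORTS = {"https": 443, "ldaps": 636, "pop3s": 995, "imaps": 993}

def parse_endpoint(entry: str) -> tuple[str, int]:
    """Return (host, port) for 'www.example.com', 'https://www.example.com'
    or 'icap.acme.com:11344'; a missing scheme means https:// (TLS assumed)."""
    entry = entry.strip()
    if "://" not in entry:
        entry = "https://" + entry
    parts = urlsplit(entry)
    if not parts.hostname:
        raise ValueError(f"no host in entry: {entry!r}")
    port = parts.port or DEFAULT_PORTS.get(parts.scheme.lower())
    if port is None:
        raise ValueError(f"port required for scheme {parts.scheme!r}: {entry!r}")
    return parts.hostname, port

def classify(not_after: datetime, now: datetime, warn_days: int = 30) -> str:
    """Map expiry to the CertMgr statuses: Red = expired, Yellow = expiring
    within warn_days (30-day threshold is an assumption), Green = healthy."""
    if not_after <= now:
        return "Red"
    if not_after - now <= timedelta(days=warn_days):
        return "Yellow"
    return "Green"

def check_endpoint(entry: str, cafile: str | None = None, timeout: float = 10.0) -> str:
    """Open a direct TLS session (no STARTTLS upgrade), verify the chain against
    cafile or the system store, and rate the certificate the endpoint serves."""
    host, port = parse_endpoint(entry)
    ctx = ssl.create_default_context(cafile=cafile)  # hostname + chain verification on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except OSError:  # ssl.SSLError is a subclass: failed validation is Red too
        return "Red"
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return classify(expiry, datetime.now(timezone.utc))

if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        print(f"{arg}: {check_endpoint(arg)}")
```

Run it as `python check_urls.py www.example.com icap.acme.com:11344` to rate each entry the way the Health check URLs field would.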
Configuring the certificate URL health check
To configure, specify one or more entries in Health check URLs in a TLS Credentials document in certstore.nsf. Then select Enabled from Health check options.
By default trusted roots to validate the remote peer are read from certstore.nsf (Trusted roots view). To use trusted roots from Domino directory instead, select Use trusted roots from Domino Directory from Health check options.
URL health check interval
The certificate health check for URLs is performed once every 24 hours. If a manual check is required, run tell certmgr check on the CertMgr server to trigger a manual health check for certificates and certificate URLs.
CertMgr stores the time of the last check in the notes.ini setting CERTMGR_CHECKURL_LASTCHECKTIME, which is read again on restart so the schedule continues from that time.
URL health check statistics
The following CertMgr statistics are available to report certificate URL health.
| Statistic | Description |
|---|---|
| CertMgr.HealthCheckURL.CheckTime.Last | The last time that a certificate URL health check was performed. |
| CertMgr.HealthCheckURL.CheckTime.Next | The next scheduled run of the certificate URL health check. |
| CertMgr.HealthCheckURL.IntervalHours | The certificate URL health check interval in hours. |
| CertMgr.HealthCheckURL.Status.Green | Number of certificate URL health checks reported as healthy with no issues. |
| CertMgr.HealthCheckURL.Status.Yellow | Number of certificate URL health checks that reported warnings (usually a certificate expiring soon). |
| CertMgr.HealthCheckURL.Status.Red | Number of certificate URL health checks that reported fatal errors (usually an expired certificate or a fatal connection error). |
Configuring email notification
In certstore.nsf global configuration, specify a single recipient address in the Health Check notification email field to receive an email notification in case of warning or error.
No email is sent if no warning or error occurs. The email notification is a summary of all TLS credentials with a health check URL and contains only information about certificates with warnings or errors.