CertMgr command line parameters
The load certmgr command can be run with the following parameters.
Parameter | Description |
---|---|
-d | Enables Debug logging to IBM_TECHNICAL_SUPPORT/certmgr_debug_[..].log |
-e <file> | Specifies a separate, trusted CA cert file for Curl (default: data-dir: cacerts.pem) |
-g | Avoids checking the challenge before authorization if the server can't reach itself. If outside and inside connections are handled differently, allows the certificate request to complete when Let's Encrypt® can reach the server but the server can't reach itself. |
-i <interval in seconds> | Configures the interval to wait between processing requests. notes.ini equivalent: CertMgr_Interval |
-l | Logs curl requests to IBM_TECHNICAL_SUPPORT/certmgr_curl__[..].log |
-1 | Runs CertMgr once and then terminates. Can be useful for testing. |
-o | Starts HTTP when using -c and HTTP is not running. Note: To start HTTP automatically, you must still configure the ServerTasks notes.ini setting or a Program document. notes.ini equivalent: CertMgr_AutoConfigHttp |
-r | Requests a certificate for the current server. notes.ini equivalent: CertMgr_AutoRequestCert |
-u | Allows untrusted TLS certificates. Can be useful for testing. |
-U | Does not verify TLS hosts. Can be useful for testing. |
-v | Enables Verbose logging. |
-z | Gets directory URLs only and terminates. Can be useful for testing. |
-ACCEPT_TOU | Accepts the Let's Encrypt® terms and services. Used with -r. notes.ini equivalent: CertMgr_ACCEPT_TOU |
-importkyr key.kyr \| all | Migrates a specific keyring file or all keyring files currently configured for a Domino server in a Server document or Web site document into a TLS Credentials document. The existing keyring files remain on disk. The files must have the .kyr extension. The command can be run from any Domino 12 or later server with a certstore.nsf replica. |
-importpem file.pem | Imports a .pem file with a certificate chain and a private key into a new TLS Credentials document. Certificates in the chain do not need to be specified in a specific order. The .pem file is deleted upon a successful import. |
-MIGRATETOSERVER servername | Migrates the CertMgr process to a specified new server by using the new server to re-encrypt all private keys in certstore.nsf. The new server must be a valid Domino server in the Domino domain with a replica of certstore.nsf. Run the command on the current CertMgr server. Before running the command, ensure all CertMgr processes are complete and then issue |
-showcerts | Shows information about the currently loaded TLS credentials in certstore.nsf. To show this information on a server that runs CertMgr, you can also use tell certmgr show certs. |
-showocsp | Uses Online Certificate Status Protocol (OCSP) to show the revocation state of TLS credentials in certstore.nsf. To show this information on a server that runs CertMgr, you can also use tell certmgr show ocsp. Requires OCSP to be enabled. If not enabled, the following error is shown: CertMgr: OCSP is disabled on this server. Set a OCSP responder URL via notes.ini 'OCSP_RESPONDER'). |
Parameter | Description |
---|---|
ImportRootFromUrl URL | Imports trusted root from specified URL to CertStore (for example, https://mycompany.com). |
ImportRootFromDominoDir | Imports trusted root from the Domino Directory. |
ImportRootFromFile file | Imports a file containing a single PEM-encoded certificate trusted root to CertStore. |