Configure certificates
Caution
The Domino server task communicates with the REST API through the `KeepManagementURL`. It has a default value of `http://localhost:8889`. You can overwrite this setting in the `notes.ini` by editing, or creating if missing, the entry `KeepManagementURL` (case sensitive). Having configured a TLS certificate, you need to make sure the entry starts with `https://` and uses the host name your TLS certificate has been issued for. `localhost`, `127.0.0.1` or `::1` won't work. Configuring TLS doesn't change the port. So when the host your TLS certificate is issued for is `domino.demo.com` and your old entry was missing or is the default of `http://localhost:8880`, then your new value needs to be `https://domino.demo.com:8889`. For more information, see Domino REST API task and ports.
About this task
The procedures guide you on obtaining and configuring certificates.
Domino REST API uses certificates for:
- signing JWT Tokens when you use Domino REST API's login API - 0..1 certificate
- validating JWT Tokens issued by trusted Identity Providers (IdP) - 0..n certificates
- Securing HTTPS traffic - 0..1 certificate
Obtain certificates
For HTTPS traffic, JKS, PEM, and PFX certificate formats are supported. For public and private key pairs, RSA and EC are supported. HTTPS certificates must be accepted by your browser and HTTP tool, so get valid certificates.
To get valid certificates, use any of the following approaches:
- Use Let's Encrypt with either Domino cert manager or a proxy, such as nginx.
- Ask your infrastructure, security or networking team (if you have one) for valid certificates.
- At your own risk: create your own certificates using OpenSSL.
Note
If you decide to create your own certificates, you need to distribute the custom root CA to your users, which isn't something you want to do unless you have tooling like BigFix in place. Better stick to official certs.
- For public/private key generation (used for JWT), use the Domino REST API management API/UI and let it generate a public/private key file pair and a certificate.
Configure a certificate for issuing a JWT
- Add the following JSON to a file in `keepconfig.d`. The extension must be `.json`.
```json
{
  "JwtUsePubPrivKey": true,
  "JwtUsePemFile": true,
  "JwtIssuer": "The issuer",
  "JwtPrivateKeyFile": "keepconfig.d/private.key.pem",
  "JwtPublicKeyFile": "keepconfig.d/public.key.pem",
  "JwtCertFile": "keepconfig.d/cert.pem",
  "JwtAlgorithm": "RSA"
}
```
Info
The JSON file is automatically created when you use the Domino REST API management API (Port 8889) to create the files.
Configure certificates for JWT validation
Note
PEM-formatted keys (RSA/EC) are supported.
- Obtain the public key from your IdP.
- Add the public key to a location where general users can't write to.
- Add a JSON file with the following content to `keepconfig.d`.
```json
{
  "jwt": {
    "oicd": {
      "active": true,
      "algorithm": "RS256",
      "keyFile": "10-jwt.pubkey"
    }
  }
}
```
Configure a certificate for HTTPS
When configuring TLS, you can use JSON values or environment variables. When both are set, the environment variable takes priority.
- Use the following entry to configure TLS for jks or pfx (set `TLSType` to the correct type):
```json
{
  "TLSFile": "path.to.file",
  "TLSPassword": "password-in-clear-protect-this",
  "TLSType": "pfx"
}
```
- Use the following entry to configure TLS for pem:
```json
{
  "TLSFile": "path.to.file",
  "PEMCert": "path.to.crt.file",
  "TLSType": "pem"
}
```
Note
`TLSFile` must point to the private key, while `PEMCert` must point to the certificate chain.
- If you don't define a password, you must set the value of `TLSPassword` to `""`.
- JKS: the Java KeyStore. Only used by Java; follow the JKS documentation.
- PEM: defined in RFC 1422, commonly used in HTTP servers.
- PFX: defined in RFC 7292, the RSA-provided Public-Key Cryptography Standards.
Tip
It's your choice which key you want to use. Main considerations are the assessment of your security team and the ease of acquisition of a specific key format in your organization.
Enabling HTTPS using Domino Certificate Manager
If you are using Domino 14 or above and your certificates are stored in the Domino Certificate Manager, you may be able to enable HTTPS automatically. For more information, see Enable HTTPS using the Domino Certificate Manager.
To learn more about Domino Certificate Manager, see Managing TLS certificates with Certificate Manager.
Example of a private key and a self-signed certificate using OpenSSL:
```bash
# Generate a private key
openssl genpkey -algorithm RSA -out server-key.pem
# Generate a certificate signing request (CSR)
openssl req -new -key server-key.pem -out server.csr
# Self-sign the certificate
openssl x509 -req -days 365 -in server.csr -signkey server-key.pem -out server-cert.pem
# Generate CA certificate
openssl req -new -x509 -days 365 -key server-key.pem -out ca-cert.pem
```
The configuration for TLS for pem would look like:
```json
{
  "TLSFile": "server-key.pem",
  "PEMCert": "server-cert.pem",
  "TLSType": "pem"
}
```
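The following is an added example, not code from the Domino REST API docs or product: a small pre-flight check that applies the rules stated in the Caution block (scheme `https://`, the certificate's host name instead of a loopback address, unchanged port) to a `KeepManagementURL` value, and the field rules of the TLS section to a TLS JSON fragment such as the pem configuration above. The function names and the wording of the reported problems are this example's own.

```python
"""Pre-flight checks for KeepManagementURL and the TLS JSON fragment.
Added example; not part of the Domino REST API. Rule wording is my own."""
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}   # hosts the page says won't work
DEFAULT_MGMT_PORT = 8889                        # default KeepManagementURL port
TLS_TYPES = {"jks", "pfx", "pem"}


def check_management_url(value, cert_host, port=DEFAULT_MGMT_PORT):
    """Return rule violations for a notes.ini KeepManagementURL value.

    Rules: scheme must be https, host must be the name the TLS certificate
    was issued for (never a loopback name), and the port must stay unchanged.
    """
    problems = []
    try:
        u = urlsplit(value)
        u_port = u.port  # raises ValueError on a malformed port
    except ValueError:
        return ["URL cannot be parsed: %r" % value]
    if u.scheme != "https":
        problems.append("scheme must be https://")
    host = (u.hostname or "").lower()
    if host in LOOPBACK:
        problems.append("loopback host %r will not match the certificate" % host)
    elif host != cert_host.lower():
        problems.append("host %r is not the certificate host %r" % (host, cert_host))
    if u_port != port:
        problems.append("port must stay %d (TLS does not change it)" % port)
    return problems


def check_tls_config(cfg):
    """Return rule violations for a TLS JSON fragment (TLSFile/TLSType/...)."""
    problems = []
    tls_type = cfg.get("TLSType")
    if tls_type not in TLS_TYPES:
        problems.append("TLSType must be one of %s" % sorted(TLS_TYPES))
    if not cfg.get("TLSFile"):
        problems.append("TLSFile (keystore, or the private key for pem) is required")
    if tls_type == "pem" and not cfg.get("PEMCert"):
        problems.append("PEMCert (certificate chain) is required for pem")
    if tls_type in ("jks", "pfx") and "TLSPassword" not in cfg:
        problems.append('TLSPassword is required for jks/pfx; use "" if there is none')
    return problems


if __name__ == "__main__":
    # Constructed sample values: the defaults and the pem config shown above.
    print(check_management_url("http://localhost:8889", "domino.demo.com"))
    print(check_tls_config({"TLSFile": "server-key.pem",
                            "PEMCert": "server-cert.pem", "TLSType": "pem"}))
```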