Certificate Store: Submit vs Save
I regularly receive question about the Certificate Store and CertMgr, which made me realise that there’s a lot of confusion around the Submit Request and the Save & Close buttons in the store and when to use what. Time for an article to hopefully solve some of that confusion.
It’s quite rare that a form contains both a Submit and a Save & Close button, so I understand the confusion, but they do mean something distinctly different, which is also the case for the Certificate Store:
- Submitting a document means the document still needs to be processed further (by the CertMgr task in this case)
- Save & Close means the document is done and just needs to be stored
This gives you a guideline of when to use what, but let’s add some examples to make this more clear.
Creating a Certificate Signing Request (CSR)
You need the Certificate Manager to create a CSR, so you need to submit.
Adding the received certificate to a CSR
After you’ve pasted the certificate, it still needs to be combined and this is done by the server. Therefore you need to submit the document
Requesting a certificate from an ACME provider
This is work for the Certificate Manager, so you need to submit.
Importing an existing certificate
Once the certificate is imported, it’s done. No further processing needed. So you need to Save & Close.
Adding an extra server to an existing certificate
This one is slightly tricky. It’s the server that re-encrypts the certificate for the new list of servers. However, the certificate itself doesn’t need processing, so you use Save & Close.
Requesting a new certificate from an ACME provider for an existing certificate
Did you know that you can also do this for previously imported certificates? The CertMgr will create a CSR and submit it to the ACME provider and you need to Submit the document to put this in action.
To put this in a table:
Action | Submit | Save & Close |
---|---|---|
Creating a Certificate Signing Request (CSR) | ✓ | |
Adding the received certificate to a CSR | ✓ | |
Requesting a certificate from an ACME provider | ✓ | |
Importing an existing certificate | ✓ | |
Adding an extra server to an existing certificate | ✓ | |
Requesting a new certificate from an ACME provider for an existing certificate | ✓ |
The Certificate Manager is quite forgiving btw. If you accidently put an existing certificate in the state ‘pending’, by submitting it when you should have used Save & Close, the certificate will still be used if it’s valid. You can fix it by changing the state back to ‘Issued’ and using Save & Close.
On Importing Certificates
Another subject on which I often receive questions is on importing certificates. If you want to import an existing kyrfile on the server (after a server upgrade), make it easy for yourself and don’t try to do this in the Certificate Store. The simple way to do this is from the Domino console (replace <kyrfile.kyr> with the actual filename):
load certmgr -importkyr <kyrfile.kyr>
The certificate will appear in the Certificate Store.
If you import a certificate through the Certificate Store, it’s important to first select the servers by which the certificate should be used (Servers with access) and then import the key. As the encryption is done at the moment of import, you would otherwise have servers for which the key is not encrypted and you will get errors on the console telling you so:
Cannot read private key from TLS Credentials document
If you already ran into this, there is an easy solution. Change the Status manually to “Update Server List” and Save & Close the document. This will re-encrypt the certificate for the current servers.