Richard Pajerski Software development and consulting

Entries tagged [certificates]

One additional little feature...

by Richard Pajerski

Posted on Friday March 12, 2021 at 12:43PM in Technology

In an effort to cover some specific cases, a minor feature was just added to CertMatica (3.6.0) to automate copying LE certificates to additional locations on the server's file system.

The idea is to allow Domino to share the LE certificate with one or more services running on the same machine (such as a reverse proxy like Nginx or an alternate SMTP service) without further manual intervention.

CertMatica 3.6.0

CertMatica 3.6.0 Trial

CertMatica 3.5.1 - important note for Domino 9.x and 10.x servers

by Richard Pajerski

Posted on Friday March 05, 2021 at 08:53PM in Technology

First of all, a big "Thank you!" to all CertMatica customers!

Just out this week, CertMatica 3.5.1 is a maintenance release with simplified switching between Let's Encrypt test and production modes and minor improvements to logging and documentation.  However, for those running on earlier versions of Domino 9.x and 10.x servers, this release also includes an important update to the CertMatica Cacerts Utility which can be used to address potential connectivity errors caused by missing or expired intermediate certificates in the Domino JVM truststore (cacerts).  For information on Let's Encrypt infrastructure changes related to this update see

As always, feedback and commentary are greatly appreciated!

New product for Domino keyrings: Aperture

by Richard Pajerski

Posted on Monday July 20, 2020 at 11:23AM in Technology

Since many development and administrative tasks in Notes/Domino can conveniently be carried out with great front-end tools like Domino Designer or Administrator, it can sometimes be inconvenient when we're required to use the command line or terminal to get things done.  Working with Domino keyrings is a case in point and one of the reasons why I developed Aperture.

Aperture is a lightweight desktop application that allows you to work with those .kyr files without having to resort to the command line.  It works with both the KYRTool and OpenSSL to allow you to visually create keyrings, view their contents, create Certificate Signing Requests and carry out several other tasks you'd normally be doing on the command line.

Please visit the Aperture product page for more details:

As always, comments and suggestions are appreciated!

LEND 2.0 is now out and includes domain wildcard support

by Richard Pajerski

Posted on Friday December 28, 2018 at 07:29PM in Technology

[Edit February 2020: the LEND product has been renamed to CertMatica]

Version 2.0 of LEND is now available and comes with domain wildcard certificate support via DNS challenge.

Wildcard certificates are convenient particularly in situations where a single Domino server hosts multiple virtual sites, each of which needs SSL/TLS protection. Managing separate certificates for each Domino SSL site in this situation is feasible but not very practical since each one requires its own IP address.  A wildcard certificate takes care of that issue and fortunately, Let's Encrypt began offering wildcard certificates earlier this year.  However, as of this blog posting, they're only supported with the DNS-01 challenge type.

The DNS challenge feature was interesting to implement because Let's Encrypt DNS challenges do not offer the same level of automation as HTTP challenges.  With the DNS challenge, Let's Encrypt servers will query your hosting provider during the challenge/response phase instead of your HTTP server (which is queried when using the HTTP challenge).  Since there's no industry-standard way to modify DNS records, the challenge must be entered manually at renewal time, typically using your hosting provider's custom web interface. Fortunately, LEND now has a built-in workflow to remind administrators when to do so!

Take LEND for a test ride and let me know what you think.