You can configure Domino to connect to services that use custom certificates which are external to the Domino cluster. In addition to public services like AWS S3, you might want to use private services in your security domain that are secured with custom certificates or a custom certificate authority.
The following are examples of private services:
- Docker registry
- Git server
- S3 service
- LDAPS
- OIDC
- Data sources
Domino checks for a domino-custom-certificates ConfigMap in the Kubernetes cluster's default namespace. This ConfigMap must have a key named bundle whose value is a plaintext certificate bundle in PEM format. If the bundle exists, Domino uses the certificates in it to connect to the external services.
Domino supports the following certificate types:
- Custom Certificate Authority (CA): Certificates that certify the other certificates issued under this authority.
- Self-signed certificates: Certificates that do not have a reference to the authority signing them.
The bundle is formatted as a series of concatenated certificates in PEM format. Each certificate must keep the line breaks around its marker lines:
-----BEGIN CERTIFICATE-----
and
-----END CERTIFICATE-----
The bundle must contain all the certificates that you would typically use to connect to the private services, including intermediate and root certificates. Domino includes public certificates, such as DigiCert root certificates, by default so you do not have to include them. However, duplicate certificates will not cause any issues.
During Domino installation, you can add the contents of the PEM bundle to the domino.yml configuration file under the top-level key custom_certificates. The following is an example:
...
custom_certificates: |
  -----BEGIN CERTIFICATE-----
  MIICKzCCAbGgAwIBAgIKe3G2gla4EnycqDAKBggqhkjOPQQDAzBaMQswCQYDVQQG
  EwJVUzETMBEGA1UECxMKZW1TaWduIFBLSTEUMBIGA1UEChMLZU11ZGhyYSBJbmMx
  IDAeBgNVBAMTF2VtU2lnbiBFQ0MgUm9vdCBDQSAtIEMzMB4XDTE4MDIxODE4MzAw
  MFoXDTQzMDIxODE4MzAwMFowWjELMAkGA1UEBhMCVVMxEzARBgNVBAsTCmVtU2ln
  biBQS0kxFDASBgNVBAoTC2VNdWRocmEgSW5jMSAwHgYDVQQDExdlbVNpZ24gRUND
  IFJvb3QgQ0EgLSBDMzB2MBAGByqGSM49AgEGBSuBBAAiA2IABP2lYa57JhAd6bci
  MK4G9IGzsUJxlTm801Ljr6/58pc1kjZGDoeVjbk5Wum739D+yAdBPLtVb4Ojavti
  sIGJAnB9SMVK4+kiVCJNk7tCDK93nCOmfddhEc5lx/h//vXyqaNCMEAwHQYDVR0O
  BBYEFPtaSNCAIEDyqOkAB2kZd6fmw/TPMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
  Af8EBTADAQH/MAoGCCqGSM49BAMDA2gAMGUCMQC02C8Cif22TGK6Q04ThHK1rt0c
  3ta13FaPWEBaLd4gTCKDypOofu4SQMfWh0/434UCMBwUZOR8loMRnLDRWmFLpg9J
  0wD8ofzkpf9/rdcw0Md3f76BB1UwUCAU9Vc4CqgxUQ==
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  MIICTjCCAdOgAwIBAgIKPPYHqWhwDtqLhDAKBggqhkjOPQQDAzBrMQswCQYDVQQG
  EwJJTjETMBEGA1UECxMKZW1TaWduIFBLSTElMCMGA1UEChMcZU11ZGhyYSBUZWNo
  bm9sb2dpZXMgTGltaXRlZDEgMB4GA1UEAxMXZW1TaWduIEVDQyBSb290IENBIC0g
  RzMwHhcNMTgwMjE4MTgzMDAwWhcNNDMwMjE4MTgzMDAwWjBrMQswCQYDVQQGEwJJ
  TjETMBEGA1UECxMKZW1TaWduIFBLSTElMCMGA1UEChMcZU11ZGhyYSBUZWNobm9s
  b2dpZXMgTGltaXRlZDEgMB4GA1UEAxMXZW1TaWduIEVDQyBSb290IENBIC0gRzMw
  djAQBgcqhkjOPQIBBgUrgQQAIgNiAAQjpQy4LRL1KPOxst3iAhKAnjlfSU2fySU0
  WXTsuwYc58Byr+iuL+FBVIcUqEqy6HyC5ltqtdyzdc6LBtCGI79G1Y4PPwT01xyS
  fvalY8L1X44uT6EYGQIrMgqCZH0Wk9GjQjBAMB0GA1UdDgQWBBR8XQKEE9TMipuB
  zhccLikenEhjQjAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAKBggq
  hkjOPQQDAwNpADBmAjEAvvNhzwIQHWSVB7gYboiFBS+DCBeQyh+KTOgNG3qxrdWB
  CUfvO6wIBHxcmbHtRwfSAjEAnbpV/KlK6O3t5nYBQnvI+GDZjVGLVTv7jHvrZQnD
  +JbNR6iC8hZVdyR+EhCVBCyj
  -----END CERTIFICATE-----
The installer copies the contents of the custom certificates into the domino-custom-certificates ConfigMap.
After Domino is installed and running, you can recreate the domino-custom-certificates ConfigMap to update it. To do this, run the following commands:
kubectl delete configmap domino-custom-certificates
kubectl create configmap domino-custom-certificates --from-file=bundle
where bundle is the new certificate bundle in concatenated PEM format.
After changing the certificates, you must restart all services.
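The two things that most often go wrong with this procedure are a bundle whose markers are not byte-exact (copying from a rendered page turns the five hyphens into dashes) and a block that is not a single base64-encoded certificate. The script below is an added example, not Domino's own code: it lints a concatenated PEM bundle against the format described above (exact BEGIN/END lines, valid base64, one DER SEQUENCE per block) and, if the bundle is clean, renders the domino-custom-certificates ConfigMap with the single key bundle as a manifest for kubectl apply, which replaces the delete and create pair for both first creation and later updates. The helper names lint_bundle, der_declared_length and configmap_manifest, and the sample bundle, are this example's own; the sample body is a minimal constructed DER SEQUENCE, not a real certificate.

```python
"""Added example (not Domino's own code): lint a concatenated PEM bundle and
emit a ConfigMap manifest for it, so the domino-custom-certificates ConfigMap
can be replaced with `kubectl apply -f` instead of delete + create."""
import base64
import binascii
import re
import sys

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Catches markers that look right but are not byte-exact, e.g. the em-dash
# variants produced by copying from rich text or a PDF.
MARKER_LIKE = re.compile(
    r"^[-\u2013\u2014]+\s*(BEGIN|END)\s+CERTIFICATE\s*[-\u2013\u2014]+$")


def der_declared_length(der: bytes):
    """Total length declared by a DER SEQUENCE header, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def lint_bundle(text: str):
    """Return (certs, issues): certs holds the DER bytes of every well-formed
    block, issues lists every problem found with its line number."""
    certs, issues = [], []
    body = None  # None outside a block, list of base64 lines inside one
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line == BEGIN:
            if body is not None:
                issues.append(f"line {lineno}: BEGIN inside an unterminated block")
            body = []
        elif line == END:
            if body is None:
                issues.append(f"line {lineno}: END without a matching BEGIN")
                continue
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error as exc:
                issues.append(f"line {lineno}: block is not valid base64 ({exc})")
            else:
                declared = der_declared_length(der)
                if declared != len(der):
                    issues.append(f"line {lineno}: block is not one DER SEQUENCE "
                                  f"(header declares {declared}, decoded {len(der)} bytes)")
                else:
                    certs.append(der)
            body = None
        elif MARKER_LIKE.match(line):
            issues.append(f"line {lineno}: marker {line!r} is not byte-exact")
        elif body is None:
            issues.append(f"line {lineno}: text outside any certificate block")
        else:
            body.append(line)
    if body is not None:
        issues.append("bundle ends inside an unterminated block")
    return certs, issues


def configmap_manifest(text: str, namespace: str = "default") -> str:
    """Render the bundle as a ConfigMap manifest (key `bundle`, same key that
    `kubectl create configmap --from-file=bundle` produces). Refuses bundles
    that do not lint clean."""
    certs, issues = lint_bundle(text)
    if issues or not certs:
        raise ValueError("refusing to build manifest: "
                         + "; ".join(issues or ["no certificates"]))
    block = "\n".join("    " + l.strip() for l in text.splitlines() if l.strip())
    return ("apiVersion: v1\nkind: ConfigMap\nmetadata:\n"
            "  name: domino-custom-certificates\n"
            f"  namespace: {namespace}\ndata:\n  bundle: |\n{block}\n")


# Constructed sample: the body is a minimal DER SEQUENCE (30 03 02 01 01),
# not a real certificate; it exercises the framing checks only.
SAMPLE_BUNDLE = f"{BEGIN}\nMAMCAQE=\n{END}\n"

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    certs, issues = lint_bundle(src)
    for issue in issues:
        print("ISSUE:", issue, file=sys.stderr)
    if issues:
        sys.exit(1)
    print(f"# {len(certs)} certificate block(s) parsed", file=sys.stderr)
    print(configmap_manifest(src), end="")
```

Run it as `python lint_bundle.py bundle > domino-custom-certificates.yaml` and then `kubectl apply -f domino-custom-certificates.yaml`; the manifest lands in the default namespace, where Domino looks for the ConfigMap. The linter checks framing only, not trust: it does not validate chains, signatures or expiry, so still confirm the bundle contains the intermediates and roots you expect, for example with `openssl crl2pkcs7 -nocrl -certfile bundle | openssl pkcs7 -print_certs -noout`, which lists every subject and issuer in a concatenated PEM file.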
When upgrading a Domino deployment to a new version, you can use the custom_certificates key in domino.yml to provide a new certificate bundle. If the key is not specified, the installer does the following:
- Any existing domino-custom-certificates bundle continues to be used, and can still be updated independently of the installer.
- If there is no existing domino-custom-certificates ConfigMap, but the legacy domino-executor-certificates ConfigMap exists, it is copied and upgraded to the new format and name.