Upgrading TLS credentials in Certificate Store - Not upgrading in browser

Hi.

I have a client that uses only Nomad web clients. It is a large organisation and they issue their own certificates, which I receive as a PFX file. Everything has been running fine for almost two years.


Now the current certificate is about to expire in about two weeks, so I received a new certificate and followed the instructions in https://help.hcl-software.com/domino/12.0.2/admin/secu_importingexistingcertificates.html and everything seems to be fine. The new certificate gets the status 'Issued'. I then changed the status of the old certificate to 'Archived' and restarted the server.

But when I check the certificate in the browser it still shows the old certificate, not the new one. I have tested in both Edge (Version 131.0.2903.86) and Chrome (Version 131.0.6778.205) and I have cleared the cache.
When I run 'tell certmgr show certs' it only shows information for the new certificate.

Server is 12.0.2 FP2 running on Windows Server 2019.

What am I missing?

Thanks in advance.

/J

Hello

Does your environment have a proxy server such as SafeLinx or nginx in front of Domino(Nomad Server)?

Regards,

Shigemitsu Tanaka

Hi.

Sorry, forgot to write that there is no proxy involved.

/J

To get the browser, caches etc. out of the way: What does openssl tell you?

openssl s_client -connect host.example.com:443

I am not allowed to run Openssl on my client but I will check if IT-department can help me. I will get back, hopefully.

Thanks
/J

Hi.

I understand you checked two different browsers, and cleared the cache in both, but have you tried a brand new install of a third browser? Firefox, Brave, etc.? And/or tried Incognito/InPrivate mode?

Have you tried accessing it locally in the network, like with its private address? It will warn of certificate mismatch (because local IP address is not valid with FQDN in the cert) but it will allow you to check the cert that the server is publishing.

Regards,

Elvis
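To make the openssl check suggested above concrete, and to cover the IP-address test in this reply, here is an added shell example (not from the thread, and not HCL's own tooling). It compares the SHA-256 fingerprint of the certificate a server actually presents with the fingerprint of the leaf certificate inside the PFX file you imported. It assumes the openssl CLI is on PATH; host names, ports, file names and passwords are placeholders, and the demo certificates it can generate are constructed purely for an offline dry run.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the openssl CLI.

# SHA-256 fingerprint (AA:BB:...) of a PEM certificate file.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate inside a PFX/PKCS#12 file.
# $1 = pfx file, $2 = password
pfx_fingerprint() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Raw s_client output for a host. With an SNI name (3rd argument) the server
# can pick a name-specific credential; without one (e.g. connecting by IP,
# as in the thread) it serves its default. Checking both tells you whether
# more than one credential is still active.
# $1 = host or IP, $2 = port, $3 = optional SNI name
served_cert() {
    if [ -n "$3" ]; then
        openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$1:$2" </dev/null 2>/dev/null
    fi
}

# Fingerprint of the certificate the server presents.
served_fingerprint() {
    served_cert "$@" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Subject, validity dates and fingerprint of the presented certificate,
# which is usually all you need to tell "old" from "new".
served_summary() {
    served_cert "$@" | openssl x509 -noout -subject -dates -fingerprint -sha256
}

# Returns 0 if the PEM certificate is the same one packaged in the PFX.
# $1 = pem file, $2 = pfx file, $3 = pfx password
cert_matches_pfx() {
    a=$(pem_fingerprint "$1")
    b=$(pfx_fingerprint "$2" "$3")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed demo input for an offline dry run: an "old" and a "new"
# self-signed certificate, plus a PFX containing the new one (password: secret).
# $1 = directory to write into
make_demo_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/old.key" -out "$1/old.pem" \
        -subj "/CN=old.example.test" -days 30 >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/new.key" -out "$1/new.pem" \
        -subj "/CN=new.example.test" -days 30 >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$1/new.key" -in "$1/new.pem" \
        -out "$1/new.pfx" -passout pass:secret
}
```

Against a real server you would run `served_summary host.example.com 443 host.example.com` and `served_summary xx.xx.xx.xx 443` (no SNI) and compare each fingerprint with `pfx_fingerprint new.pfx 'password'`; if the served fingerprint still equals the old certificate's, the server, not the browser, is handing out the old credential, and if the SNI and non-SNI results differ, two credentials are still in play.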

Hi.

IT department doesn't allow me to download and install unauthorised software, unfortunately. I am very limited in what I can do and have to rely on IT to get help. But they have other things to do than supporting a niche product within the organisation, so that takes a lot of time.

But I tried using the IP number xx.xx.xx.xx:443 and I end up with the same OLD certificate. I guess this means that my server is handing out the old certificate...?

I must have missed something obvious but I can't figure out what. I guess that I can delete the old certificate, but I am afraid that this would screw up everything, and since I still have a week left to sort this out I don't dare to. And this shouldn't be necessary, I guess, since the old certificate is set as 'Archived'.

Regards

/J

Hi again.

Some more information. I just compared (again) the two certificates in Cert Store and the only difference (except for keys) is that the old (now archived) cert is imported from a .kyr file and has this file referenced in the Keyring file field, and a comment that it was imported from that file.

But I thought that one of the good things with Cert Store is that we don't have to mess around with Kyrtool anymore.

I feel lost...

Hi.

You may try to remove the reference to the .kyr file, so it won't use it, and use only CertMgr.

Ensure you restart the server once you have done this.

Please keep us posted.

You might also submit a support case instead.

Regards,

Elvis

Hi.

The .kyr file isn't even on the server! I created the old (current) TLS Credentials from the .kyr file and I think that the Keyring file field in the TLS Credentials document is just a reference so that you know where the information came from, but I am not sure. Regardless, it works without the .kyr file on the server, but only for six more days.

As a test I created a .kyr from the new PFX file and imported that into Cert Store but I get the exact same information as when I imported the PFX so that didn't help.

I guess I will have to use the .kyr the traditional way, without CertMgr, as a last resort if I am not able to get this going. I am planning a server upgrade to R14 in the near future and hopefully that will help.

Thanks

Hi all.

Problem solved and thought I would share how.

I had to rename the old Cert Store db and create a new one to get this working. I am not really sure why, but it might be that the old certificate, which I manually set to Archived, was still in the loop somehow. Now I realise that I should have tested this, but unfortunately I have deleted the old Cert Store db.

Thanks for all help and support with this.

/J

Hi.

Thank you very much for sharing.

Regards,

Elvis