DEBUG_CERTMGR

Parameter: DEBUG_CERTMGR
Short description: Enables detailed debug output for the Certificate Manager (certmgr) for diagnosing TLS certificate creation, ACME/Let's Encrypt workflows, and key rotation.

Profile

Parameter: DEBUG_CERTMGR
Category: Logging / Debug
Component: Server
Available since: 12.0
Supported versions: 12.0, 14.0, 14.5, 14.5.1
GUI equivalent: notes.ini only (no GUI)
Possible values: 0 = off (default), 1 = on

Description

With Domino 12, the Certificate Manager (certmgr) was introduced; it manages TLS certificates via certstore.nsf – including Let's Encrypt integration via ACME. DEBUG_CERTMGR=1 turns on detailed trace output for all steps: CSR creation, ACME account and order handling, DNS/HTTP challenges, key storage operations, and distribution to servers.
It is indispensable for troubleshooting when, for example, a Let's Encrypt order fails, a certificate is not distributed, or TLS keys do not reach the expected database.

Example configuration

DEBUG_CERTMGR=1
Debug_Outfile=/local/notesdata/IBM_TECHNICAL_SUPPORT/certmgr_debug.log

Notes & pitfalls

  • Enable only temporarily – produces extensive logs.
  • Takes effect after the console command "restart task certmgr" or after a server restart.
  • Entries appear in console.log and in log.nsf.
  • For ACME problems, additionally check DNS/HTTP connectivity.
  • Complementary to Debug_Outfile, CERTMGR_* parameters, and certstore.nsf.
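
A check for the "enable only temporarily" pitfall, as an added example that is not part of the original page or of Domino itself: it reads notes.ini text and reports when DEBUG_CERTMGR is still on, carries a value other than 0 or 1, appears more than once, or has produced a large Debug_Outfile. The function names, the 100 MB threshold, and treating the setting as active when any duplicate line says 1 are assumptions of this example.

```python
import os

def read_settings(text):
    """Collect every Name=Value line of a notes.ini; names compared case-insensitively."""
    found = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep and name and not name.startswith("["):
            found.setdefault(name.strip().lower(), []).append(value.strip())
    return found

def audit_certmgr_debug(text, max_bytes=100 * 1024 * 1024, getsize=os.path.getsize):
    """Return a list of findings about DEBUG_CERTMGR in the given notes.ini text."""
    settings = read_settings(text)
    values = settings.get("debug_certmgr", [])
    findings = []
    if len(values) > 1:
        findings.append(f"DEBUG_CERTMGR is set {len(values)} times; keep one line")
    for v in values:
        if v not in ("0", "1"):
            # Typical cause: two settings run together on a single line.
            findings.append(f"DEBUG_CERTMGR has value {v!r}; expected 0 or 1")
    if "1" not in values:
        return findings
    findings.append("DEBUG_CERTMGR=1 is active; set it to 0 when troubleshooting ends")
    for path in settings.get("debug_outfile", []):
        try:
            size = getsize(path)
        except OSError:
            continue  # file not created yet or not readable from here
        if size > max_bytes:  # threshold is an assumption of this example
            findings.append(f"{path} is {size} bytes; rotate or remove the debug log")
    return findings

# Constructed sample input, not taken from a real server.
SAMPLE = """[Notes]
Directory=/local/notesdata
debug_certmgr=1
Debug_Outfile=/local/notesdata/IBM_TECHNICAL_SUPPORT/certmgr_debug.log
"""

if __name__ == "__main__":
    for finding in audit_certmgr_debug(SAMPLE):
        print(finding)
```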