The CA Process In Notes/Domino 6

Last edited 7/28/2005 © IBM 2005


Table of Contents

Overview - The Domino Server-based Certification Authority
Option One - Migrating a Domino certifier to the CA process
Loading the CA Process after Migration
How to use the CA Process to Register Users
Common Errors that Occur using the CA Process
Option Two - Creating an Internet Certifier with the CA process
Setting up the Certification Requests Database
Setting up the Key Ring and Merging the Internet Certificate
Manually Processing Requests
Configuring the HTTP Server for SSL
Installing the Client Certificate for SSL
Testing the Client Certificate
Option Three - Migrating an R5 Internet Certifier to the CA Process
Option Four – Using the CA Process with S/MIME
Administration of the CA Process
Overview – Administrator Roles
CA Commands
Adding Administrators to a Certificate
Disabling a Certifier
Enabling a Certifier
Revoking a Certificate
Removing a Certifier from the CA Process
Administration Tips
Encrypting the Certifier ID
Removing Passwords for Certifier Activation
Renaming the ICL Database
Confirming a CRL has run using the CA Process
Confirming Certificate Revocation
Creating a Local Copy of the Certifier ID
Recovering a Certifier
Self-service resources on the web


Overview - The Domino Server-based Certification Authority

Introduction

The CA process is a Domino server task that is used to manage and process certificate requests. The CA process runs as an automated process on Domino servers that are used to issue certificates. A Notes or Internet certifier is linked to the CA process on the server in order to take advantage of CA process activities. Only one instance of the CA process can run on a server; however, the process can be linked to multiple certifiers.

Benefits of Domino CA process

Consider using the Domino CA process because it:

• Does not require access to the Domino certifier ID and ID password. After enabling certifiers for the CA process, Administrators can assign the registration authority role to administrators, who can then register users and manage certificate requests without having to provide the certifier ID and password

• Supports the registration authority (RA) role, which Administrators use to delegate the certificate approval/denial process to lower-echelon administrators in the organization

• Provides a unified mechanism for issuing Notes and Internet certificates

• Simplifies the Internet certificate request process through a Web-based certificate request database

• Issues certificate revocation lists, which contain information about revoked or expired Internet certificates

• Creates and maintains the Issued Certificate List (ICL), a database that contains information about all certificates issued by the certifier

• Is compliant with security industry standards for Internet certificates -- for example, X.509 and PKIX

CA process steps

There are four basic options when configuring the CA process:

• Option One: Migrating a Notes/Domino Certifier to the CA process

• Option Two: Creating an Internet Certifier with the CA process

• Option Three: Migrating an R5 Internet Certifier to the CA process

• Option Four: Using the CA process with S/MIME


Option One - Migrating a Domino certifier to the CA process

Introduction

The first option when configuring the Domino server-based CA is to migrate the Domino certifier to the CA process.

Before you begin

Before performing the following steps to migrate a Domino certifier, Administrators must:

• Have at least one OU – In this document the sample OU is called West/DominoSix

• Check the Location document in the Domino Administration client to make sure that the “Home/Mail Server” field is set to the server that is being configured for the CA process

• Check the Advanced tab of the ACL for the Domino Directory (names.nsf) and for the Administration Requests database (admin4.nsf) to make sure the server is listed as the Administration Server for both databases

Note: If the Administration Server is incorrect for either database, this error will occur on the server console:

Admin Process: Received the following error performing a Modify CA configuration in Domino Directory request on <servername>. A person document for either the requests signer or the Names(s) acted upon was not found in any local trusted directories for which this server is the Administration Server.

Migrate the certifier

To migrate the certifier:

1. In the Domino Administration client, select the Configuration tab.

2. Expand the Tools pane and select Certification > Migrate Certifier.

3. In the “Migrate Certifier” dialog, click the Select button and choose the certifier id file for the OU to be migrated.

4. Click OK. The ID path and filename should appear in the Migrate Certifier dialog.


5. Click OK and enter the certifier’s password when prompted.

6. In the “Migrate OU” dialog, select the Basics tab and enter the following information:

Field label: Sample value

Select the server where this certifier will run on: Verify that this is the name of the server being used for configuring the CA process.

Name of the ICL database to be created: (Optional) The name of the ICL database that will be created can be changed to reflect the name of the certifier. There is no significance to the default name of the ICL database.

Encrypt certifier ID with: Change this from Locking ID to Server ID.

7. In the “Administrator(s)” section of the “Migrate OU” dialog, click Add and add the server’s name to the Administrator’s list.


8. After adding the server to the list of administrators, check the box for RA. This option will be used in later steps. Click OK.

9. Click OK on the “Success…” dialog.


Loading the CA Process after Migration

Introduction

After migrating the certifier to the CA process, load the CA process and use AdminP to process the migration request. To accomplish this, enter the following commands at the server console:

• load ca

• tell adminp process all

• tell ca refresh

• tell ca status

Load ca

This command starts the CA process on the server. Administrators can also add ca to the ServerTasks= line of the notes.ini for the Domino server to load it automatically when the server is started.

Note: When loading the CA Process, if an error message like the following appears on the console: “CA Process ( servername/org ): No certifier configuration found for this server,” the CA process cannot locate any certifiers for the CA process on this server.
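To make the ServerTasks= edit described above repeatable, here is an added Python example (not part of this IBM document) that inserts the ca task only if it is not already present and leaves every other notes.ini line alone; the notes.ini fragment it operates on is constructed.

```python
import re

# Matches the ServerTasks= line; Domino notes.ini keys are case-insensitive.
SERVERTASKS_RE = re.compile(r"^(ServerTasks)\s*=\s*(.*)$", re.IGNORECASE)


def server_tasks(ini_text: str) -> list:
    """Return the task names on the ServerTasks= line (empty if there is none)."""
    for line in ini_text.splitlines():
        m = SERVERTASKS_RE.match(line)
        if m:
            return [t.strip() for t in m.group(2).split(",") if t.strip()]
    return []


def has_server_task(ini_text: str, task: str = "ca") -> bool:
    """True if `task` already loads at startup (comparison is case-insensitive)."""
    return task.lower() in (t.lower() for t in server_tasks(ini_text))


def add_server_task(ini_text: str, task: str = "ca") -> str:
    """Return ini_text with `task` appended to the ServerTasks= line.

    Every other line is left untouched, a task that is already present is not
    duplicated, and a missing ServerTasks= line is created at the end.
    """
    if has_server_task(ini_text, task):
        return ini_text
    lines = ini_text.splitlines()
    for i, line in enumerate(lines):
        m = SERVERTASKS_RE.match(line)
        if m:
            tasks = [t.strip() for t in m.group(2).split(",") if t.strip()]
            lines[i] = f"{m.group(1)}={','.join(tasks + [task])}"
            break
    else:
        lines.append(f"ServerTasks={task}")
    out = "\n".join(lines)
    return out + "\n" if ini_text.endswith("\n") else out


# Constructed sample notes.ini fragment (not taken from a real server).
SAMPLE_INI = (
    "Directory=C:\\Lotus\\Domino\\data\n"
    "ServerTasks=Update,Replica,Router,AMgr,AdminP,HTTP\n"
)

if __name__ == "__main__":
    print(add_server_task(SAMPLE_INI), end="")
```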

Tell adminp process all

The Administration Process is crucial to the CA process task. After typing tell adminp process all, open the Administration Requests database (admin4.nsf). Select the “All Requests by Server” view and notice a document has been created to modify the CA configuration:

The response document (with the green checkmark) indicates that the request has been successfully processed by adminp.

Tell ca refresh

This command applies the changes without restarting the CA task.

Tell ca status

After entering the tell ca status command, the migrated certifier will be listed as a part of the CA process. [We will discuss the information given by tell ca status later in this document.]


Results of certifier migration

Before adminp processes the CA migration request, the Certifier document will look like this:

After the migration request is processed, a CA Configuration tab is added to the document:


How to use the CA Process to Register Users

Introduction

Once Administrators have migrated the certifier and processed the migration request, the Notes Administration client or the Web Administration client can be used to register users with the CA process.

Using the Notes Admin client

To register users in the Notes Administration client:

1. Expand the Tools pane on the Configuration tab of the Administration client. Expand Registration and select Person.

2. If prompted for a password, click Cancel.

3. Choose Use the CA Process and then select the certifier in the “CA configured certifiers” drop-down list. Click OK.

Note: Anyone with RA status for that certifier can then register a person without having access to a certifier ID.

Using the Web Admin client

To register a user using the Web Administration client:

1. Launch a browser and enter the URL for the Web admin client: http://YourFullyQualifiedInternetServername/webadmin.nsf.

2. Select the Configuration tab.


3. Expand the Tools pane. Expand Register and select Person.

4. Choose the certifier and click OK.

5. The “Choose Certifier and Policy” dialog allows Administrators to choose a CA certifier and an explicit policy.

Note: Notes users registered with the CA process are not documented in the CERTLOG.NSF database. The $UpdatedBy field in the Person document may contain their name, but the number of entries in that field is limited.


Common Errors that Occur using the CA Process

Introduction

When using the CA process to register users, Administrators may encounter one of several common error messages.

RA errors

Using the Domino Web Administrator requires that both the Web Administrator and the server be listed as RAs. Recall that we listed the server as an RA earlier in this module. If the server is not listed, this error message will appear:

Unable to perform registrations: You are a Registration Authority of the CA configured certifier ‘/West/DominoSix’, but the current server is not. In order to perform registrations, this server also needs to be trusted as an authorized Registration Authority.

If the Web Administrator is not listed, this error message appears:

Unable to perform registrations: You are not an authorize Registration Authority (‘RA’) and cannot perform any registrations.

User errors

When registering a new person using the CA process, the certificate for the person will be attached to that user’s Person document in the Domino Directory. When the user attempts to log in, the new certificate is downloaded to the user’s ID file, completing the user registration. The user will be unable to successfully log in before the certificate has been issued, and any attempts to do so will result in this error message:

Server Error: Your certificate has not yet been signed by the Certificate Authority. Please try again later.

Or if the user is trying to complete workstation setup, the error will be:

The encrypted data has been modified or the wrong key was used to decrypt it.

In both cases, administrators will need to keep in mind that the CA process has to run, the Administration process (the “Recertify user in the Domino Directory” request) has to run, and replication must take place to the proper Domino Directories.


Misc errors

There is a situation where all of the required processes appear to complete, but users still receive these error messages trying to connect:

Server Error: Your certificate was found to be invalid. Check your local log for details.

-or-

Server Error: Your certificate has not yet been signed by the Certificate Authority. Please try again later.

This situation can arise when many users are registered and the administration process completes before the Person document is updated. See Technote 1174391 for details.


Option Two - Creating an Internet Certifier with the CA process

Introduction

The second option when configuring the CA process is to create an Internet certifier. After creating the Internet certifier, the server must be configured to use the certifier. This process involves the following:

• Creating the certificate requests database

• Creating the server key ring file and merging the Internet certificate

• Configuring the HTTP server for SSL access

• Installing the Client certificate for SSL

Overview – Internet certifiers

A certificate authority (CA) is the link that allows a server and client to use SSL to communicate and to use S/MIME to exchange mail. Like a mutual friend, a CA vouches for the identity of a server and client by issuing Internet certificates that are stamped with the CA’s digital signature. The digital signature ensures the client and server that both the client certificate and the server certificate can be trusted. If the client and server authenticate – that is, identify the digital signature on the certificate – they can establish a secure SSL session or exchange a secure S/MIME message. If the client and server cannot authenticate each other, they cannot establish a secure session or exchange a secure message.

The server certificate must contain the CA certificate as a trusted root. The trusted root allows servers and clients that have a common CA certificate to communicate. Before merging a server certificate signed by a CA, merge the CA certificate into the key ring file as a trusted root.

Before you begin

Before creating an Internet certifier with the CA process, check the following:

• The server should be listed as the Administration server in the Advanced tab of the ACL in the Domino Directory and the Administration Requests database (admin4.nsf)

• On the Basics tab of the server document, make sure that the field “Fully qualified Internet host Name” is correct, for example, server1.acme.com.

Creating an Internet Certifier

To create an Internet certifier with the CA process:

1. From the Administration client, select the Configuration tab.

2. Expand the Tools pane, expand Registration and select Internet Certifier.


3. In the “Register Internet Certifier” dialog, choose “I want to register a new Internet certifier that uses the CA process.”

4. Click OK.

5. In the “Register New Internet Certifier” dialog, click Create Certifier Name.


6. In the next dialog box, enter a value in the Common Name field, for example, “North” and click OK.

The rest of the fields are not required. If they are filled out, they make the name of the certifier more complex.

Note: A more complex name might be used for specifying different locations for one company. For example, all the certifiers might have the same Common Name, but the Organization Unit, City or Locality, State or Province, or Country might be different.

7. The “Creating certifier” dialog should reappear with the name of the certifier in the title bar, such as: “Creating certifier (CN=North).”

8. Change the “Encrypt certifier ID with” field to Server ID. Make sure that your administrator is listed as an RA and CA.


9. Click OK and a dialog indicating successful creation of the certifier should appear. Click OK.

10. Open the Administration Requests database (admin4.nsf) and expand the All requests by server view. There should be a newly created document for the certifier under “Modify CA Configuration in Domino Directory.” When opened, the document should look like the following.

11. Close admin4.nsf and enter the following commands at the server console:

• Tell adminp process all

• Tell ca refresh

• Tell ca status

Results – creating an Internet certifier

There should now be two certifiers listed as part of the CA process. The status command gives us the information we need to identify the certifiers within the CA process. Each certifier has a number which is used for many of the tell commands. For more information, see the section in this document called “Certificate Authority Process Tell Commands.” For example:

The first certifier is the “West” certifier. It is a Notes certifier that has been migrated to the CA process. The third line indicates that the certifier is active. The fourth line gives the path and database name for the ICL database related to this particular certifier. Also listed is the certifier just created, “North”, which is of certifier type “Internet.”


Setting up the Certification Requests Database

Introduction

A Certification Request database is needed in order to use the Internet certificate just created.

Creating the request database

To create the certification request database:

1. From the Administration client choose File > Database > New.

2. Enter the following in the “Specify New Database Name and Location” section of the “New database” dialog:

Field label: Sample value

Server: Choose the server.

Title: Enter a database title, for example, “Certificate Requests for North.”

File name: Enter a database file name, for example, certreqNORTH.nsf. Keep in mind that each certifier must have its own database so the file name should be easily identifiable.

3. Enter the following in the “Specify Template for New Database” section of the “New database” dialog:

Field label: Sample value

Server: Choose the server.

Template: Select the Show advanced templates option and select “Certificate Requests (6).”

4. Click OK.

5. Close the “About this database” document.

6. Enter the following information in the Database Configuration document:

Field label: Sample value

Server: Your hierarchical server name

Certifier: CN=North

Supported Certificate types: Both client and server certificates

Extended key usages: Server and client authentication

Requesting Process: Manual (So that we can step through the RA approval function)


Mail confirmation: No

7. Save and close the document.

Note: This page contains client certificates that by default are issued for only one year. Administrators may wish to extend this time period.


Setting up the Key Ring and Merging the Internet Certificate

Introduction

After creating the certificate request database, the next step is to set up the server key ring file.

Create a key ring

To create a key ring file:

1. Open the Domino administration client, select the Files tab and locate the Certification Requests database, for example, certreqNorth.nsf. Open the database.

2. Expand the view Domino Key Ring Management and select Create Key Ring.

3. Enter the following properties in the “Create Key Ring” document:

Field label: Sample value

Key Ring File Name: Keyfile.kyr

Key Ring Password: password

Key Size: 1024

Common Name: Strider.austin.ibm.com

Organization: DominoSix

Note: The remaining fields on the form are optional.

4. Click Create Key Ring.


5. A success dialog should appear once the key ring is created. Click OK.

Note: By default, the key file is created in the data directory of the client, not the server. Those files will be moved to the server later in this document.

6. After clicking OK, there will be a prompt to merge the Internet certificate into the key ring. Confirm that the information is correct and click OK.


7. The next prompt indicates that the certificate was merged into the key ring. Click OK.

8. Click OK at the dialog containing the message: “Certificate Request Successfully Submitted for Key Ring.”


Manually Processing Requests

Introduction

When creating the Certificate Requests database, the “manual” option was selected in the Request Processing field in the database configuration document. After merging the certificate, the request must be manually processed.

Processing Requests

To manually process the certificate request:

1. Open the Certification Request (certreqNorth.nsf) database. Expand the Submitted/Waiting for Approval view.

2. A pending Server Request should appear. Press F9 if it is not visible.

3. Select the document and click Submit Selected Requests.

4. Click OK at the dialog: “Successfully submitted 1 request(s) to the Administration Process.”

5. Examine the Server Request. It should have a status of “submitted.”

6. Open the Administration Requests database (admin4.nsf).

7. Make sure the CA process is loaded on the server.

8. Expand the Certification Authority Requests view and select Certificate Requests.

9. Edit the document and click Approve Request.

Note: This step has to be performed by someone that has been granted RA access to this Internet Certifier.


10. The status of the document in admin4.nsf should change from “New” to “Approved.”

11. The server console should indicate that a request was processed and the document in admin4.nsf should change from Approved to Issued.

12. Open the Certificate Request (certreqNorth.nsf) database and select the Submitted/Waiting for Approval view.

13. Select the document and click Pull Selected Requests.

14. A cross certification request will appear. If the defaults are accepted, an Internet Cross Certificate will be created in your local address book. Click Cross Certify.

Note: The reason for the “cross certify” request is that the document signature is not the Organization (DominoSix), but rather the Internet Certifier, “North.” Notes always checks document signatures, so unless the Internet Cross Certificate is in your local address book, the prompt for the cross certificate will occur each time an attempt is made to use the North certifier. The first time this is accessed, Administrators may want to choose the appropriate Domino certifier for your server. The Internet Cross Certificate will then be dropped into the Domino Directory and any administrator that might need the cross certificate can download it by using Actions > Retrieve Certificates from Home Server in the Notes client.


15. Once the cross certification process has been completed, the request will be pulled from the Administration database.

16. To see the certificate in your address book, open the local address book, expand the Advanced view and select the Certificates view.

17. Open the Issued/Rejected view of the Certification Requests database. Locate the Server request document.

18. Open the document and copy the “Request ID” to the clipboard.

19. In the same database, choose Domino Key Ring Management > Pickup Key Ring Certificate.


20. Enter the key ring file name and password, paste the pickup ID, and click Pickup Certificate.

21. Verify the information in the “Merge Signed Certificate Confirmation” dialog and click OK.

22. Once the certificate is merged a success dialog appears.


23. Transfer the keyfile.kyr and keyfile.sth files from the data directory of the client to the data directory of the server.


Configuring the HTTP Server for SSL

Introduction After processing the certificate request, the next step is to enable SSL on the server.

Enabling SSL

To enable SSL on the server:

1. In the Administration Client, select the Configuration tab. Expand Server and select Current Server Document.

2. Edit the document and select Ports > Internet Ports. By default, the file name keyfile.kyr should already be filled out. Enter values on the Web tab as in the example below.

3. Switch to the server console and enter the command: tell http restart.

Verifying SSL

To verify the SSL configuration:

1. Create a database on the server with the file name of web.nsf. Use the discussion or document library templates.

2. When the database opens, check the ACL and make sure that Anonymous is set to No Access. Give at least Author access to a user for this test.


3. Close the database and try to open it with a browser using https with a URL like the following: https://FullyQualifiedInternetHostName/web.nsf.

Note: The steps in this section assume you are using Microsoft Internet Explorer.

4. A prompt to accept the Internet certificate will appear.

5. Click View Certificate to see that it is from “North.”


6. Click Install Certificate.

Note: Keep in mind that this certificate will only be in this browser on this particular machine. The certificate will have to be imported to each browser on every machine that is used. If this option is unacceptable or if importing Internet certificates into the Notes client is an option, see the Domino on-line Help topic: “Exporting and importing Internet certificates.”

7. At the “Welcome to the Certificate Import Wizard” dialog, click Next.

8. Choose “Automatically select the certificate store based on the type of certificate.”

9. At the “Completing the Certificate Import Wizard” dialog, click Finish.

10. Click OK on the message: “The import was successful.”

11. Click Yes on the “Security Alert.”


12. Click Yes to be prompted for the name and password of the user.

13. Enter the name and password and click OK.

14. When using certain templates (for example, the discussion or document library templates) a “Security Information” dialog will appear. To see the padlock in the browser to prove that SSL is working, click No. Otherwise, click Yes, which means that some of the information on the page will not be encrypted.

15. The view for the database should appear and, depending on which JVM is being used, users may receive this dialog (for the Microsoft JVM, there would be no prompt).


19. Click More Details to see detailed information about this request.

20. Click Close to accept the certificate into the JVM and then click Always on the previous dialog box which will reappear.

21. It is possible to receive more requests to trust certifiers depending on the JRE that is being used. Once the users have accepted those requests, the SSL connection will be made.

Note: When only Server Authentication is enabled on the Domino server, the server’s identity is authenticated by a client, but the client’s identity is not authenticated by the server. For the Internet client to authenticate the server’s identity, the client checks the public key in the Domino server’s Internet certificate and verifies that the Domino server’s CA is marked as a trusted root in the browser.

When server authentication AND client authentication are both enabled on the Domino server, the server’s identity is authenticated by a client and the client’s identity is authenticated by the Domino server. For the server to authenticate the client’s identity, it checks the Person document in the Domino Directory that contains the SSL public key from the client certificate. The same Person document also lists the names that a Domino server can use to authenticate the Internet client.
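The two checks described in the note above, as an added example in Go (this is not code from the original document or from Domino). It builds a constructed lab PKI standing in for the “North” certifier, then performs server authentication the way a browser does (the server certificate must chain to a CA marked as a trusted root and be issued for the host contacted) and client authentication the way the text says the Domino server does (the client certificate must chain to the root, and its public key must match one stored in a Person document). The host name domino.example.test, the Person names, and the persons map that stands in for the Domino Directory are assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// labPKI is a constructed stand-in for the "North" certifier: a self-signed CA plus one server and one client certificate.
type labPKI struct{ CA, Server, Client *x509.Certificate }

// issue generates a P-256 key for the subject and signs template with parentKey (nil means self-signed).
func issue(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// leaf builds an end-entity template valid for twelve hours with a single extended key usage.
func leaf(serial int64, subject pkix.Name, eku x509.ExtKeyUsage, dnsNames []string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      subject,
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
}

// buildLabPKI creates everything in memory; host and user names are assumptions for this example.
func buildLabPKI() (*labPKI, error) {
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"North"}, CommonName: "North CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, caKey, err := issue(caTmpl, caTmpl, nil)
	if err != nil {
		return nil, err
	}
	server, _, err := issue(leaf(2, pkix.Name{CommonName: "domino.example.test"},
		x509.ExtKeyUsageServerAuth, []string{"domino.example.test"}), ca, caKey)
	if err != nil {
		return nil, err
	}
	client, _, err := issue(leaf(3, pkix.Name{Organization: []string{"DominoSix"}, CommonName: "Test User"},
		x509.ExtKeyUsageClientAuth, nil), ca, caKey)
	if err != nil {
		return nil, err
	}
	return &labPKI{CA: ca, Server: server, Client: client}, nil
}

// serverAuthentication is the browser-side check from the note: the server certificate
// must chain to a CA marked as a trusted root and must be issued for the host contacted.
func serverAuthentication(trustedRoot, serverCert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := serverCert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// clientAuthentication is the server-side check: the client certificate must chain to the
// trusted root, and its public key must match one stored in a Person document. persons is a
// constructed stand-in for the directory: Person name -> DER SSL public key from the certificate.
func clientAuthentication(trustedRoot, clientCert *x509.Certificate, persons map[string][]byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := clientCert.Verify(opts); err != nil {
		return "", err
	}
	for name, spki := range persons {
		if bytes.Equal(spki, clientCert.RawSubjectPublicKeyInfo) {
			return name, nil
		}
	}
	return "", fmt.Errorf("no Person document holds the public key presented by %q", clientCert.Subject.CommonName)
}
```

Calling buildLabPKI once and then serverAuthentication(pki.CA, pki.Server, "domino.example.test") returns nil, while a wrong host name or a root from a second, unrelated buildLabPKI call makes it fail; clientAuthentication returns the Person name only when the chain verifies and the key is on file, so presenting the server certificate as a client certificate, or a client certificate whose key is in no Person document, is rejected.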


Installing the Client Certificate for SSL

Introduction

After configuring the HTTP server for SSL, the next step is to install the client certificate for SSL.

Installing Certificates

To install the client certificate for SSL:

1. Access the Certificate Requests database from a browser using the URL http://FullyQualifiedInternetHostName/certreqNORTH.nsf.
2. Click Request Client Certificate.
3. Fill out the following fields:
   • Your Full Name
   • At least one other name component, for example, Organization
   • In the return e-mail field, use a fake address for this example.
4. Click Submit Certificate Request; a confirmation dialog box should appear.
5. Click Yes to receive a confirmation dialog.
6. Leave the browser open and return to the Notes Administration Client.
7. Switch to the Files tab and open certreqNORTH.nsf.


8. Select the Pending/Submitted Requests view.
9. Select the new request and click Submit Selected Requests.
10. A confirmation dialog will appear; click OK.
11. The new client request should change from “Pending Submission to Administration Process” to “Submitted to Administration Process” in the twisty title.
    Note: This step would be skipped had “Automatic” been selected in the configuration of the Certificate Request database.
12. If the Certificate Request database were configured to automatically submit requests, Adminp would drop the request automatically into admin4.nsf (every five minutes). In admin4.nsf, the following steps are then taken:
    a. Open admin4.nsf and expand the Certification Authority Requests view. Select Certificate Requests.
    b. Open the new request and click Edit Request.
    c. Click Approve Request.
    d. In admin4.nsf, the document status should change to Approved.
13. The server console should indicate that the certificate has been processed.


14. Switch to the Certificate Requests database, select the document and click Pull Selected Requests.
    Note: This step would be skipped if “Automatic” had been selected in the configuration of the Certification Request database. Automatic processing moves the approved request back to the Certificate Request database every five minutes.
15. A confirmation that the request was successfully pulled will appear; click OK.
    Note: If an error message appears here instead, it is very likely that the CA process is not loaded on the server. Once the CA process is loaded the certificate should process.
16. Check the user’s Person Document in the Domino Directory. The Administration Process adds information concerning the new Internet Certificate.


17. Once the certificate has been pulled, switch to the Issued/Rejected Certificates view to find the new certificate.
18. Double-click the certificate and copy the “Request ID” to the clipboard in order to pick up the certificate in the browser.
19. Return to the browser and click Pick up Client Certificate. Paste the “Request ID” from the Certificate Pickup document in the Certificate Requests database.
20. Click Pick Up Client Certificate.
21. Click Install Certificate.


22. Click Yes at the following dialog.
23. Click OK on the “Certificate installed successfully” dialog.

Viewing the Certificate

To view the certificate in a browser:

1. View the Internet Certificate in IE by selecting Tools > Internet Options.
2. Select the Content tab and click Certificates.
3. To view detailed information, double-click the individual certificates.


Automatic requests

The preceding process was done manually to show how the process works. In most situations, the administrator will have the process set up to run automatically. When the process runs automatically, the user will receive an e-mail after the certificate is approved by adminp and pulled over to the Certificate Requests database. The e-mail looks like this:

To: [email protected]
From: Bob Admin/DominoSix
Subject: Your certificate request has been approved

This mail indicates that your web request for a certificate has been approved. To continue with the installation of your certificate, click the following link, or paste it into your browser address bar if it is not clickable:

http://FullyQualifiedInternetHostName.com/certreqNORTH.nsf/R5+Client+Pickup?OpenForm&REQUESTID=161AABFEFAD16E1C86256FAF006B2D61

Alternate method: Use your certificate pickup ID: 161AABFEFAD16E1C86256FAF006B2D61 to pick up your certficate at the "Pick Up Certificate" page: http://FullyQualifiedInternetHostName.com/certreqNORTH.nsf/R5+Client+Redirect?OpenForm

In this case, when the user copies the top URL in the e-mail to a browser, they go straight to the certificate pickup screen.

This process eliminates steps for the end user and makes the process less confusing.

Note: If Automatic process is chosen for the Certificate Requests database, make sure the signer of the agents is listed in “unrestricted methods and operations” in the Security tab of the server document.


Testing the Client Certificate

Introduction

After installing the client certificate for SSL, administrators should test the configuration.

Testing the certificate

To test the client certificate configuration:

1. In the Server document, select Ports > Internet Ports.
2. Choose “Yes” for “Client certificate.” This will force the server to request client certificates.
3. Recycle the HTTP server by entering the command tell http restart.
4. Use the browser to open the database created earlier: https://FullyQualifiedInternetHostName/web.nsf.
5. A certificate selection dialog should appear; click OK. If the client certificate has not been successfully imported, there will be no certificate to select in the dialog.
6. Click View Certificate to see the “North” Internet certificate.


7. Click OK and then, when the previous screen appears, click OK again.
8. After these steps, connection to the web page should be allowed.


Option Three - Migrating an R5 Internet Certifier to the CA Process

Introduction

The third option when configuring the CA process is to migrate an R5 Internet certifier to the CA process (the same application can be used in Domino 6).

Migrating an R5 Certifier

To migrate an R5 Internet certifier to the CA process:

1. From the Administration client, select the Configuration tab.
2. From the Tools menu click Migrate certifier.
3. Click the Select button and choose the CAKey.kyr file for the certifier to be migrated. Choose Select, then type the password for the certifier and click OK.


4. Choose Server ID for “Encrypt certifier ID with:”.
5. Click OK.
6. Click OK on the “Success: A newly created, migrated or recovered certifier will be available…” dialog.
7. This process creates two requests in the Administration Requests database.
8. Open admin4.nsf and select the Requests > All requests by server view.
9. Look for the “Modify CA Configuration in Domino Directory” document. There should also be a “Store Certificate Revocation List in Domino or LDAP Directory” document.


10. As the requests are processed, check the server console for the following error:

Admin Process: Received the following error performing a store Certificate Revocation List in Domino or LDAP Directory request on CN=DominoSecure/O=Domino/ST=Texas/C=US to be created. Will try to process this request again at 04/06/2005 10:05:58 AM.

When creating an Internet certifier, two adminp requests are created: one to create the certifier record, one to store the CRL. The error indicates that the request that stores the CRL tried to execute before the certifier document was created, so the request will be retried later. The process will complete automatically; to help it along, type tell adminp process all and tell ca refresh at the server console.
11. From the server console, issue the command tell ca status. The results will show that the Internet certifier has been migrated.
12. To view the certifier document that is created, switch to the Certificates view on the Configuration tab of the Administration client.


Option Four – Using the CA Process with S/MIME

Introduction

The fourth option for using the CA process is to configure it for use with S/MIME.

S/MIME Defined

S/MIME stands for Secure Multipurpose Internet Mail Extension. S/MIME is a secure e-mail standard based on the e-mail standard MIME. S/MIME does not play a key role in standard Notes e-mail; Notes uses its own features to protect Notes Mail. However, not everyone is in a Notes environment. Domino administrators use the CA process to automatically issue X.509 certificates to Notes users, allowing them to use S/MIME without having to acquire digital IDs on their own. To do this, the Domino administrator selects Person records from the Domino Directory and chooses Actions > Add Internet Cert to Selected People. The Administration Process then issues an Internet certificate for each user based on the public key stored in the Person record. When the user next authenticates with their home server, the certificate is automatically added to the user's ID file.

A Notes user ID file can store both Notes and Internet certificates. Notes certificates are always present, but Internet certificates must be issued by Domino administrators. There is an automatic process in the Domino Directory to issue Internet certificates.

Adding certificates

To store Internet certificates in Person documents:

1. From the Domino Administrator, select the People & Groups tab. Expand the People view.
2. Select the names of the users who need Internet certificates.
   Note: All Notes users must have valid Internet addresses specified in their Person documents.
3. Choose Actions > Add Internet Cert to Selected People.
4. Select the correct registration server, which appears at the top of the dialog next to the Server button.
5. Choose the option to use the CA process.
6. Choose the “Supply the certifier key ring file and password” option to use the flat CA's key ring file.
7. In the “Add Internet Certificates to Selected Entries” dialog, confirm that the expiration date is valid. Change the date, if necessary.


8. Click Certify.
9. Click OK at the status dialog.
10. Open the Administration Requests database. In the Administration Requests database the request will appear in two different places.
11. Select Certification Authority Requests > Certificate Requests to see the issued certificate.
12. Select Requests > All Requests by Server to see the request to store the certificate in the Domino Directory.


13. Open a Person document for one of the people selected previously. The certifier will also be added to the Person document.

Note: The next time the user accesses their mail file or opens any database on the server, Notes recognizes that there is a certificate in the Person document that is not in the user's ID file. That certificate is then automatically placed in the user's ID file.

Viewing certificates

To see the Internet certificate in the Notes ID file:

1. From the Notes client, select File > Security > User Security > Your Identity > Your Certificates.
2. Select “Your Internet Certificates” from the drop-down list.
3. Click Close.


Administration of the CA Process

Introduction

The following section of this document covers CA components, administration tasks and relevant commands.

ICL database

The core of a CA certifier is the Issued Certificate List (ICL) database created when the certifier is created or migrated to the CA process. Each certifier has its own ICL database. The ICL stores a copy of each unexpired certificate it issued, certificate revocation lists (CRLs), and CA configuration documents. Configuration documents are generated when the certifier is created and signed with the certifier's public key. After these documents are created, they cannot be edited. CA configuration documents include:
• Certificate profiles containing information about certificates issued by the certifier.
• A CA configuration document containing information about the certifier.
• RA/CA association documents containing information about the RAs who are authorized to approve/deny certificate requests. (There is one document for each RA.)
• An ID file storage document containing information about the certifier ID.
• The Certifier document, which is created in the Domino Directory when the certifier is set up. This document can be modified.

CRL database

One of the big advantages of using the CA process for SSL is the CRL. A CRL is a time-stamped list identifying revoked Internet certificates (only Internet certificates), for example, certificates belonging to terminated employees. The CA process issues and maintains CRLs for each Internet certifier. A CRL is associated with a certifier, is signed by that certifier, and resides in the certifier's ICL database. To find the list of revoked certificates, hold down the CTRL and SHIFT keys while opening the appropriate ICL database. The $RevokedCerts view contains a list of revoked certificates.

A copy of the CRL is also stored in the Domino Directory, where it is used to assert certificate validity by entities that require certificate authentication. Users wishing to check a CRL would access the CRL in the Domino Directory by opening the CA's certifier document.

CRLs can be used to manage the certificates issued in your organization. Certificates can easily be revoked if the subject of the certificate leaves the organization or if the key has been compromised. HTTP servers and Web browsers check the CRLs to determine whether a given certificate has been revoked, and is therefore no longer trusted by the certifier. Internet Site documents can be used to configure Internet protocols on the Domino server, and can also be used to enable CRL checking for each protocol.


Configuring CRLs

The CRL is configured when a new Internet certifier is created. Administrators specify the length of time for which a CRL is valid and the interval between publication of new CRLs. After CRLs are configured, the certifier issues them on a regular basis and they operate unattended.

CRL types

There are two kinds of CRLs: regular and non-regular. For regular CRLs, administrators configure a duration interval (the time period for which the CRL is valid) and the interval at which new CRLs are issued. Each certifier issues a CRL at the specified time, even if no certificates have been revoked since the last CRL was issued. This means that if an administrator revokes a certificate, it appears in the next scheduled CRL issued by the certifier. The CRL duration period should be greater than the time period between each CRL issuance. This ensures that the CRL remains valid; otherwise, the CRL could expire before a new one is issued.

However, in the event of a critical security break (for example, if the administrator needs to revoke a particularly powerful certificate or the certifier certificate is compromised) the administrator can manually issue a non-regular CRL, that is, an unscheduled CRL, to enforce the emergency revocation. This type of revocation does not affect either the timing or the content of the next scheduled CRL. Use a Tell command to issue a non-regular CRL.

Purpose of a CA database

The original intent is for all applications to refer to the CA configuration database attached to the certifier document for CA configuration information, in order to support the lockbox model of the certifier. Under the lockbox model, administrators can put the ICL database and the CA process on a dedicated machine in a secure location. For ultimate security, this machine is not connected to the network.

The attachment database in the certifier record does not contain the IDStorage document. This database is a subset of what the ICL contains: it holds only the active set of CA configuration settings (the RA/CAA association and the certificate profile documents). Changes occur on the ICL database first, and then a request is dropped into admin4.nsf by the CA process. This request is processed and the certifier document is updated.


Overview – Administrator Roles

Introduction

There are two types of administrators connected to the CA process:

• CAA - Certificate Authority Administrator
• RA - Registration Authority

CA admins

The CAA and RA roles are discussed below.

CAA - Certificate Authority Administrator

The Domino certificate authority administrator (CAA) is responsible for these tasks:
• Create and configure certifiers.
• Modify certifiers. For example, only a CA administrator can edit ID recovery information for a Notes certifier.
• Add or remove CA and RA administrators, or change the CA and RA roles assigned to users.

The CAA must have at least Editor access to the master Domino Directory for the domain. As a best practice, designate at least two CAAs for each certifier, since the CAA is the “super power administrator” that manages the CA process; with two there is a backup if one leaves the organization. By default, the administrator who creates a certifier is automatically designated as both a CAA and an RA for that certifier.

Note: In much of the client user interface (such as the Modify Certifier tool) the CAA is listed as the CA.

RA - Registration Authority

All certificate requests, Notes and Internet, must be signed by an authorized administrator, or RA, before the CA process will sign certificates. Remember that the RA does not need access to the certifier ID file; only the CA process needs access to the certifier ID file. Since there can be many RAs, more administrators can be granted rights without compromising the security of the certifier ID file. The Domino Registration Authority (RA) administrator is responsible for these tasks:
• Register users, servers, and additional Notes certifiers.
• Approve or deny Internet certificate requests.
• Revoke certificates if they can no longer be trusted, such as if the subject of the certificate leaves the organization, or if the key has been compromised.

Note: RAs must have at least Author access to the master Domino Directory for the domain, with both the privilege "Create document" and the role "User Creator" enabled. The RA has the access to handle day-to-day operations: registration of users and approving or denying certificate requests.


CA Commands

Introduction

Administration of the CA process uses several console commands that are listed here for your reference.

CA tell commands

To administer the CA process, use the following commands:

tell ca quit
    Stops the CA process.

tell ca stat
    Displays summary information for the certifiers using the CA process; this includes the certifier's number, its hierarchical name, certifier type (Notes or Internet), whether it is active, and the name of the ICL database.

tell ca show queue <certifier number>
    Displays a list of pending certificate requests, revocation requests, and configuration modification requests for a specific certifier, using its number from the results of the "tell ca status" command. Administrators can also use * to show this information for all certifiers that are using the CA process.

tell ca activate <certifier number> <password>
    Activates a certifier if the certifier was created with "Require password to activate certifier," or any certifier that has been deactivated. Activation is enabled during CA setup and creation. Activate a specific certifier by entering its number from the results of the "tell ca status" command, or unlock all server ID/password-protected certifiers at one time by specifying * for the certifier number; the CA process then prompts for the password for each certifier.

tell ca deactivate <certifier number>
    Deactivates a certifier. Use * to deactivate everything, or deactivate a specific certifier by entering its number from the results of the "tell ca status" command.

tell ca lock <idfile>
    Locks all certifiers that were set up with a lock ID, as specified during CA setup.


tell ca unlock <idfile> <password>
    Unlocks all certifiers using the ID and password that comprise the lock ID. The lock ID is specified during CA setup.

tell ca CRL issue <certifier number>
    Issues a non-regular CRL for a specific certifier, where certifier number is the number of the certifier specified in the results of the "tell ca status" command.

tell ca CRL push <certifier number>
    Pushes a certifier's latest regularly scheduled CRL to the Domino Directory, where certifier number is the number of the certifier specified in the results of the "tell ca status" command.

tell ca CRL info <certifier number> [s/S/n/N]
    Displays CRL information for a specified certifier, where certifier number is the number of the certifier specified by the "tell ca status" command. Use s or S for regularly scheduled CRLs, and n or N for non-regularly scheduled CRLs.

tell ca refresh
    Forces the CA process to refresh its list of certifiers. As a result:
    • newly configured certifiers will be added to the CA process
    • previously unlocked certifiers will need to be unlocked again
    • previously activated certifiers may need to be activated again, if the activation password has changed
    • the Notes certifier ID file in IDStorage will be updated with the latest certificate information (IDStorage is the name of the document in the ICL database that holds the ID for the certifier)

tell ca help
    Lists the tell ca options.


Adding Administrators to a Certificate

Introduction

In some cases, administrators may wish to add administrators to a certificate.

Adding admins to a certificate

To add a CAA or an RA to an existing CA-based certificate:

1. Switch to the Certificates view in the Configuration tab of the Administration client.
2. Open the certifier document and click Edit Certifier. Click Modify CA Configuration. In this example, user “West Admin” is added to the CAA role.
3. Click “Submit”; the new person is processed on the server console.

Note: There has been a reported issue that adminp rename is not updating the RAs or the CAAs in the ICL database. The RA loses ability to perform all functions unless they are removed and re-added to the list. For details, see Technote 1173494 in the Knowledge Base.


Disabling a Certifier

Introduction

To disable an Internet certifier, remove it from the server-based CA process.

Disabling Certifiers

To disable an Internet certifier:

1. Using the Administration Client, switch to the Configuration tab and select the Certificates view.
2. Choose the certificate to be disabled and open it.
3. Click Edit Certifier or double-click the document to edit it.
4. Switch to the CA Configuration tab. Change the value in the “Process Enabled” field to “No”.
5. Click Save & Close.
6. The change will take place automatically the next time the ca refresh process runs (every twelve hours). To apply the change immediately, use the tell ca refresh command at the server console. Use tell ca status to see whether the certifier has been removed; in this example the North certifier was removed, leaving only the West certifier.
7. This can also be confirmed by opening the Certifier document. Once the certifier is disabled, the CA Configuration tab is removed.


Enabling a Certifier

Introduction

In some cases, administrators may need to re-enable a disabled Internet certifier.

Enabling certifiers

To enable a disabled Internet certifier:

1. Using the Administration Client, switch to the Configuration tab and open the Certificates view.
2. Select the certificate to enable and open it.
3. Click the Edit Certifier button.
4. Click Enable for CA Process.
5. At the dialog “CA Process is now enabled” click OK.
6. The change will take place automatically the next time the ca refresh process runs (every twelve hours). To apply the change immediately, enter tell ca refresh at the server console. Use tell ca status to see whether the certifier has been added to the list; in this example “North” is once again listed as active.
7. The CA Configuration tab again appears in the Certifier document.

Note: Administrators can also repeat the CA migration process to enable a certifier; however, this creates a new ICL database.


Revoking a Certificate

Introduction

A CA administrator can easily revoke an Internet certificate if the subject of the certificate leaves the organization, or if the key has been compromised. After a certificate is revoked, it can never again be trusted. When administrators revoke a certificate, especially if a key has been compromised, issue a non-regular CRL so that any entity checking CRLs has the most up-to-date revocation information.

Revoking certificates

To revoke a certificate:

1. From the Domino Administrator, select the Files tab. Open the ICL directory.
2. From the list of ICL databases, open the ICL for the certifier that issued the certificate to revoke.
3. Select the Issued Certificates\By Subject Name view.
4. Open the “Issued Certificate” document for the certificate to be revoked.
5. The document name is the same as the subject name. In this case we will be revoking the certificate for Test User/DominoSix.
6. At the top of the document, click Revoke Certificate.
7. In the “Revocation Reason” dialog box, select the reason for revoking the certificate, and click OK.


8. The server console should indicate that the request has been processed.
9. Enter the command to issue a non-regular CRL: tell ca crl issue 2
10. In the Administration Process database under Requests > All requests by Server, the document called “Remove Certificate from Domino or LDAP Directory” indicates the certificate has been removed.
11. In the Administration Process database under Certification Authority Requests > Revocation Requests is a “RevocationCAAccepted” document for each revoked certifier.


12. The next time the CA process refreshes, the Issued Certificate document will be updated to indicate that the certificate has been revoked. When the Issued Certificate document is opened again, the Revocation Information section will show that the certificate has been revoked, the revocation date and time, the reason for the certificate's revocation, and the date and time the certificate became invalid.

Note: Even publishing the non-regular CRL does not guarantee immediate revocation, because CRL users may continue to use cached copies of a CRL until it expires. It is important that administrators set a reasonable schedule for publication and expiration of CRLs. By default, Domino publishes a CRL on a daily basis, and each CRL has a lifetime of two days. Decreasing these intervals allows for more immediate revocation, at the cost of increased network and directory load as CRL caches are refreshed more often.
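The scheduling rule from the CRL types section (the CRL duration must exceed the issue interval, or a CRL can expire before its successor is published) and the caching caveat in the note above (a relying party may keep using a cached CRL until it expires, even after a non-regular CRL has been issued), as an added example in Go. This is not code from the document or from Domino; the CRLSchedule type, its methods and the 2005 timeline are constructed for illustration, and DominoDefault carries the daily issue and two-day lifetime the note states.

```go
package main

import (
	"fmt"
	"time"
)

// CRLSchedule holds the two values the certifier configuration asks for:
// how often a scheduled CRL is issued and how long each CRL stays valid.
type CRLSchedule struct {
	IssueInterval time.Duration // time between regularly scheduled CRLs
	Duration      time.Duration // validity period of each CRL
}

// DominoDefault mirrors the defaults stated in the text: one CRL per day, each valid for two days.
var DominoDefault = CRLSchedule{IssueInterval: 24 * time.Hour, Duration: 48 * time.Hour}

// Validate enforces the rule that the CRL duration must exceed the issue interval.
func (s CRLSchedule) Validate() error {
	if s.IssueInterval <= 0 || s.Duration <= 0 {
		return fmt.Errorf("crl schedule: issue interval and duration must be positive")
	}
	if s.Duration <= s.IssueInterval {
		return fmt.Errorf("crl schedule: duration %v must exceed issue interval %v, otherwise a CRL expires before the next one is issued",
			s.Duration, s.IssueInterval)
	}
	return nil
}

// CoverageGap is how long relying parties would have no valid CRL between one
// CRL's expiry and the next scheduled issuance; zero for a valid schedule.
func (s CRLSchedule) CoverageGap() time.Duration {
	if s.Duration >= s.IssueInterval {
		return 0
	}
	return s.IssueInterval - s.Duration
}

// NextScheduledCRL returns when a revocation made at revokedAt first appears in
// a regularly scheduled CRL, given when the last scheduled CRL was issued.
func (s CRLSchedule) NextScheduledCRL(lastIssued, revokedAt time.Time) time.Time {
	next := lastIssued
	for !next.After(revokedAt) {
		next = next.Add(s.IssueInterval)
	}
	return next
}

// StillTrustedFromCache reports whether a relying party that fetched the CRL
// issued at lastIssued could still accept a certificate revoked at revokedAt
// when checking at checkAt. A non-regular CRL issued in between does not help
// such a party: it keeps using the cached CRL until that CRL expires.
func (s CRLSchedule) StillTrustedFromCache(lastIssued, revokedAt, checkAt time.Time) bool {
	if !revokedAt.After(lastIssued) {
		return false // the revocation is already listed in the cached CRL
	}
	return checkAt.Before(lastIssued.Add(s.Duration))
}

// WorstCaseRevocationDelay is the longest a revoked certificate can stay accepted
// by a cache-using relying party: the full CRL duration, reached when the
// certificate is revoked just after a scheduled CRL was fetched.
func (s CRLSchedule) WorstCaseRevocationDelay() time.Duration {
	return s.Duration
}

func main() {
	lastIssued := time.Date(2005, 7, 28, 9, 0, 0, 0, time.UTC) // constructed timeline
	revoked := lastIssued.Add(time.Hour)
	fmt.Println("schedule valid:", DominoDefault.Validate() == nil)
	fmt.Println("revocation first in scheduled CRL at:", DominoDefault.NextScheduledCRL(lastIssued, revoked))
	fmt.Println("cached CRL still accepts it one day later:", DominoDefault.StillTrustedFromCache(lastIssued, revoked, revoked.Add(24*time.Hour)))
	fmt.Println("worst-case delay with caching:", DominoDefault.WorstCaseRevocationDelay())
}
```

With the defaults, a certificate revoked an hour after a scheduled CRL is listed in the next scheduled CRL a day later, but a relying party that cached the earlier CRL can accept it for up to the full 48-hour lifetime; shortening Duration is what bounds that window, at the refresh-load cost the note describes.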

Page 57: CA Process

Last edited 7/28/2005 © IBM 2005 57

Removing a Certifier from the CA Process

Introduction

There may be situations where administrators will need to remove a certifier from the CA process.

Removing certifiers

To remove a certifier from the CA process:

1. At the server console issue the command tell ca quit.
2. In the Administration client select the Configuration tab. Select Certificates > Certificates and open the certifier certificate to be removed.
3. On the CA Configuration tab set “Process Enabled” to “No.”
4. (Optional) Delete the “CFG…” attachment from the certifier document.
5. From the Administration Client, select the Files tab and open the ICL folder. Remove the corresponding ICL database by right-clicking the file name and selecting Delete database.
6. On the Files tab, right-click the Certificate Requests database and select Delete database.
   Note: To confirm that this is the correct database, open the database and select the Database Configuration view. The common name of the certifier is in the Supported CA field.
7. To confirm the certifier has been removed from the CA process, issue the command tell ca stat from the Domino server console. The certifier will not be present in the list.


Administration Tips

Introduction

This section describes general tips for CA process administrators.

Modifying certifiers

There are two ways to modify a certifier. Both can only be done by a CAA:
• Via the certifier document. The only modification that can take place here is to the CAA and RA fields.
• Via the Administration client using Modify Certifier. Administrators can perform any modification using this method.

General tips

Certificate requests in admin4.nsf can be marked not to be deleted. Administrators may want to periodically archive those documents.

When using the web client, the password for the tell ca unlock and tell ca activate commands is transmitted in plain text, so make sure that all such communication is over SSL.

For the error “Cannot locate user certificate. Make sure server contains your certificate for encryption” during creating, migrating or modifying a certifier, check the Notes client Location document. The “Mail file location” should be Server, not Local.

Notes.ini settings

CA_REQUEST_POLL_INTERVAL=<number of seconds>
    Default 10 seconds. Time waited before processing certificate requests, revocation requests, and requests to modify a certifier.

CRL_REQUEST_POLL_INTERVAL=<number of seconds>
    Default 300 (5 minutes). The time between the scheduled running of the push and issue tell commands.

CA_UPDATE_INTERVAL=<number of hours>
    Default 12. Only works with Notes certifiers. In Notes, the certifiers keep track of the latest certificate tables for that certifier, and there may be recovery information which could change.


Encrypting the Certifier ID

Introduction
Administrators have three choices when choosing how to encrypt a certifier ID:

• Server ID
• Require password to activate
• Locking ID

Server ID
Encrypting with the Server ID is the most basic form of security, and also the least secure. No additional actions are needed to activate or unlock the certifier. This is the option used earlier in this document.

Password to activate
This option provides medium security. To require a password for activation:

Step 1. Check the Require password to activate option and enter a password for the certifier.
Step 2. At the server console, issue the commands:
    tell ca refresh
    tell ca status
   The newly migrated certifier will be listed; however, it will not be active.
Step 3. Use the command tell ca activate [3] password to activate the certifier, where [3] is the certifier's number in the tell ca status list. tell ca status then shows that the certifier is active.

Note: Encrypting a certifier ID with the password-protected Server ID option protects only that certifier. With a Locking ID, multiple certifiers can be protected.


Locking ID
Using a Locking ID provides the highest security for a certifier because it uses an individual's user ID and password to lock the certifier. To use a Locking ID:

Step 1. Select the Locking ID radio button and click the Locking ID button.
Step 2. Choose the user ID to use to lock the certifier and click OK.
Step 3. The user's ID appears next to the Locking ID button.
Step 4. Switch to the server console and enter:
    tell adminp process all
    tell ca refresh
    tell ca status
   The certifier is present, but not active.
Step 5. To make it active, enter tell ca unlock <idfile> <password>, where <idfile> is the full path to the locking ID file.

Note: With the Locking ID, all of the certifiers that were locked with that ID will activate at once.


Removing Passwords for Certifier Activation

Introduction
Administrators can configure the CA process to no longer require a password for certifier activation.

Removing activation passwords
To remove the password for certifier activation:

Step 1. From the Administration client, click Modify Certifier in the Tools bar.
Step 2. Choose the Issued Certificate List ("ICL") database radio button and then click Select.
Step 3. Open the directory holding the ICL databases. Choose the ICL database for the certifier to be changed.
Step 4. Once the database has been selected, the file name is shown on the Modify Certifier dialog. Click OK.
Step 5. The next screen shows the option chosen earlier for this certifier. Change this option to Server ID and click OK.
Step 6. Click Yes at the warning: "This process will modify the current certifier information…"
Step 7. Click OK on the "Success…" dialog.
Step 8. The change can be seen in the admin4.nsf Requests > All requests by Server view.

The next time the server is started, the certifier should be activated without requiring a password. This also works with the Require Password to Activate option.


Renaming the ICL Database

Introduction
In some situations it may be necessary to rename the ICL database.

Note: The Administrator will need Designer access to rename the ICL database.

Renaming ICL
To rename the ICL database:

Step 1. Shut down the CA process on the server using the command tell ca quit.
Step 2. In the Administration client, select the Configuration tab, expand the Certificates view and open the Certifier document.
Step 3. Take note of the value in the "ICL Path" field on the CA Configuration tab. It will be used in later steps. The ICL Path field is a computed field and cannot be changed directly; its field type must first be changed in the Designer client.
Step 4. Close the Certifier document.
Step 5. Launch the Domino Designer client.
Step 6. Open the Domino Directory.
Step 7. Open the form called Server/Certifier and go to the CA Configuration tab. Change the ICL Location field from computed to editable. Save the change and close the Designer client.
Step 8. Switch to the Administration client.
Step 9. Select the Configuration tab and expand the Certificates view. Open the certifier document again. Enter the new name of the database in the ICL Path field.
Step 10. Save and close the document.
Step 11. In an Explorer window, browse to the location of the ICL database.
Step 12. Using the name from the original ICL Path entry, rename the file.
Step 13. Reload the CA process task using the command Load ca.
Step 14. The CA process should initialize the certifier and the process should be complete.
Step 15. In the Designer client, change the ICL Location field from editable back to computed.
Step 16. Restart the Administration client to see the new database name under the Files tab.


Confirming a CRL has run using the CA Process

Introduction
There are several methods of confirming that the CRL has run using the CA process:

• The certifier document
• The ICL database
• The server console

Certifier document
The CRL is stored in the certifier document, in the certificateRevocationList field. This information is not in a readable format, nor is there any tool to annotate or translate it.

ICL database
To see the CRLs that have been processed, navigate to the ICL directory (by default Lotus >> Domino >> data >> icl) and hold down the Ctrl and Shift keys when opening the ICL database. The view called $CRLView lists all of the CRLs. In the first column, a "1" means the CRL was a scheduled CRL; a "2" indicates that a non-regular CRL was issued. The second column has the date and time of the CRL.

Server console
The server console can also be used to view the most recent CRL with the console command "tell ca crl info [certifier number] [s/S/n/N]". Assuming that the certifier the CRL is issued for is the second certifier listed in tell ca status:

Use "tell ca crl info 2 s" to view the most recent scheduled CRL. The "s" or "S" stands for "scheduled." The output from the console looks like this:

    > tell ca crl info 2 s
    03/17/2005 01:55:21 PM CA show latest scheduled CRL for CN=North:
    03/17/2005 01:55:21 PM Issue Date: 03/16/2005 04:06:27 PM
    03/17/2005 01:55:21 PM Next Schedule On or Before: 03/18/2005 04:06:27 PM

Use "tell ca crl info 2 n" to view the most recent non-scheduled CRL. The "n" or "N" stands for "non-scheduled." The output from the console looks like this:

    > tell ca crl info 2 n
    03/17/2005 01:31:43 PM CA show latest non-scheduled CRL for CN=North:
    03/17/2005 01:31:43 PM Issue Date: 03/17/2005 01:26:22 PM
    03/17/2005 01:31:43 PM Next Schedule On or Before: 03/18/2005 04:06:27 PM


Confirming Certificate Revocation

Introduction
There are three ways to confirm that an Internet certificate has been revoked:

1. Open the ICL database for that certifier (by default in the Lotus\Domino\data\icl directory). In the Issued Certificates By Subject Name view, find the revoked person's name and open their document. Examine the "Revocation Information" section of the document. If there is a checkmark in the "This certificate has been revoked" field, the certificate has been revoked.

2. Open the ICL database while holding down the Ctrl and Shift keys. A view called $RevokedCerts lists all of the revoked Internet certificates by date and time.

3. The server console displays up to ten revoked certificates at a time when you issue the command "tell ca crl info [certifier number] [s/S/n/N]".

Console commands
Assuming that the certifier the CRL was issued for is the second certifier listed in tell ca status:

• Use "tell ca crl info 2 s" to view up to ten revoked certificates from a regularly scheduled CRL. The "s" or "S" stands for "scheduled":

    > tell ca crl info 2 s
    03/17/2005 01:55:21 PM CA show latest scheduled CRL for CN=North:
    03/17/2005 01:55:21 PM Issue Date: 03/16/2005 04:06:27 PM
    03/17/2005 01:55:21 PM Next Schedule On or Before: 03/18/2005 04:06:27 PM
    03/17/2005 01:55:21 PM 1 Revoked Certificate:
    03/17/2005 01:55:21 PM 0. Certificate #: 6d4081b52027b0bcd08e7b53072382e9d2cb9a8a

• Use "tell ca crl info 2 n" to view up to ten revoked certificates from a non-regularly scheduled CRL. The "n" or "N" stands for "non-scheduled":

    > tell ca crl info 2 n
    03/17/2005 01:31:43 PM CA show latest non-scheduled CRL for CN=North:
    03/17/2005 01:31:43 PM Issue Date: 03/17/2005 01:26:22 PM
    03/17/2005 01:31:43 PM Next Schedule On or Before: 03/18/2005 04:06:27 PM
    03/17/2005 01:31:43 PM 2 Revoked Certificate:
    03/17/2005 01:31:43 PM 0. Certificate #: 48ed9237a769bff0d14b3742887e2a5563cc240e
    03/17/2005 01:31:43 PM 1. Certificate #: 583eb8f6857484e728b14673dbd52ad071506ff2

In the output, the Certificate # is the Serial Number from the Issued Certificate document in the ICL database for the user.

Note: For information on revoking an Internet certificate, see the Domino Administrator help database.
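When an administrator saves the console output above to a file, the revocation check described in this section and the previous one can be automated. The following Python script is an added example, not part of the IBM document: it strips the console timestamps, parses the CRL window and the revoked serial numbers, and flags when the console's ten-entry limit means the listing is incomplete. The sample text is the non-scheduled listing shown above.

```python
# Added example (not IBM's code): parse 'tell ca crl info' console output.
import re
from datetime import datetime

# Each Domino console line starts with "MM/DD/YYYY HH:MM:SS AM/PM ".
_TS_PREFIX = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M ")
_DATE_FMT = "%m/%d/%Y %I:%M:%S %p"

# Sample input: the non-scheduled CRL listing shown in the text above.
SAMPLE_CRL_INFO = """\
> tell ca crl info 2 n
03/17/2005 01:31:43 PM CA show latest non-scheduled CRL for CN=North:
03/17/2005 01:31:43 PM Issue Date: 03/17/2005 01:26:22 PM
03/17/2005 01:31:43 PM Next Schedule On or Before: 03/18/2005 04:06:27 PM
03/17/2005 01:31:43 PM 2 Revoked Certificate:
03/17/2005 01:31:43 PM 0. Certificate #: 48ed9237a769bff0d14b3742887e2a5563cc240e
03/17/2005 01:31:43 PM 1. Certificate #: 583eb8f6857484e728b14673dbd52ad071506ff2
"""

def parse_crl_info(console_text):
    """Return certifier, issue/next-schedule dates, revoked count and serials."""
    info = {"certifier": None, "issue_date": None, "next_schedule": None,
            "revoked_count": 0, "serials": []}
    for raw in console_text.splitlines():
        body = _TS_PREFIX.sub("", raw.strip())
        if body.startswith(">"):                     # echoed console command
            continue
        if m := re.search(r"CRL for (CN=.+):$", body):
            info["certifier"] = m.group(1)
        elif m := re.match(r"(Issue Date|Next Schedule On or Before): (.+)$", body):
            key = "issue_date" if m.group(1) == "Issue Date" else "next_schedule"
            info[key] = datetime.strptime(m.group(2), _DATE_FMT)
        elif m := re.match(r"(\d+) Revoked Certificate", body):
            info["revoked_count"] = int(m.group(1))
        elif m := re.match(r"\d+\. Certificate #: ([0-9a-fA-F]+)$", body):
            info["serials"].append(m.group(1).lower())   # ICL "Serial Number"
    return info

def is_revoked(info, serial):
    """True if the ICL Serial Number appears on the parsed CRL listing."""
    return serial.lower() in info["serials"]

def listing_complete(info):
    """False when the CRL holds more entries than the console displayed (max ten)."""
    return info["revoked_count"] == len(info["serials"])

def crl_is_current(info, now):
    """True while 'now' is in the CRL window; caches may use it until next_schedule."""
    return info["issue_date"] <= now <= info["next_schedule"]
```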


Creating a Local Copy of the Certifier ID

Introduction
For convenience, Administrators may wish to create a local backup copy of the certifier ID. The purpose of backing up the certifier locally is that it can be used for recovery should error messages appear when loading the CA process or entering the tell ca refresh command.

Create a local certifier
To create a local copy of the certifier ID:

Step 1. From the Domino Administrator client, select the Miscellaneous tab and click Create a local copy of the certifier ID.
Step 2. Click Set ID File to specify the certifier ID file name and enter the password.
Step 3. Click OK.
Step 4. A copy of the certifier ID is saved to the default path \notes\data\ids\certs\cert.id, but Administrators can select a different path. Use this local copy of the certifier ID as a backup to re-create the certifier if it becomes corrupted.


Recovering a Certifier

Introduction
In certain circumstances, Administrators may need to recover a certifier.

Recovering a Certifier
To recover a certifier:

Step 1. From the Administrator client, select the Configuration tab.
Step 2. In the Tools pane, choose Certification > Modify Certifier.
Step 3. Select the CA server from the list, and click OK.
Step 4. Select the certifier to recover by doing one of the following:
   • Select the certifier document from the Domino Directory
   • Select the certifier ICL database
Step 5. Administrators may be prompted for the certifier ID and password. Enter the path and filename for the local copy of the ID created when the certifier was first set up, and click OK.
   Note: The prompt for the certifier ID occurs only if the certifier determines that it cannot proceed without it.
Step 6. In the "Certifier CN=Recover" dialog, confirm that the certifier information is correct.
Step 7. Click OK and click Yes when asked to modify the certifier.
Step 8. Click OK when the certifier is successfully modified.

Note: If the certifier is still having problems, for example if configuration documents are corrupted or missing, replace the ICL database with the backup copy. The location of the ICL database is specified in the certifier document.


Self-service resources on the web:

Lotus software support

The Lotus software support web site provides content to help you troubleshoot issues, plan deployments, and subscribe to product news. You can even submit and track problems with your IBM Customer Number. http://www.ibm.com/software/lotus/support

Lotus Domino support page

This product support page offers the latest troubleshooting resources, patches, product Flashes, and other important content specific to Lotus Domino. http://www.ibm.com/software/lotus/support/domino/support.html

developerWorks: Lotus

This page offers IBM's technical resources for Lotus Domino developers, such as articles.
developerWorks: Lotus: http://www.ibm.com/developerworks/lotus
Notes and Domino: http://www.ibm.com/developerworks/lotus/products/notesdomino

Notes/Domino 6 discussion forum

The Notes/Domino 6 discussion forum is an excellent source of information regarding Notes and Domino issues. The questions and answers posted by your peers can be quite helpful when you are researching an issue, sometimes preventing the need to submit a problem to software support! http://www.lotus.com/ldd/nd6forum.nsf

Product documentation

The documentation web page offers the latest Release Notes, Help files, White Papers, etc. for Lotus Domino. http://www.lotus.com/ldd/notesua.nsf/find/domino