
Administering a Domino CA

There are a number of tasks associated with managing a certifier. If you implement a certifier that uses the
CA process, you can delegate Notes and Internet certificate request approval and denial to other
administrators, each of whom acts as a registration authority.
Note Many of the manual tasks associated with managing a CA prior to Domino 6 are now automated
when you use the CA process.
Domino certificate authority administrator tasks
The Domino certificate authority administrator (CAA) is responsible for these tasks:
Create and configure certifiers.
Modify certifiers. For example, only a CA administrator can edit ID recovery information for a
Notes certifier.
Add or remove Certification and Registration Authority administrators, or change the CA and RA
roles assigned to users.
The CAA must have at least Editor access to the master Domino Directory for the domain.
As a best practice, designate at least two CAAs for each certifier. You then have a backup if one leaves the
organization.
Note By default, the administrator who creates a certifier is automatically designated as both a CAA and an
RA for that certifier. When you create additional CAAs, they must be assigned the RA role in order to
register users.
Domino Registration Authority administrator tasks
A registration authority (RA) administrator registers Notes users and Domino servers, approves or denies
Internet certificate requests, and, if necessary, revokes Internet certificates. While a CA administrator can
also be a registration authority, the main advantage of having a separate RA role is to offload these tasks
from the Domino and/or CA administrator. Moreover, the Domino administrator can establish one or more
RAs for each certifier enabled for the CA process.
An RA should approve only those requests that will be accepted by the certifier. The CA Configuration
document, stored in the CA's ICL database, describes what is acceptable.
Domino administrators who register Notes users should also be listed as RAs for the Notes certifier.
If you are using the Web Administrator client, you need to set up a server-based certification authority to
register Notes users. The Web administrator, as well as the server on which the Web Administrator database
resides, must be listed as an RA for that certifier.
The Domino Registration Authority (RA) administrator is responsible for these tasks:
Register users, servers, and additional Notes certifiers.
Approve or deny Internet certificate requests.
Revoke certificates if they can no longer be trusted, such as if the subject of the certificate leaves
the organization, or if the key has been compromised.
Note CAs and RAs must have at least Editor access to the master Domino Directory for the domain.
Migrating a certifier to the CA process
To migrate an existing certifier to the CA process, you set up an Issued Certificate List (ICL) database and
configure its certificate duration. In addition, for Internet certifiers, you configure CRL and key usage
information for the certificate.
1. From the Domino Administrator, click Configuration.
2. In the Tools pane, choose Certification - Migrate Certifier.
3. In the Migrate Certifier dialog box, click Select.
4. In the "Choose ID/key ring file" dialog box, select the ID or key ring file of the certifier you want to migrate:
Choose the certifier ID (CERT.ID) and click Select to migrate a Notes certifier.
Choose the certifier key ring file and click Select to migrate an Internet certifier.
5. The certifier ID's path and filename now appear in the Migrate Certifier dialog box. Enter the password
for the certifier ID or key ring file and click OK.
6. If you are migrating a Notes certifier, complete the procedure "To migrate a Notes certifier." Otherwise,
see the procedure "To migrate an Internet certifier."
To migrate a Notes certifier
1. On the Basics tab, complete these fields:
Field | Action
Select the server where the certifier will run | Select the server that will store the migrated certifier. Make sure that the client location document points to this server.
Name of ICL database to be created | (Optional) ICLs are created automatically when you create a certifier, and named by default. You can modify the default name (for example, "icl\icl_Acme.nsf" for the Acme certifier). Note Although you can change the location of the ICL, it is recommended that you use the default directory and path.
2. For "Encrypt Certifier ID with," choose one:
Option | Security level | Password required | Action required
Encrypt ID with Server ID | Lowest | None | None
Encrypt ID with Server ID and password | Medium | Enter a new password for this certifier | The certifier must be activated before it processes requests. Use the tell command: tell ca activate <certifier number> <password>
Encrypt ID with Lock ID | Highest | Registered user ID and password | The certifier is locked when you create it. Use the tell command: tell ca unlock <idfile> <password>
Note Encrypting a certifier ID with the password-protected Server ID protects only that certifier. If
you use a lock ID, you have the option of using it with multiple certifiers. You then need to lock
and unlock those certifiers simultaneously.
3. (Optional) In the Administrators list, enter the names of additional CAAs and RAs. The name of the
administrator migrating the CA is automatically included in the list as both a CAA and an RA.
4. On the Certificates tab, complete these fields:
Field | Action
Certificate duration for EE certificate | Enter the default, minimum, and maximum duration, in months, for an end-entity (EE) certificate. An end-entity certificate is granted to servers or end users.
Certificate duration for CA certificate | Enter the default, minimum, and maximum duration, in months, for a certificate authority (CA) certificate. A CA certificate is granted to certifiers.
5. Click OK. A message appears saying that you have successfully migrated the certifier.
6. Add the certifier to the CA process.
To migrate an Internet certifier
1. Migrate the key ring file.
2. Complete the Migrate Certifier dialog as described in the procedure "To create an Internet certifier" later in
this chapter.
Adding a certifier to the CA process
When you create a certifier specifically for the CA process, you must make sure that the CA process task is
running on the server. To manage the CA process, you use Tell commands at the server console.
To add a certifier to the CA process
1. Make sure that you have already migrated or created a certifier.
2. If this is the first certifier you are setting up to use the CA process, or if the CA process is not already
running, at the server console enter:
load ca
3. If the CA process task is already running, it automatically adds newly-created certifiers when it refreshes,
which takes place every 12 hours. However, the time period in which the Administration Requests database
processes CA requests will vary. If you want to hasten the process, at the console enter:
tell adminp process all
tell ca refresh
And then enter the following to see if the new certifier has been added:
tell ca stat
Note To load the CA task automatically at server startup, add ca to the ServerTasks setting in the NOTES.INI file.
Viewing certifiers running under the CA process
You can view a list of all the certifiers running under the CA process. At the server console type:
tell ca status
The server returns a list of all certifiers using the CA process and their current status. The number
associated with each certifier is used in some CA Tell commands.
For example:
10/22/2001 02:38:12 pm CA Process status:
10/22/2001 02:38:12 pm 1. O=Acme
10/22/2001 02:38:12 pm Certifier type: Notes
10/22/2001 02:38:12 pm Active: Yes
10/22/2001 02:38:12 pm ICL DB Path: icl\icl_Acme.nsf
10/22/2001 02:38:12 pm 2. CN=East/O=Acme/ST=Massachusetts/C=US
10/22/2001 02:38:12 pm Certifier type: Internet
10/22/2001 02:38:12 pm Active: Yes
10/22/2001 02:38:12 pm ICL DB Path: icl\icl_East.nsf
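The certifier number in that listing is the handle every per-certifier Tell command takes, so an administrator scripting console work first has to recover it from the status output. The following Python script is an added example, not part of the Domino documentation or product: it parses the listing above (embedded as constructed sample input; the MM/DD/YYYY HH:MM:SS am/pm timestamp prefix is assumed to match the console format shown), resolves a certifier's hierarchical name to its number, and builds the console commands an administrator would type next. The function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: the "tell ca status" listing shown above, as it
# appears on the console with the timestamp prefix on every line.
SAMPLE_STATUS = r"""10/22/2001 02:38:12 pm CA Process status:
10/22/2001 02:38:12 pm 1. O=Acme
10/22/2001 02:38:12 pm Certifier type: Notes
10/22/2001 02:38:12 pm Active: Yes
10/22/2001 02:38:12 pm ICL DB Path: icl\icl_Acme.nsf
10/22/2001 02:38:12 pm 2. CN=East/O=Acme/ST=Massachusetts/C=US
10/22/2001 02:38:12 pm Certifier type: Internet
10/22/2001 02:38:12 pm Active: Yes
10/22/2001 02:38:12 pm ICL DB Path: icl\icl_East.nsf
"""

# Timestamp prefix format is assumed to match the listing above.
TIMESTAMP = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [ap]m\s+")
ENTRY = re.compile(r"^(\d+)\.\s+(\S.*)$")   # e.g. "1. O=Acme"


@dataclass
class Certifier:
    number: int          # the number the per-certifier tell commands take
    name: str            # hierarchical name
    kind: str = ""       # "Notes" or "Internet"
    active: bool = False
    icl_path: str = ""


def parse_ca_status(text: str) -> List[Certifier]:
    """Turn the console listing into Certifier records, in the order listed."""
    certifiers: List[Certifier] = []
    current = None
    for raw in text.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        m = ENTRY.match(line)
        if m:
            current = Certifier(int(m.group(1)), m.group(2))
            certifiers.append(current)
            continue
        if current is None or ":" not in line:
            continue                 # the "CA Process status:" header, or noise
        key, _, value = line.partition(":")   # split on the first colon only
        key, value = key.strip().lower(), value.strip()
        if key == "certifier type":
            current.kind = value
        elif key == "active":
            current.active = value.lower() == "yes"
        elif key == "icl db path":
            current.icl_path = value
    return certifiers


def certifier_number(certifiers: List[Certifier], name: str) -> int:
    """Resolve a hierarchical name to the number used by the CA tell commands."""
    for c in certifiers:
        if c.name == name:
            return c.number
    raise KeyError(f"certifier not running under the CA process: {name}")


def queue_commands(certifiers: List[Certifier]) -> List[str]:
    """Commands to list pending requests for every certifier in the listing."""
    return [f"tell ca show queue {c.number}" for c in certifiers]


def emergency_crl_commands(certifiers: List[Certifier]) -> List[str]:
    """Non-regular CRL for each active Internet certifier; Notes certifiers issue no CRL."""
    return [f"tell ca CRL issue {c.number}"
            for c in certifiers if c.kind == "Internet" and c.active]


def needs_activation(certifiers: List[Certifier]) -> List[str]:
    """Certifiers listed as not active; they process no requests until activated."""
    return [c.name for c in certifiers if not c.active]


if __name__ == "__main__":
    certs = parse_ca_status(SAMPLE_STATUS)
    for c in certs:
        print(c)
    print(queue_commands(certs), emergency_crl_commands(certs), needs_activation(certs))
```

Feed it the real output captured from the console (for example from the console log) rather than the embedded sample; numbers are assigned in listing order, so re-run it after every `tell ca refresh` instead of caching them.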
Domino server-based certification authority
You can set up a Domino certifier that uses a server task, the CA process, to manage and process certificate
requests. The CA process runs as an automated process on Domino servers that are used to issue
certificates. When you set up a Notes or Internet certifier, you link it to the CA process on the server in
order to take advantage of CA process activities. Only one instance of the CA process can run on a server;
however, the process can be linked to multiple certifiers.
You can set up Notes and Internet certifiers to use the CA process.
Consider using the CA process because it:
Provides a unified mechanism for issuing Notes and Internet certificates.
Supports the registration authority (RA) role, which you use to delegate the certificate
approval/denial process to lower-echelon administrators in the organization.
Does not require access to the certifier ID and ID password. After you enable certifiers for the CA
process, you can assign the registration authority role to administrators, who can then register
users and manage certificate requests without having to provide the certifier ID and password.
Simplifies the Internet certificate request process through a Web-based certificate request
database.
Issues certificate revocation lists, which contain information about revoked or expired Internet
certificates.
Creates and maintains the Issued Certificate List (ICL), a database that contains information about
all certificates issued by the certifier.
Is compliant with security industry standards for Internet certificates -- for example, X.509 and
PKIX.
To manage the CA process from the Domino console,
Certificate Authority process tell commands
This table describes additional Tell commands you can use with the Domino CA process.
Command | Result
tell ca quit | Stops the CA process.
tell ca stat | Displays summary information for the certifiers using the CA process; this includes the certifier's number, its hierarchical name, certifier type (Notes or Internet), whether it is active, and the name of the ICL database.
tell ca show queue <certifier number> | Displays a list of pending certificate requests, revocation requests, and configuration modification requests for a specific certifier, using its number from the results of the "tell ca status" command. You can also use * to show this information for all certifiers that are using the CA process.
tell ca activate <certifier number> <password> | Activates a certifier if the certifier was created with "Require password to activate certifier," or use this for any certifier that has been deactivated. Activation is enabled during CA setup and creation. Activate a specific certifier by entering its number from the results of the "tell ca status" command. Or you can unlock all server ID/password-protected certifiers at one time with this command, if you specify "*" for the certifier number. The CA process then prompts you for the password for each certifier.
tell ca deactivate <certifier number> | Deactivates a certifier. You will need to activate it again in order for it to process any request. Use * to deactivate everything, or deactivate a specific certifier by entering its number from the results of the "tell ca status" command.
tell ca lock <idfile> | Locks all certifiers that were set up with a lock ID, as specified during CA setup.
tell ca unlock <idfile> <password> | Unlocks all certifiers using the ID and password that comprise the lock ID. The lock ID is specified during CA setup.
tell ca CRL issue <certifier number> | Issues a non-regular CRL for a specific certifier, where certifier number is the number of the certifier specified in the results of the "tell ca status" command.
tell ca CRL push <certifier number> | Pushes a certifier's latest regularly scheduled CRL to the Domino Directory, where certifier number is the number of the certifier specified in the results of the "tell ca status" command.
tell ca CRL info <certifier number> [s/S/n/N] | Displays CRL information for a specified certifier, where certifier number is the number of the certifier specified by the "tell ca status" command. Use s or S for regularly scheduled CRLs, and n or N for non-regularly scheduled CRLs.
tell ca refresh | Forces the CA process to refresh its list of certifiers. As a result:
  - newly configured certifiers will be added to the CA process
  - previously unlocked certifiers will need to be unlocked again
  - previously activated certifiers may need to be activated again, if the activation password has changed
  - the Notes certifier ID file in idstorage will be updated with the latest certificate information
tell ca help | Lists the tell ca options.
Issued Certificate List (ICL)
Each certifier has an Issued Certificate List (ICL) that is created when the certifier is created or migrated to
the CA process. The ICL is a database that stores a copy of each unexpired certificate that it has issued,
certificate revocation lists, and CA configuration documents. Configuration documents are generated when
you create the certifier and are signed with the certifier's private key, so anyone holding its public key can
verify that they have not been altered. After you create these documents, you cannot edit them.
CA configuration documents include:
Certificate profiles, which contain information about certificates issued by the certifier.
CA configuration document, which contains information about the certifier itself.
RA/CA association documents, which contain information about the RAs who are authorized to
approve and deny certificate requests. There is one document for each RA.
ID file storage document, which contains information about the certifier ID.
Another CA configuration document, the Certifier document, is created in the Domino Directory when you
set up a certifier. This document can be modified.
Certificate Revocation List (CRL)
A CRL is a time-stamped list identifying revoked Internet certificates -- for example, certificates belonging
to terminated employees. The CA process issues and maintains CRLs for each Internet certifier. A CRL is
associated with a certifier, is signed by that certifier, and resides in the certifier's ICL database. A copy of
the CRL is also stored in the Domino Directory, where it is used to assert certificate validity by entities that
require certificate authentication.
You configure the CRL when you create a new Internet certifier. You can specify the length of time for
which a CRL is valid and the interval between publication of new CRLs. After CRLs are configured, the
certifier issues them on a regular basis and they operate unattended.
Using CRLs, you can manage the certificates issued in your organization. You can easily revoke a
certificate if the subject of the certificate leaves the organization or if the key has been compromised. HTTP
servers and Web browsers check the CRLs to determine whether a given certificate has been revoked, and
is therefore no longer trusted by the certifier. When you use Internet Site documents to configure Internet
protocols on the Domino server, you can also enable CRL checking for each protocol.
There are two kinds of CRLs: regular and non-regular. For regular CRLs, you configure a duration interval
-- the time period for which the CRL is valid -- and the interval at which new CRLs are issued. Each
certifier issues a CRL at the specified time, even if no certificates have been revoked since the last CRL
was issued. This means that if an administrator revokes a certificate, it appears in the next scheduled CRL
issued by the certifier. The CRL duration period should be greater than the time period between each CRL
issuance. This ensures that the CRL remains valid. Otherwise, the CRL could expire before a new one is
issued.
However, in the event of a critical security break -- for example, if the administrator needs to revoke a
particularly powerful certificate or the certifier certificate is compromised -- you can manually issue a non-
regular CRL, that is, an unscheduled CRL, to enforce the emergency revocation. This type of revocation
does not affect either the timing or the content of the next scheduled CRL. You use a Tell command to issue
a non-regular CRL.
Revoking a certificate
A CA administrator can easily revoke an Internet certificate if the subject of the certificate leaves the
organization, or if the key has been compromised. After a certificate is revoked, it can never again be
trusted.
If you revoke a certificate, especially if a key has been compromised, issue a non-regular CRL so that any
entity checking CRLs has the most updated revocation information.
To revoke a certificate
1. From the Domino Administrator, click Files. Open the ICL directory.
2. From the list of ICL databases, open the ICL for the certifier that issued the certificate you need to
revoke.
3. Open the Issued Certificates\By Subject Name view.
4. Open the Issued Certificate document for the certificate you want to revoke.
The document name is the same as the subject name.
5. At the top of the document, click "Revoke Certificate."
6. In the Revocation Reason dialog box, select the reason for revoking the certificate, and click OK.
7. Issue a non-regular CRL.
The next time the CA process refreshes, the Issued Certificate document will be updated to indicate that the
certificate has been revoked. When you open the Issued Certificate document again, the Revocation
Information section will indicate that the certificate has been revoked, the revocation date and time, the
reason for the certificate's revocation, and the date and time the certificate became invalid.
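To tie the CRL section and this revocation procedure together, the following Python model is an added example written for this page; it is not Domino code and not the product's data model. It models one Internet certifier with an in-memory stand-in for its ICL, a regular CRL schedule governed by the duration-versus-interval rule, a non-regular CRL that lists the revocation immediately without moving the schedule, and a relying-party check that fails closed on an expired CRL (the HTTP server or browser check the text describes). The certifier name is taken from the status listing earlier on the page; the schedule, serial number, subject and the "keyCompromise" reason (the RFC 5280 CRLReason name) are assumed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, Optional


@dataclass
class IssuedCert:
    """Stand-in for one Issued Certificate document in the ICL."""
    serial: int
    subject: str
    not_after: datetime
    revoked_at: Optional[datetime] = None   # filled in by "Revoke Certificate"
    reason: Optional[str] = None            # value chosen in the Revocation Reason dialog


@dataclass(frozen=True)
class CRL:
    issued_at: datetime
    valid_until: datetime        # issued_at + configured CRL duration
    scheduled: bool              # True: regular CRL; False: non-regular (tell ca CRL issue)
    revoked: FrozenSet[int]      # serials of revoked, not-yet-expired certificates


def crl_config_is_safe(interval, duration) -> bool:
    """The page's rule: a CRL must still be valid when its scheduled successor is published."""
    return duration > interval


class Certifier:
    def __init__(self, name: str, first_issue: datetime,
                 interval: timedelta, duration: timedelta):
        if not crl_config_is_safe(interval, duration):
            raise ValueError("CRL duration must exceed the CRL issue interval")
        self.name, self.interval, self.duration = name, interval, duration
        self.schedule_anchor = first_issue
        self.icl: Dict[int, IssuedCert] = {}   # stands in for the ICL database

    def issue(self, serial: int, subject: str, not_after: datetime) -> IssuedCert:
        cert = IssuedCert(serial, subject, not_after)
        self.icl[serial] = cert
        return cert

    def revoke(self, serial: int, reason: str, when: datetime) -> IssuedCert:
        """Record reason and time on the ICL entry; the CRLs are built from this."""
        cert = self.icl[serial]
        cert.revoked_at, cert.reason = when, reason
        return cert

    def next_scheduled_issue(self, after: datetime) -> datetime:
        """First regular CRL time strictly after `after`; non-regular CRLs never move it."""
        t = self.schedule_anchor
        while t <= after:
            t += self.interval
        return t

    def build_crl(self, when: datetime, scheduled: bool) -> CRL:
        """Issue a CRL at `when` listing every certificate revoked by then that has not expired."""
        revoked = frozenset(s for s, c in self.icl.items()
                            if c.revoked_at is not None
                            and c.revoked_at <= when
                            and c.not_after > when)
        return CRL(when, when + self.duration, scheduled, revoked)


def check_certificate(cert: IssuedCert, crl: CRL, now: datetime) -> str:
    """Relying-party decision, fail closed: a CRL past its validity asserts nothing."""
    if now > cert.not_after:
        return "expired"
    if now > crl.valid_until:
        return "crl-expired"
    if cert.serial in crl.revoked:
        return "revoked"
    return "good"


def demo() -> dict:
    """A key compromise discovered between two scheduled CRLs (assumed timeline)."""
    day = timedelta(days=1)
    t0 = datetime(2001, 10, 22, 14, 38)
    ca = Certifier("CN=East/O=Acme/ST=Massachusetts/C=US", t0,
                   interval=7 * day, duration=10 * day)            # assumed schedule
    cert = ca.issue(1001, "CN=Alice Brown/O=Acme", t0 + 365 * day)  # assumed serial/subject
    scheduled_crl = ca.build_crl(t0, scheduled=True)      # day 0: regular CRL
    ca.revoke(1001, "keyCompromise", t0 + 2 * day)        # day 2: compromise found
    # A relying party still holding the regular CRL cannot see the revocation.
    before = check_certificate(cert, scheduled_crl, t0 + 3 * day)
    emergency_crl = ca.build_crl(t0 + 2 * day, scheduled=False)   # tell ca CRL issue
    after = check_certificate(cert, emergency_crl, t0 + 3 * day)
    # The emergency CRL does not shift the schedule: the next regular CRL is still day 7.
    days_to_next_regular = (ca.next_scheduled_issue(t0 + 2 * day) - t0).days
    # A client that never refreshed its CRL fails closed once that CRL expires.
    stale = check_certificate(cert, scheduled_crl, t0 + 11 * day)
    return {"before": before, "after": after,
            "days_to_next_regular": days_to_next_regular, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

The walkthrough shows why step 7 of the procedure matters: until the non-regular CRL exists, every relying party that checks the regular CRL still accepts the compromised key, and the gap lasts until the next scheduled issue. The fail-closed branch is the behaviour to want from clients as well; a relying party that treats an expired CRL as "nothing revoked" turns a CRL distribution outage into a revocation bypass.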
