The CA Process In Notes/Domino 6

Last edited 7/28/2005

IBM 2005

Table of Contents

Overview - The Domino Server-based Certification Authority ... 3
Option One - Migrating a Domino certifier to the CA process ... 4
Loading the CA Process after Migration ... 7
How to use the CA Process to Register Users ... 9
Common Errors that Occur using the CA Process ... 11
Option Two - Creating an Internet Certifier with the CA process ... 13
Setting up the Certification Requests Database ... 17
Setting up the Key Ring and Merging the Internet Certificate ... 19
Manually Processing Requests ... 22
Configuring the HTTP Server for SSL ... 27
Installing the Client Certificate for SSL ... 32
Testing the Client Certificate ... 38
Option Three - Migrating an R5 Internet Certifier to the CA Process ... 40
Option Four - Using the CA Process with S/MIME ... 43
Administration of the CA Process ... 46
Overview - Administrator Roles ... 48
CA Commands ... 49
Adding Administrators to a Certificate ... 51
Disabling a Certifier ... 52
Enabling a Certifier ... 53
Revoking a Certificate ... 54
Removing a Certifier from the CA Process ... 57
Administration Tips ... 58
Encrypting the Certifier ID ... 59
Removing Passwords for Certifier Activation ... 62
Renaming the ICL Database ... 64
Confirming a CRL has run using the CA Process ... 65
Confirming Certificate Revocation ... 66
Creating a Local Copy of the Certifier ID ... 67
Recovering a Certifier ... 68
Self-service resources on the web ... 70

Overview - The Domino Server-based Certification Authority


Introduction
The CA process is a Domino server task that is used to manage and process certificate requests. The CA process runs as an automated process on Domino servers that are used to issue certificates. A Notes or Internet certifier is linked to the CA process on the server in order to take advantage of CA process activities. Only one instance of the CA process can run on a server; however, the process can be linked to multiple certifiers.

Benefits of Domino CA process

Consider using the Domino CA process because it:
- Does not require access to the Domino certifier ID and ID password. After enabling certifiers for the CA process, Administrators can assign the registration authority role to administrators, who can then register users and manage certificate requests without having to provide the certifier ID and password.
- Supports the registration authority (RA) role, which Administrators use to delegate the certificate approval/denial process to lower-echelon administrators in the organization.
- Provides a unified mechanism for issuing Notes and Internet certificates.
- Simplifies the Internet certificate request process through a Web-based certificate request database.
- Issues certificate revocation lists, which contain information about revoked or expired Internet certificates.
- Creates and maintains the Issued Certificate List (ICL), a database that contains information about all certificates issued by the certifier.
- Is compliant with security industry standards for Internet certificates -- for example, X.509 and PKIX.

CA process steps

There are four basic options when configuring the CA process:
- Option One: Migrating a Notes/Domino Certifier to the CA process
- Option Two: Creating an Internet Certifier with the CA process
- Option Three: Migrating an R5 Internet Certifier to the CA process
- Option Four: Using the CA process with S/MIME

Option One - Migrating a Domino certifier to the CA process


Introduction
The first option when configuring the Domino server-based CA is to migrate the Domino certifier to the CA process.

Before you begin

Before performing the following steps to migrate a Domino certifier, Administrators must:
- Have at least one OU. In this document the sample OU is called West/DominoSix.
- Check the Location document in the Domino Administration client to make sure that the Home/Mail Server field is set to the server that is being configured for the CA process.
- Check the Advanced tab of the ACL for the Domino Directory (names.nsf) and for the Administration Requests database (admin4.nsf) to make sure the server is listed as the Administration Server for both databases.

Note: If the Administration Server is incorrect for either database, this error will occur on the server console:
Admin Process: Received the following error performing a Modify CA configuration in Domino Directory request on <servername>. A person document for either the requests signer or the Names(s) acted upon was not found in any local trusted directories for which this server is the Administration Server.

Migrate the certifier

To migrate the certifier:

1. In the Domino Administration client, select the Configuration tab.
2. Expand the Tools pane and select Certification > Migrate Certifier.
3. In the Migrate Certifier dialog, click the Select button and choose the certifier ID file for the OU to be migrated.
4. Click OK. The ID path and filename should appear in the Migrate Certifier dialog:

5. Click OK and enter the certifier's password when prompted.
6. In the Migrate OU dialog, select the Basics tab and enter the following information:
   - Select the server where this certifier will run on: Verify that this is the name of the server being used for configuring the CA process.
   - Name of the ICL database to be created: (Optional) The name of the ICL database that will be created can be changed to reflect the name of the certifier. There is no significance to the default name of the ICL database.
   - Encrypt certifier ID with: Change this from Locking ID to Server ID.
7. In the Administrator(s) section of the Migrate OU dialog, click Add and add the server's name to the Administrators list:

8. After adding the server to the list of administrators, check the box for RA. This option will be used in later steps.
9. Click OK. Click OK on the Success dialog.

Loading the CA Process after Migration


Introduction
After migrating the certifier to the CA process, load the CA process and use AdminP to process the migration request. To accomplish this, enter the following commands at the server console:
load ca
tell adminp process all
tell ca refresh
tell ca status

Load ca

This command starts the CA process on the server. Administrators can also add ca to the ServerTasks= line of the notes.ini for the Domino server to load it automatically when the server is started. Note: When loading the CA Process, if an error message like the following appears on the console: CA Process ( servername/org ): No certifier configuration found for this server, the CA process cannot locate any certifiers for the CA process on this server.

Tell adminp process all

The Administration Process is crucial to the CA process task. After typing tell adminp process all, open the Administration Requests database (admin4.nsf). Select the All Requests by Server view and notice a document has been created to modify the CA configuration:

The response document (with the green checkmark) indicates that the request has been successfully processed by adminp.

Tell ca refresh

This command applies the changes without restarting the CA task.

Tell ca status

After entering the tell ca status command, the migrated certifier will be listed as a part of the CA process. [We will discuss the information given by the tell ca status later in this document.]

Results of certifier migration
Before adminp processes the CA migration request, the Certifier document will look like this:

After the migration request is processed, a CA Configuration tab is added to the document:

How to use the CA Process to Register Users


Introduction
Once Administrators have migrated the certifier and processed the migration request, the Notes Administration client or the Web Administration client can be used to register users with the CA process.

Using the Notes Admin client

To register users in the Notes Administration client:

1. Expand the Tools pane on the Configuration tab of the Administration client.
2. Expand Registration and select Person. If prompted for a password, click Cancel.
3. Choose Use the CA Process and then select the certifier in the CA configured certifiers drop-down list. Click OK:

Note: Anyone with RA status for that certifier can then register a person without having access to a certifier ID.

Using the Web Admin client

To register a user using the Web Administration client:

1. Launch a browser and enter the URL for the Web admin client: http://YourFullyQualifiedInternetServername/webadmin.nsf.
2. Select the Configuration tab.

3. Expand the Tools pane.
4. Expand Register and select Person.
5. Choose the certifier and click OK. The Choose Certifier and Policy dialog allows Administrators to choose a CA certifier and an explicit policy:

Note: Notes users registered with the CA process are not documented in the CERTLOG.NSF database. The $UpdatedBy field in the Person document may contain their name, but the number of entries in that field is limited.

Common Errors that Occur using the CA Process


Introduction
When using the CA process to register users, Administrators may encounter one of several common error messages.

RA errors

Using the Domino Web Administrator requires that both the Web Administrator and the server be listed as RAs. Recall that we listed the server as an RA earlier in this module. If the server is not listed, this error message will appear:
Unable to perform registrations: You are a Registration Authority of the CA configured certifier /West/DominoSix, but the current server is not. In order to perform registrations, this server also needs to be trusted as an authorized Registration Authority.

If the Web Administrator is not listed, this error message appears:
Unable to perform registrations: You are not an authorized Registration Authority (RA) and cannot perform any registrations.

User errors

When registering a new person using the CA process, the certificate for the person will be attached to that user's Person document in the Domino Directory. When the user attempts to log in, the new certificate is downloaded to the user's ID file, completing the user registration. The user will be unable to log in successfully before the certificate has been issued, and any attempt to do so will result in this error message:
Server Error: Your certificate has not yet been signed by the Certificate Authority. Please try again later.

Or if the user is trying to complete workstation setup, the error will be:
The encrypted data has been modified or the wrong key was used to decrypt it.

In both cases, administrators need to keep in mind that the CA process has to run, the Administration process (the Recertify user in the Domino Directory request) has to run, and replication must take place to the proper Domino Directories.

Misc errors
There is a situation where all of the required processes appear to complete, but users still receive these error messages trying to connect:
Server Error: Your certificate was found to be invalid. Check your local log for details.

-or-

Server Error: Your certificate has not yet been signed by the Certificate Authority. Please try again later.

This situation can arise when many users are registered and the administration process completes before the Person document is updated. See Technote 1174391 for details.

Option Two - Creating an Internet Certifier with the CA process

Introduction
The second option when configuring the CA process is to create an Internet certifier. After creating the Internet certifier, the server must be configured to use the certifier. This process involves the following:
- Creating the certificate requests database
- Creating the server key ring file and merging the Internet certificate
- Configuring the HTTP server for SSL access
- Installing the client certificate for SSL

Overview - Internet certifiers

A certificate authority (CA) is the link that allows a server and client to use SSL to communicate and to use S/MIME to exchange mail. Like a mutual friend, a CA vouches for the identity of a server and client by issuing Internet certificates that are stamped with the CA's digital signature. The digital signature assures the client and server that both the client certificate and the server certificate can be trusted. If the client and server authenticate (that is, identify the digital signature on the certificate), they can establish a secure SSL session or exchange a secure S/MIME message. If the client and server cannot authenticate each other, they cannot establish a secure session or exchange a secure message. The server certificate must contain the CA certificate as a trusted root. The trusted root allows servers and clients that have a common CA certificate to communicate. Before merging a server certificate signed by a CA, merge the CA certificate into the key ring file as a trusted root.

Before you begin

Before creating an Internet certifier with the CA process, check the following:
- The server should be listed as the Administration server in the Advanced tab of the ACL in the Domino Directory and the Administration Requests database (admin4.nsf).
- On the Basics tab of the server document, make sure that the field Fully qualified Internet host name is correct, for example, server1.acme.com.

Creating an Internet Certifier

To create an Internet certifier with the CA process:

1. From the Administration client, select the Configuration tab.
2. Expand the Tools pane, expand Registration and select Internet Certifier.

3. In the Register Internet Certifier dialog, choose "I want to register a new Internet certifier that uses the CA process":
4. Click OK.
5. In the Register New Internet Certifier dialog, click Create Certifier Name:

6. In the next dialog box, enter a value in the Common Name field, for example, North, and click OK:
   The rest of the fields are not required. If they are filled out, they make the name of the certifier more complex.
   Note: A more complex name might be used for specifying different locations for one company. For example, all the certifiers might have the same Common Name, but the Organization Unit, City or Locality, State or Province, or Country might be different.
7. The Creating certifier dialog should reappear with the name of the certifier in the title bar, such as: Creating certifier (CN=North). Change the Encrypt certifier ID with field to Server ID.
8. Make sure that your administrator is listed as an RA and CA:

9. Click OK and a dialog indicating successful creation of the certifier should appear. Click OK:
10. Open the Administration Requests database (admin4.nsf) and expand the All requests by server view. There should be a newly created document for the certifier under Modify CA Configuration in Domino Directory. When opened, the document should look like the following:
11. Close admin4.nsf and enter the following commands at the server console:
    tell adminp process all
    tell ca refresh
    tell ca status

Results of creating an Internet certifier

There should now be two certifiers listed as part of the CA process. The status command gives us the information we need to identify the certifiers within the CA process. Each certifier has a number which is used for many of the tell commands. For more information, see the section in this document called Certificate Authority Process Tell Commands. For example:

The first certifier is the West certifier. It is a Notes certifier that has been migrated to the CA process. The third line indicates that the certifier is active. The fourth line gives the path and database name for the ICL database related to this particular certifier. Also listed is the certifier just created, North, which is of certifier type Internet.

Setting up the Certification Requests Database


Introduction
A Certification Request database is needed in order to use the Internet certificate just created.

Creating the request database

To create the certification request database:

1. From the Administration client choose File > Database > New.
2. Enter the following in the Specify New Database Name and Location section of the New Database dialog:
   - Server: Choose the server.
   - Title: Enter a database title, for example, Certificate Requests for North.
   - File name: Enter a database file name, for example, certreqNORTH.nsf. Keep in mind that each certifier must have its own database, so the file name should be easily identifiable.
3. Enter the following in the Specify Template for New Database section of the New Database dialog:
   - Server: Choose the server.
   - Template: Select the Show advanced templates option and select Certificate Requests (6).
4. Click OK.
5. Close the About this database document.
6. Enter the following information in the Database Configuration document:
   - Server: Your hierarchical server name
   - Certifier: CN=North
   - Supported Certificate types: Both client and server certificates
   - Extended key usages: Server and client authentication
   - Requesting Process: Manual (so that we can step through the RA approval function)

   - Mail confirmation: No
7. Save and close the document.

Note: Client certificates issued through this database are valid for only one year by default. Administrators may wish to extend this time period.

Setting up the Key Ring and Merging the Internet Certificate


Introduction
After creating the certificate request database, the next step is to set up the server key ring file.

Create a key ring

To create a key ring file:

1. Open the Domino administration client, select the Files tab and locate the Certification Requests database, for example, certreqNorth.nsf. Open the database.
2. Expand the view Domino Key Ring Management and select Create Key Ring.
3. Enter the following properties in the Create Key Ring document:
   - Key Ring File Name: Keyfile.kyr
   - Key Ring Password: password
   - Key Size: 1024
   - Common Name: Strider.austin.ibm.com
   - Organization: DominoSix
   Note: The remaining fields on the form are optional.
4. Click Create Key Ring.

5. A success dialog should appear once the key ring is created. Click OK.
   Note: By default, the key file is created in the data directory of the client, not the server. Those files will be moved to the server later in this document.
6. After clicking OK, there will be a prompt to merge the Internet certificate into the key ring. Confirm that the information is correct and click OK:

7. The next prompt indicates that the certificate was merged into the key ring. Click OK.
8. Click OK at the dialog containing the message: Certificate Request Successfully Submitted for Key Ring.

Manually Processing Requests


Introduction
When creating the Certificate Requests database the manual option was selected in the Request Processing field in the database configuration document. After merging the certificate, the request must be manually processed.

Processing Requests

To manually process the certificate request:

1. Open the Certification Request (certreqNorth.nsf) database.
2. Expand the Submitted/Waiting for Approval view. A pending Server Request should appear. Press F9 if it is not visible:
3. Select the document and click Submit Selected Requests.
4. Click OK at the dialog: Successfully submitted 1 request(s) to the Administration Process.
5. Examine the Server Request. It should have a status of submitted:
6. Open the Administration Requests database (admin4.nsf).
7. Make sure the CA process is loaded on the server.
8. Expand the Certification Authority Requests view and select Certificate Requests:
9. Edit the document and click Approve Request:
   Note: This step has to be performed by someone who has been granted RA access to this Internet Certifier.

10. The status of the document in admin4.nsf should change from New to Approved.
11. The server console should indicate that a request was processed and the document in admin4.nsf should change from Approved to Issued:
12. Open the Certificate Request (certreqNorth.nsf) database and select the Submitted/Waiting for Approval view.
13. Select the document and click Pull Selected Requests.
14. A cross certification request will appear. If the defaults are accepted, an Internet Cross Certificate will be created in your local address book. Click Cross Certify:
    Note: The reason for the cross certify request is that the document signature is not the Organization (DominoSix), but rather the Internet Certifier, North. Notes always checks document signatures, so unless the Internet Cross Certificate is in your local address book, the prompt for the cross certificate will occur each time an attempt is made to use the North certifier. The first time this is accessed, Administrators may want to choose the appropriate Domino certifier for your server. The Internet Cross Certificate will then be dropped into the Domino Directory and any administrator who might need the cross certificate can download it by using Actions > Retrieve Certificates from Home Server in the Notes client.

Last edited 7/28/2005

IBM 2005

23

Manually Processing Requests, Continued


Processing Requests (continued)
15. Once the cross certification process has been completed, the request will be pulled from the Administration database:
16. To see the certificate in your address book, open the local address book, expand the Advanced view and select the Certificates view:
17. Open the Issued/Rejected view of the Certification Requests database. Locate the Server request document:
18. Open the document and copy the Request ID to the clipboard:
19. In the same database, choose Domino Key Ring Management > Pickup Key Ring Certificate.

Last edited 7/28/2005

IBM 2005

24

Manually Processing Requests, Continued


Processing Requests (continued)
20. Enter the key ring file name and password, paste the pickup ID, and click Pickup Certificate:
21. Verify the information in the Merge Signed Certificate Confirmation dialog and click OK:
22. Once the certificate is merged, a success dialog appears.

23. Transfer the keyfile.kyr and keyfile.sth files from the data directory of the client to the data directory of the server.

Configuring the HTTP Server for SSL


Introduction
After processing the certificate request, the next step is to enable SSL on the server.

Enabling SSL

To enable SSL on the server:
1. In the Administration Client, select the Configuration tab.
2. Expand Server and select Current Server Document.
3. Edit the document and select Ports > Internet Ports. By default, the file name keyfile.kyr should already be filled out. Enter values on the Web tab as in the example below:
4. Switch to the server console and enter the command: tell http restart.

Verifying SSL

To verify the SSL configuration:
1. Create a database on the server with the file name web.nsf. Use the discussion or document library templates.
2. When the database opens, check the ACL and make sure that Anonymous is set to No Access. Give at least Author access to a user for this test.

3. Close the database and try to open it with a browser using https, with a URL like the following: https://FullyQualifiedInternetHostName/web.nsf. Note: The steps in this section assume you are using Microsoft Internet Explorer.
4. A prompt to accept the Internet certificate will appear:
5. Click View Certificate to see that it is from North:

6. Click Install Certificate.
   Note: Keep in mind that this certificate will only be in this browser on this particular machine. The certificate will have to be imported into each browser on every machine that is used. If this option is unacceptable, or if importing Internet certificates into the Notes client is an option, see the Domino on-line Help topic: Exporting and importing Internet certificates.
7. At the Welcome to the Certificate Import Wizard dialog, click Next.
8. Choose Automatically select the certificate store based on the type of certificate:
9. At the Completing the Certificate Import Wizard dialog, click Finish.
10. Click OK on the message: The import was successful.
11. Click Yes on the Security Alert:

12. Click Yes to be prompted for the name and password of the user:
13. Enter the name and password and click OK.
14. When using certain templates (for example, the discussion or document library templates) a Security Information dialog will appear:
15. To see the padlock in the browser to prove that SSL is working, click No. Otherwise, click Yes, which means that some of the information on the page will not be encrypted.
16. The view for the database should appear and, depending on which JVM is being used, users may receive this dialog (for the Microsoft JVM, there would be no prompt):

19. Click More Details to see detailed information about this request:
20. Click Close to accept the certificate into the JVM and then click Always on the previous dialog box, which will reappear.
21. It is possible to receive more requests to trust certifiers depending on the JRE that is being used. Once the users have accepted those requests, the SSL connection will be made.

Note: When only Server Authentication is enabled on the Domino server, the server's identity is authenticated by a client, but the client's identity is not authenticated by the server. For the Internet client to authenticate the server's identity, the client checks the public key in the Domino server's Internet certificate and verifies that the Domino server's CA is marked as a trusted root in the browser. When server authentication AND client authentication are both enabled on the Domino server, the server's identity is authenticated by a client and the client's identity is authenticated by the Domino server. For the server to authenticate the client's identity, it checks the Person document in the Domino Directory that contains the SSL public key from the client certificate. The same Person document also lists the names that a Domino server can use to authenticate the Internet client.
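
The trust relationships described in this note and in the Internet certifier overview earlier (a CA certificate held as a trusted root, a server certificate for the fully qualified Internet host name, a client certificate issued with the server and client authentication usages), modelled as an added example that is not part of the IBM guide. The host name, the client name and the second certifier "South" are assumptions chosen for the example; only the North certifier and the key usages come from the guide.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Assumed fully qualified Internet host name of the Domino server (the value checked in "Before you begin").
const serverHost = "server1.acme.com"

// certifier is a self-signed CA: the trusted root a browser and the Domino server must hold in common.
type certifier struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// sign completes the template, signs it with signer and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// newCertifier creates a self-signed CA certificate with the given common name.
func newCertifier(cn string) *certifier {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return &certifier{cert: sign(tmpl, tmpl, &key.PublicKey, key), key: key}
}

// issue signs a one-year certificate (the guide's default client lifetime) limited to the given extended key usages.
func (c *certifier) issue(subject pkix.Name, dnsNames []string, eku ...x509.ExtKeyUsage) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:      subject,
		DNSNames:     dnsNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		ExtKeyUsage:  eku,
	}
	return sign(tmpl, c.cert, &key.PublicKey, c.key)
}

// verify chains cert to the trusted root, checking the host name (when given) and the required extended key usage.
func verify(cert, root *x509.Certificate, host string, usage x509.ExtKeyUsage) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{usage},
	})
	return err
}

// Scenarios runs the server- and client-authentication checks the guide describes; nil means accepted.
func Scenarios() map[string]error {
	north := newCertifier("North") // the Internet certifier created in Option Two
	south := newCertifier("South") // an unrelated certifier the browser does not trust
	server := north.issue(pkix.Name{CommonName: serverHost}, []string{serverHost}, x509.ExtKeyUsageServerAuth)
	client := north.issue(pkix.Name{CommonName: "Jane Doe", Organization: []string{"Acme"}}, nil,
		x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth)
	return map[string]error{
		// Browser holds North as a trusted root: the server's identity is verified.
		"server auth, North trusted": verify(server, north.cert, serverHost, x509.ExtKeyUsageServerAuth),
		// Browser lacks North: no chain to a trusted root, hence the "accept certificate?" prompt.
		"server auth, North not trusted": verify(server, south.cert, serverHost, x509.ExtKeyUsageServerAuth),
		// The certificate name must match the fully qualified Internet host name in the URL.
		"server auth, wrong host name": verify(server, north.cert, "other.acme.com", x509.ExtKeyUsageServerAuth),
		// Domino with client authentication enabled verifies a client certificate issued by North.
		"client auth, North trusted": verify(client, north.cert, "", x509.ExtKeyUsageClientAuth),
		// A server-only certificate offered by a client is rejected on extended key usage.
		"client auth, server cert offered": verify(server, north.cert, "", x509.ExtKeyUsageClientAuth),
	}
}
```

Each map entry is one relying-party decision: the two "North trusted" cases succeed, while the missing root, the wrong host name and the wrong extended key usage each fail for a different reason.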

Installing the Client Certificate for SSL


Introduction
After configuring the HTTP server for SSL, the next step is to install the client certificate for SSL.

Installing Certificates

To install the client certificate for SSL:

1. Access the Certificate Requests database from a browser using the URL: http://FullyQualifiedInternetHostName/certreqNORTH.nsf.
2. Click Request Client Certificate.
3. Fill out the following fields:
   - Your Full Name
   - At least one other name component, for example, Organization
   - In the return e-mail field, use a fake address for this example.
4. Click Submit Certificate Request and this dialog box should appear:
5. Click Yes to receive a confirmation dialog:
6. Leave the browser open and return to the Notes Administration Client.
7. Switch to the Files tab and open certreqNORTH.nsf.


Step 8: Select the Pending/Submitted Requests view.

Step 9: Select the new request and click Submit Selected Requests:

Step 10: A confirmation dialog will appear:

Step 11: Click OK. The new client request should change from Pending Submission to Administration Process to Submitted to Administration Process in the twisty title:

Step 12: Note: This step would be skipped had Automatic been selected in the configuration of the Certificate Request database. If the Certificate Request database were configured to submit requests automatically, Adminp would drop the request into admin4.nsf automatically (every five minutes), where the following steps are then taken:

  Step 1: Open admin4.nsf and expand the Certification Authority Requests view. Select Certificate Requests:
  Step 2: Open the new request and click Edit Request.
  Step 3: Click Approve Request.
  Step 4: In admin4.nsf, the document status should change to Approved:

Step 13: The server console should indicate that the certificate has been processed:


Step 14: Switch to the Certificate Requests database, select the document and click Pull Selected Requests:

Step 15: Note: This step would be skipped if Automatic had been selected in the configuration of the Certification Request database; automatic processing moves the approved request back to the Certificate Request database every five minutes. A confirmation that the request was successfully pulled will appear:

Click OK.

Note: If this error message occurs,

it is very likely that the CA process is not loaded on the server. Once the CA process is loaded, the certificate should process:

Step 16: Check the user's Person document in the Domino Directory. The Administration Process adds information about the new Internet certificate:


Step 17: Once the certificate has been pulled, switch to the Issued/Rejected Certificates view to find the new certificate:

Step 18: Double-click the certificate and copy the Request ID to the clipboard in order to pick up the certificate in the browser:

Step 19: Return to the browser and click Pick up Client Certificate. Paste the Request ID from the Certificate Pickup document in the Certificate Requests database:

Step 20: Click Pick Up Client Certificate.

Step 21: Click Install Certificate:


Step 22: Click Yes at the following dialog:

Step 23: Click OK on the Certificate installed successfully dialog.

Viewing the Certificate

To view the certificate in a browser:

Step 1: View the Internet certificate in IE by selecting Tools > Internet Options. Select the Content tab and click Certificates:

Step 2: To view detailed information, double-click the individual certificates:


Automatic requests

The preceding process was done manually to get a feel for how the process works. In most situations, the administrator will have the process set up to run automatically. When the process runs automatically, the user receives an e-mail after the certificate is approved by adminp and pulled over to the Certificate Requests database. The e-mail looks like this:

To: bob_admin@server1.acme.com
From: Bob Admin/DominoSix
Subject: Your certificate request has been approved

This mail indicates that your web request for a certificate has been approved. To continue with the installation of your certificate, click the following link, or paste it into your browser address bar if it is not clickable:

http://FullyQualifiedInternetHostName.com/certreqNORTH.nsf/R5+Client+Pickup?OpenForm&REQUESTID=161AABFEFAD16E1C86256FAF006B2D61

Alternate method: Use your certificate pickup ID: 161AABFEFAD16E1C86256FAF006B2D61 to pick up your certficate at the "Pick Up Certificate" page:

http://FullyQualifiedInternetHostName.com/certreqNORTH.nsf/R5+Client+Redirect?OpenForm

In this case, when the user copies the top URL in the e-mail to a browser, they get to this screen:

This process eliminates steps for the end user and makes the process less confusing.

Note: If Automatic processing is chosen for the Certificate Requests database, make sure the signer of the agents is listed under unrestricted methods and operations in the Security tab of the Server document.


Testing the Client Certificate

Introduction

After installing the client certificate for SSL, administrators should test the configuration.

Testing the certificate

To test the client certificate configuration:

Step 1: In the Server document, select Ports > Internet Ports.

Step 2: Choose Yes for Client certificate. This forces the server to request client certificates:

Step 3: Restart the HTTP server by entering the command: tell http restart.

Step 4: Use the browser to open the database created earlier: https://FullyQualifiedInternetHostName/web.nsf.

Step 5: This dialog should appear:

Step 6: Click OK. If the client certificate has not been successfully imported, there will be no certificate to select in the dialog. Click View Certificate to see the North Internet certificate:


Step 7: Click OK, and when the previous screen appears click OK again.

Step 8: After these steps, connection to the web page should be allowed.


Option Three - Migrating an R5 Internet Certifier to the CA Process

Introduction

The third option when configuring the CA process is to migrate an R5 Internet certifier to the CA process (the same procedure applies in Domino 6).

Migrating an R5 Certifier

To migrate an R5 Internet certifier to the CA process:

Step 1: From the Administration client, select the Configuration tab.

Step 2: From the Tools menu, click Migrate certifier.

Step 3: Click the Select button and choose the CAKey.kyr file for the certifier to be migrated. Choose Select:

Type the password for the certifier and click OK:


Step 4: Choose Server ID for Encrypt certifier ID with:

Step 5: Click OK.

Step 6: Click OK on the "Success: A newly created, migrated or recovered certifier will be available" dialog.

Step 7: This process creates two requests in the Administration Requests database. Open admin4.nsf and select the Requests > All requests by server view.

Step 8: Look for the Modify CA Configuration in Domino Directory document:

Step 9: There should also be a Store Certificate Revocation List in Domino or LDAP Directory document:


Step 10: As the requests are processed, check the server console for the following error:

Admin Process: Received the following error performing a store Certificate Revocation List in Domino or LDAP Directory request on CN=DominoSecure/O=Domino/ST=Texas/C=US to be created. Will try to process this request again at 04/06/2005 10:05:58 AM.

When creating an Internet certifier, two adminp requests are created: one to create the certifier record and one to store the CRL. The error indicates that the request that stores the CRL tried to execute before the certifier document was created, so the request will be retried later. The process completes automatically; to help it along, type tell adminp process all and tell ca refresh at the server console.

Step 11: From the server console, issue the command: tell ca status. The results show that the Internet certifier has been migrated:

Step 12: To view the certifier document that was created, switch to the Certificates view on the Configuration tab of the Administration client:


Option Four - Using the CA Process with S/MIME

Introduction

The fourth option for using the CA process is to configure it for use with S/MIME.

S/MIME Defined

S/MIME stands for Secure Multipurpose Internet Mail Extensions. S/MIME is a secure e-mail standard based on the MIME e-mail standard. S/MIME does not play a key role in standard Notes e-mail, because Notes uses its own features to protect Notes mail. However, not everyone is in a Notes environment. Domino administrators use the CA process to automatically issue X.509 certificates to Notes users, allowing them to use S/MIME without having to acquire digital IDs on their own. To do this, the Domino administrator selects Person records from the Domino Directory and chooses Actions > Add Internet Cert to Selected People. The Administration Process then issues an Internet certificate for each user based on the public key stored in the Person record. When the user next authenticates with their home server, the certificate is automatically added to the user's ID file. A Notes user ID file can store both Notes and Internet certificates. Notes certificates are always present, but Internet certificates must be issued by Domino administrators. There is an automatic process in the Domino Directory to issue Internet certificates.

Adding certificates

To store Internet certificates in Person documents:

Step 1: From the Domino Administrator, select the People & Groups tab. Expand the People view.

Step 2: Select the names of the users who need Internet certificates. Note: All Notes users must have valid Internet addresses specified in their Person documents.

Step 3: Choose Actions > Add Internet Cert to Selected People.

Step 4: Select the correct registration server, which appears at the top of the dialog next to the Server button.

Step 5: Choose the option to use the CA process.

Step 6: Choose the Supply the certifier key ring file and password option to use the flat CA's key ring file.

Step 7: In the Add Internet Certificates to Selected Entries dialog, confirm that the expiration date is valid. Change the date if necessary.


Step 8: Click Certify:

Step 9: Click OK at the status dialog:

Step 10: Open the Administration Requests database. In the Administration Requests database the request appears in two different places.

Step 11: Select Certification Authority Requests > Certificate Requests to see the issued certificate:

Step 12: Select Requests > All Requests by Server to see the request to store the certificate in the Domino Directory:


Step 13: Open a Person document for one of the people selected previously. The certificate is also added to the Person document:

Note: The next time the user accesses their mail file or opens any database on the server, Notes recognizes that there is a certificate in the Person document that is not in the user's ID file. That certificate is then automatically placed in the user's ID file.

Viewing certificates

To see the Internet certificate in the Notes ID file:

Step 1: From the Notes client, select File > Security > User Security > Identity > Your Certificates. Select Your Internet Certificates from the drop-down list:

Step 2: Click Close.


Administration of the CA Process

Introduction

The following section of this document covers CA components, administration tasks and relevant commands.

ICL database

The core of a CA certifier is the Issued Certificate List (ICL) database, created when the certifier is created or migrated to the CA process. Each certifier has its own ICL database. The ICL stores a copy of each unexpired certificate it has issued, certificate revocation lists (CRLs), and CA configuration documents. Configuration documents are generated when the certifier is created and are signed with the certifier's public key. Once created, they cannot be edited. CA configuration documents include:

- Certificate profiles containing information about certificates issued by the certifier.
- A CA configuration document containing information about the certifier.
- RA/CA association documents containing information about the RAs who are authorized to approve or deny certificate requests (there is one document for each RA).
- An ID file storage document containing information about the certifier ID.
- The Certifier document, which is created in the Domino Directory when the certifier is set up. This document can be modified.

CRL database

One of the big advantages of using the CA process for SSL is the CRL. A CRL is a time-stamped list identifying revoked Internet certificates (only Internet certificates), for example certificates belonging to terminated employees. The CA process issues and maintains CRLs for each Internet certifier. A CRL is associated with a certifier, is signed by that certifier, and resides in the certifier's ICL database. To find the list of revoked certificates, hold down the CTRL and SHIFT keys while opening the appropriate ICL database. The $RevokedCerts view contains a list of revoked certificates.

A copy of the CRL is also stored in the Domino Directory, where it is used to assert certificate validity by entities that require certificate authentication. Users wishing to check a CRL access it in the Domino Directory by opening the CA's certifier document. CRLs can be used to manage the certificates issued in your organization. Certificates can easily be revoked if the subject of the certificate leaves the organization or if the key has been compromised. HTTP servers and Web browsers check CRLs to determine whether a given certificate has been revoked and is therefore no longer trusted by the certifier. Internet Site documents can be used to configure Internet protocols on the Domino server, and can also be used to enable CRL checking for each protocol.


Configuring CRLs

The CRL is configured when a new Internet certifier is created. Administrators specify the length of time for which a CRL is valid and the interval between publication of new CRLs. After CRLs are configured, the certifier issues them on a regular basis and they operate unattended.

CRL types

There are two kinds of CRLs: regular and non-regular. For regular CRLs, administrators configure a duration interval (the time period for which the CRL is valid) and the interval at which new CRLs are issued. Each certifier issues a CRL at the specified time, even if no certificates have been revoked since the last CRL was issued. This means that if an administrator revokes a certificate, it appears in the next scheduled CRL issued by the certifier. The CRL duration period should be greater than the time period between each CRL issuance; this ensures that the CRL remains valid. Otherwise, the CRL could expire before a new one is issued. However, in the event of a critical security break (for example, if the administrator needs to revoke a particularly powerful certificate, or the certifier certificate is compromised) the administrator can manually issue a non-regular CRL, that is, an unscheduled CRL, to enforce the emergency revocation. This type of revocation does not affect either the timing or the content of the next scheduled CRL. Use a Tell command to issue a non-regular CRL.

Purpose of a CA database

The original intent is for all applications to refer to this attachment (the CA configuration database attached to the certifier document) for CA configuration information, in order to support the lockbox model of the certifier. Under the lockbox model, administrators can put the ICL database and the CA process on a dedicated machine in a secure location. This machine is not connected to the network, for maximum security. The attachment database in the certifier record does not contain the ID storage document; this database is a subset of what the ICL contains. It only contains the active set of CA configuration settings (the RA-CAA association and the certificate profile documents). Changes occur on the ICL database first, and then a request is dropped into admin4.nsf by the CA process. This request is processed and the certifier document is updated.


Overview - Administrator Roles

Introduction

There are two types of administrators connected to the CA process:
- CAA - Certificate Authority Administrator
- RA - Registration Authority

CA admins

The CAA and RA roles are discussed below.

CAA - Certificate Authority Administrator

The Domino certificate authority administrator (CAA) is responsible for these tasks:
- Create and configure certifiers.
- Modify certifiers. For example, only a CA administrator can edit ID recovery information for a Notes certifier.
- Add or remove CA and RA administrators, or change the CA and RA roles assigned to users.

The CAA must have at least Editor access to the master Domino Directory for the domain. As a best practice, designate at least two CAAs for each certifier, since the CAA is the "super power" administrator that manages the CA process; with two there is a backup if one leaves the organization. By default, the administrator who creates a certifier is automatically designated as both a CAA and an RA for that certifier.

Note: In much of the client user interface (such as the Modify Certifier tool) the CAA is listed as the CA.

RA - Registration Authority

All certificate requests, Notes and Internet, must be signed by an authorized administrator, or RA, before the CA process will sign certificates. Remember that the RA does not need access to the certifier ID file; only the CA process needs access to it. Since there can be many RAs, more administrators can be granted rights without compromising the security of the certifier ID file. The Domino Registration Authority (RA) administrator is responsible for these tasks:
- Register users, servers, and additional Notes certifiers.
- Approve or deny Internet certificate requests.
- Revoke certificates if they can no longer be trusted, such as if the subject of the certificate leaves the organization, or if the key has been compromised.

Note: RAs must have at least Author access to the master Domino Directory for the domain, with both the "Create document" privilege and the "User Creator" role enabled. The RA has the access to handle day-to-day operations: registration of users and approving or denying certificate requests.
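The role split above is a least-privilege design: an RA approves and revokes without ever holding the certifier ID, and a CAA needs more directory access than an RA. The following is an added example (not code from this IBM document or from Domino) that models the requirements stated in this section so an administrator can audit, before granting rights, who can perform which CA task. The access levels, the "Create document" privilege, the "User Creator" role and the task lists come from the text above; the class and function names, and the sample administrators, are this example's own assumptions.

```python
"""Least-privilege audit for the CAA and RA roles of the Domino CA process.

Added example, not part of the original document or of Domino. It encodes
the requirements the page states: a CAA needs at least Editor access to the
master Domino Directory; an RA needs at least Author access plus the
"Create document" privilege and the "User Creator" role; the creator of a
certifier is automatically both CAA and RA; and each certifier should have
at least two CAAs. Data structures and function names are assumptions.
"""
from dataclasses import dataclass, field

# Domino ACL access levels in ascending order of privilege.
ACCESS_LEVELS = ["No Access", "Depositor", "Reader", "Author",
                 "Editor", "Designer", "Manager"]

# Tasks the page assigns to each role.
CAA_TASKS = {"create certifier", "modify certifier", "change ca/ra admins"}
RA_TASKS = {"register user", "register server", "register certifier",
            "approve request", "deny request", "revoke certificate"}


@dataclass
class DirectoryAccess:
    """A user's ACL entry on the master Domino Directory (constructed data)."""
    level: str
    privileges: set = field(default_factory=set)
    roles: set = field(default_factory=set)


@dataclass
class Admin:
    name: str
    is_caa: bool
    is_ra: bool
    directory: DirectoryAccess


def _at_least(level: str, minimum: str) -> bool:
    return ACCESS_LEVELS.index(level) >= ACCESS_LEVELS.index(minimum)


def denial_reasons(admin: Admin, task: str) -> list:
    """Return the reasons a task would fail for this admin; empty means allowed."""
    reasons = []
    if task in CAA_TASKS:
        if not admin.is_caa:
            reasons.append("not a CAA for this certifier")
        if not _at_least(admin.directory.level, "Editor"):
            reasons.append("needs at least Editor access to the Domino Directory")
    elif task in RA_TASKS:
        if not admin.is_ra:
            reasons.append("not an RA for this certifier")
        if not _at_least(admin.directory.level, "Author"):
            reasons.append("needs at least Author access to the Domino Directory")
        if "Create document" not in admin.directory.privileges:
            reasons.append('missing "Create document" privilege')
        if "User Creator" not in admin.directory.roles:
            reasons.append('missing "User Creator" role')
    else:
        reasons.append(f"unknown task: {task}")
    return reasons


def creator_defaults(creator: Admin) -> Admin:
    """Whoever creates a certifier is automatically both CAA and RA for it."""
    return Admin(creator.name, True, True, creator.directory)


def caa_coverage_ok(admins: list) -> bool:
    """Best practice from the page: at least two CAAs per certifier."""
    return sum(1 for a in admins if a.is_caa) >= 2


if __name__ == "__main__":
    # Constructed sample: an RA with Author access who lacks the User Creator role.
    ra = Admin("West Admin/DominoSix", False, True,
               DirectoryAccess("Author", {"Create document"}, set()))
    print(denial_reasons(ra, "register user"))
    print(denial_reasons(ra, "modify certifier"))
```

Running the sample reports that the RA cannot register users until the "User Creator" role is granted, and cannot modify the certifier at all, which is exactly the separation the page describes: directory access alone never confers CA rights, and CA rights never require the certifier ID file.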


CA Commands

Introduction

Administration of the CA process uses several console commands that are listed here for your reference.

CA tell commands

To administer the CA process, use the following:

tell ca quit
   Stops the CA process.

tell ca stat
   Displays summary information for the certifiers using the CA process; this includes the certifier's number, its hierarchical name, certifier type (Notes or Internet), whether it is active, and the name of the ICL database:

tell ca show queue <certifier number>
   Displays a list of pending certificate requests, revocation requests, and configuration modification requests for a specific certifier, using its number from the results of the "tell ca status" command. Administrators can also use * to show this information for all certifiers that are using the CA process:

tell ca activate <certifier number> <password>
   Activates a certifier that was created with "Require password to activate certifier," or any certifier that has been deactivated. Activation is enabled during CA setup and creation. Activate a specific certifier by entering its number from the results of the "tell ca status" command, or unlock all server ID/password-protected certifiers at one time by specifying * for the certifier number; the CA process then prompts for the password for each certifier.

tell ca deactivate <certifier number>
   Deactivates a certifier. Use * to deactivate everything, or deactivate a specific certifier by entering its number from the results of the "tell ca status" command.

tell ca lock idfile
   Locks all certifiers that were set up with a lock ID, as specified during CA setup.


tell ca unlock <idfile> <password>
   Unlocks all certifiers using the ID and password that comprise the lock ID. The lock ID is specified during CA setup.

tell ca CRL issue <certifier number>
   Issues a non-regular CRL for a specific certifier, where certifier number is the number of the certifier in the results of the "tell ca status" command:

tell ca CRL push <certifier number>
   Pushes a certifier's latest regularly scheduled CRL to the Domino Directory, where certifier number is the number of the certifier in the results of the "tell ca status" command:

tell ca CRL info <certifier number> [s/S/n/N]
   Displays CRL information for a specified certifier, where certifier number is the number of the certifier in the results of the "tell ca status" command. Use s or S for regularly scheduled CRLs, and n or N for non-regularly scheduled CRLs:

tell ca refresh
   Forces the CA process to refresh its list of certifiers. As a result:
   - newly configured certifiers will be added to the CA process
   - previously unlocked certifiers will need to be unlocked again
   - previously activated certifiers may need to be activated again, if the activation password has changed
   - the Notes certifier ID file in IDStorage will be updated with the latest certificate information (IDStorage is the name of the document in the ICL database that holds the ID for the certifier)

tell ca help
   Lists the tell ca options.


Adding Administrators to a Certificate

Introduction

In some cases, administrators may wish to add administrators to a certificate.

Adding admins to a certificate

To add a CAA or an RA to an existing CA-based certificate:

Step 1: Switch to the Certificates view in the Configuration tab of the Administration client. Open the certifier document and click Edit Certifier.

Step 2: Click Modify CA Configuration:

In the above example we added user West Admin to the CAA role. Click Submit and the new person is processed on the server console:

Note: There is a reported issue that an adminp rename does not update the RAs or the CAAs in the ICL database. The RA loses the ability to perform all functions unless they are removed and re-added to the list. For details, see Technote 1173494 in the Knowledge Base.


Disabling a Certifier

Introduction

To disable an Internet certifier, remove it from the server-based CA process.

Disabling Certifiers

To disable an Internet certifier:

Step 1: Using the Administration Client, switch to the Configuration tab and select the Certificates view.

Step 2: Choose the certifier to be disabled and open it. Click Edit Certifier, or double-click the document to edit it.

Step 3: Switch to the CA Configuration tab.

Step 4: Change the value in the Process Enabled field to No:

Step 5: Click Save & Close. The change takes effect automatically the next time the CA refresh runs (every twelve hours). To apply the change immediately, use the tell ca refresh command at the server console.

Step 6: Use tell ca status to check that the certifier has been removed. Below, the North certifier was removed, leaving only the West certifier:

This can also be confirmed by opening the Certifier document. Once the certifier is disabled, the CA Configuration tab is removed:


Enabling a Certifier

Introduction

In some cases, administrators may need to re-enable a disabled Internet certifier.

Enabling certifiers

To enable a disabled Internet certifier:

Step 1: Using the Administration Client, switch to the Configuration tab and open the Certificates view.

Step 2: Select the certifier to be enabled and open it.

Step 3: Click the Edit Certifier button.

Step 4: Click Enable for CA Process:

Step 5: At the "CA Process is now enabled" dialog, click OK. The change takes effect automatically the next time the CA refresh runs (every twelve hours). To apply the change immediately, enter tell ca refresh at the server console.

Step 6: Use tell ca status to check that the certifier has been added to the list. Below, North is once again listed as active:

The CA Configuration tab again appears in the Certifier document:

Note: Administrators can also repeat the CA migration process to enable a certifier; however, this creates a new ICL database.


Revoking a Certificate

Introduction

A CA administrator can easily revoke an Internet certificate if the subject of the certificate leaves the organization, or if the key has been compromised. After a certificate is revoked, it can never again be trusted. After revoking a certificate, especially if a key has been compromised, issue a non-regular CRL so that any entity checking CRLs has the most up-to-date revocation information.

Revoking certificates

To revoke a certificate:

Step 1: From the Domino Administrator, select the Files tab. Open the ICL directory.

Step 2: From the list of ICL databases, open the ICL for the certifier that issued the certificate to be revoked.

Step 3: Select the Issued Certificates\By Subject Name view.

Step 4: Open the Issued Certificate document for the certificate to be revoked. The document name is the same as the subject name.

Step 5: In this case we will be revoking the certificate for Test User/DominoSix:

Step 6: At the top of the document, click Revoke Certificate.

Step 7: In the Revocation Reason dialog box, select the reason for revoking the certificate, and click OK:


Step 8: The server console should indicate that the request has been processed:

Step 9: Enter the command to issue a non-regular CRL:

tell ca crl issue 2

Step 10: In the Administration Process database under Requests > All requests by Server, the document called Remove Certificate from Domino or LDAP Directory indicates that the certificate has been removed:

Step 11: In the Administration Process database under Certification Authority Requests > Revocation Requests there is a RevocationCAAccepted document for each revoked certificate:


Step 12: The next time the CA process refreshes, the Issued Certificate document is updated to indicate that the certificate has been revoked. When the Issued Certificate document is opened again, the Revocation Information section shows that the certificate has been revoked, the revocation date and time, the reason for the revocation, and the date and time the certificate became invalid:

Note: Even publishing the non-regular CRL does not guarantee immediate revocation, because CRL users may continue to use cached copies of a CRL until it expires. It is important that administrators set a reasonable schedule for publication and expiration of CRLs. By default, Domino publishes a CRL daily, and each CRL has a lifetime of two days. Decreasing these intervals allows for more immediate revocation, at the cost of increased network and directory load as CRL caches are refreshed more often.
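Two rules from this document govern how quickly a revocation actually takes effect: the CRL types section says the CRL duration must be greater than the issuance interval (or there is a window with no valid CRL), and the note above says relying parties keep using a cached CRL until it expires, so even a non-regular CRL is not instantaneous. The following added example (not code from this document or from Domino) models both rules so an administrator can reason about a proposed schedule before changing it. The defaults are the page's (a CRL published daily, each living two days); the function names and the sample timeline are this example's own assumptions, and the model ignores the few-minute delay of the push to the Domino Directory.

```python
"""Model of CRL coverage and worst-case revocation latency.

Added example, not code from the original IBM document or from Domino.
Rules applied (both from the page): the CRL duration must exceed the
issuance interval, and a relying party may honour a cached CRL until it
expires. Defaults are Domino's: one CRL per day, two-day lifetime.
Function names and the sample timeline are assumptions of this example.
"""
from datetime import datetime, timedelta


def days(n):
    return timedelta(days=n)


def hours(n):
    return timedelta(hours=n)


DEFAULT_ISSUE_INTERVAL = days(1)   # Domino default: a CRL is published daily
DEFAULT_CRL_DURATION = days(2)     # Domino default: each CRL lives two days


def schedule_is_safe(issue_interval, duration):
    """True when the CRL duration is greater than the issuance interval."""
    return duration > issue_interval


def coverage_gap(issue_interval, duration):
    """Length of the window between a CRL expiring and the next one being issued."""
    return max(issue_interval - duration, timedelta(0))


def worst_case_latency(issue_interval, duration, non_regular=False):
    """Longest time a revoked certificate may still be accepted by a relying party.

    Regular CRL: the revocation waits for the next scheduled CRL (up to one
    interval), and a client that fetched the previous CRL just before that
    keeps the cached copy until it expires (one duration).
    Non-regular CRL: the wait for the scheduled issue is removed, but a
    stale cached copy is still honoured until it expires.
    """
    wait_for_issue = timedelta(0) if non_regular else issue_interval
    return wait_for_issue + duration


def revocation_visible(check_time, revoking_crl_issued_at, duration, last_fetch_at):
    """Does a relying party that caches CRLs until expiry see the revocation at check_time?"""
    if check_time < revoking_crl_issued_at:
        return False                                    # revoking CRL does not exist yet
    if last_fetch_at >= revoking_crl_issued_at:
        return True                                     # cached copy already lists it
    return check_time >= last_fetch_at + duration       # stale copy must expire first


def default_report():
    """Summarise the page's default schedule (bool for safety, timedeltas otherwise)."""
    return {
        "safe": schedule_is_safe(DEFAULT_ISSUE_INTERVAL, DEFAULT_CRL_DURATION),
        "gap": coverage_gap(DEFAULT_ISSUE_INTERVAL, DEFAULT_CRL_DURATION),
        "regular_latency": worst_case_latency(DEFAULT_ISSUE_INTERVAL, DEFAULT_CRL_DURATION),
        "non_regular_latency": worst_case_latency(DEFAULT_ISSUE_INTERVAL, DEFAULT_CRL_DURATION,
                                                  non_regular=True),
    }


if __name__ == "__main__":
    # Constructed timeline: a client fetched the CRL one hour before the
    # revoking CRL was issued, so it trusts the revoked certificate until
    # that cached copy expires two days after the fetch.
    start = datetime(2005, 7, 28)
    revoking_crl = start + days(1)
    client_fetch = revoking_crl - hours(1)
    for item, value in default_report().items():
        print(item, value)
    print(revocation_visible(revoking_crl + hours(1), revoking_crl, DEFAULT_CRL_DURATION, client_fetch))
    print(revocation_visible(revoking_crl + days(2), revoking_crl, DEFAULT_CRL_DURATION, client_fetch))
```

With the defaults the schedule is safe (no coverage gap), but a certificate revoked just after a scheduled CRL can remain trusted for up to three days, and for up to two days even after a non-regular CRL; shortening the CRL lifetime is what reduces that tail, as the note says, at the price of more frequent CRL fetches.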


Removing a Certifier from the CA Process

Introduction

There may be situations where administrators need to remove a certifier from the CA process.

Removing certifiers

To remove a certifier from the CA process:

Step 1: At the server console, issue the command tell ca quit.

Step 2: In the Administration client, select the Configuration tab. Select Certificates > Certificates and open the certifier certificate to be removed. On the CA Configuration tab, set Process Enabled to No. (Optional) Delete the CFG attachment from the certifier document.

Step 3: From the Administration Client, select the Files tab and open the ICL folder. Remove the corresponding ICL database by right-clicking the file name and selecting Delete database.

Step 4: On the Files tab, right-click the Certificate Requests database and select Delete database. Note: To confirm that this is the correct database, open the database and select the Database Configuration view. The common name of the certifier is in the Supported CA field:

Step 5: To confirm that the certifier has been removed from the CA process, issue the command tell ca stat from the Domino server console. The certifier will not be present in the list.


Administration Tips

Introduction

This section describes general tips for CA process administrators.

Modifying certifiers

There are two ways to modify a certifier. Both can only be done by a CAA:
- Via the certifier document. The only modification that can take place here is that the CAA and RA fields can be modified.
- Via the Administration client using Modify Certifier. Administrators can perform any modification using this method.

General tips

- Certificate requests in admin4.nsf can be marked not to be deleted. Administrators may want to periodically archive those documents.
- When using the web client, the passwords for the tell ca unlock and tell ca activate commands are transmitted in plain text, so make sure that all such communication is over SSL.
- For the error "Cannot locate user certificate. Make sure server contains your certificate for encryption" during creating, migrating or modifying a certifier, check the Notes client Location document. The Mail file location should be Server, not Local.

Notes.ini settings

CA_REQUEST_POLL_INTERVAL=<number of seconds>; 10 seconds by default. The time waited before processing certificate requests, revocation requests, and modification-to-certifier requests.

CRL_REQUEST_POLL_INTERVAL=<number of seconds>; 300 seconds (5 minutes) by default. The time between the scheduled runs of the push and issue tell commands.

CA_UPDATE_INTERVAL=<number of hours>; 12 hours by default. Only applies to Notes certifiers. In Notes, the certifiers keep track of the latest certificate tables for that certifier, which may include recovery information that could change.
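Because these three settings are usually absent from notes.ini and silently take their defaults, it helps to see the effective values on a server in one place. The following added example (not code from this document or from Domino) parses the key=value lines of a notes.ini, fills in the defaults given above for any setting that is missing, and flags values that are not positive whole numbers. The setting names, defaults and units come from the text above; the sample ini text is constructed for the example and the function names are its own.

```python
"""Audit of the CA-related notes.ini settings described in this section.

Added example, not part of the original IBM document or of Domino. It
parses notes.ini key=value lines, applies the page's defaults
(CA_REQUEST_POLL_INTERVAL 10 s, CRL_REQUEST_POLL_INTERVAL 300 s,
CA_UPDATE_INTERVAL 12 h) for settings that are absent, and reports values
that are not positive integers. SAMPLE_INI is constructed; the function
names are this example's own.
"""

# Setting name -> (default value, unit), as given on the page.
CA_SETTINGS = {
    "CA_REQUEST_POLL_INTERVAL": (10, "seconds"),
    "CRL_REQUEST_POLL_INTERVAL": (300, "seconds"),
    "CA_UPDATE_INTERVAL": (12, "hours"),
}


def parse_notes_ini(text: str) -> dict:
    """Return a dict of upper-cased keys to raw string values.

    notes.ini keys are case-insensitive; blank lines, section headers
    such as [Notes], and lines without '=' are ignored.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def effective_ca_settings(ini_text: str) -> dict:
    """Map each CA setting to (value, unit, source), source being 'ini' or 'default'."""
    present = parse_notes_ini(ini_text)
    result = {}
    for name, (default, unit) in CA_SETTINGS.items():
        if name in present:
            result[name] = (present[name], unit, "ini")
        else:
            result[name] = (default, unit, "default")
    return result


def audit_ca_settings(ini_text: str) -> list:
    """Return findings for explicitly set values that are not positive integers."""
    findings = []
    for name, (value, unit, source) in effective_ca_settings(ini_text).items():
        if source != "ini":
            continue
        if not (value.isdigit() and int(value) > 0):
            findings.append(f"{name}={value!r} is not a positive number of {unit}")
    return findings


# Constructed sample; not a real server's notes.ini.
SAMPLE_INI = """[Notes]
Directory=C:\\Lotus\\Domino\\data
CA_REQUEST_POLL_INTERVAL=30
CRL_REQUEST_POLL_INTERVAL=abc
"""

if __name__ == "__main__":
    for name, info in effective_ca_settings(SAMPLE_INI).items():
        print(name, info)
    print(audit_ca_settings(SAMPLE_INI))
```

On the sample the report shows CA_REQUEST_POLL_INTERVAL taken from the file, CA_UPDATE_INTERVAL at its 12-hour default, and one finding for the malformed CRL poll interval.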


Encrypting the Certifier ID

Introduction

Administrators have three choices when encrypting a certifier ID:
- Server ID
- Require password to activate
- Locking ID

Server ID

Encrypting with the Server ID is the simplest option, but also the least secure. There are no additional actions to activate or unlock the certifier. This is the option used earlier in this document.

Password to activate

This option provides medium security. To require a password for activation:

Step 1: Check the Require password to activate option and enter a password for the certifier:

Step 2: At the server console, issue the commands:

tell ca refresh
tell ca status

The newly migrated certifier will be listed; however, it will not be active:

Step 3: Use the command tell ca activate [ 3 ] password to activate the certifier. tell ca status shows that the certifier is active:

Note: Encrypting a certifier ID with the password-protected Server ID option protects only that certifier. With a Locking ID, multiple certifiers can be protected.


Locking ID

Using a Locking ID provides the highest security for a certifier because it uses an individual's user ID and password to lock the certifier. To use a Locking ID:

1. Select the Locking ID radio button and click the Locking ID button.
2. Choose the user ID to use to lock the certifier and click OK.
3. The user's ID appears next to the Locking ID button.
4. Switch to the server console and enter:

tell adminp process all
tell ca refresh
tell ca status

The certifier is present, but not active.

5. To make it active, enter:

tell ca unlock <idfile> <password>

where <idfile> is the full path to the ID file.

Note: With the Locking ID, all of the certifiers that were locked with that ID will activate all at once.


Removing Passwords for Certifier Activation

Introduction

Administrators can configure the CA process to no longer require a password for certifier activation.

Removing activation passwords

To remove the password for certifier activation:

1. From the Administration client, click Modify Certifier in the Tools bar.
2. Choose the Issued Certificate List (ICL) database radio button and then click Select.
3. Open the directory holding the ICL databases. Choose the ICL database for the certifier to be changed.
4. Once the database has been selected, its file name is shown on the Modify Certifier dialog. Click OK.
5. The next screen shows the option chosen earlier for this certifier.
6. Change this option to Server ID and click OK.
7. Click Yes at the warning: "This process will modify the current certifier information".
8. Click OK on the Success dialog. The change made can be seen in the admin4.nsf Requests > All requests by Server view.

The next time the server is started the certifier should be activated without requiring a password. This also works with the Require Password to Activate option.


Renaming the ICL Database

Introduction

In some situations it may be necessary to rename the ICL database. Note: The Administrator will need Designer access to rename the ICL database.

Renaming ICL

To rename the ICL database:

1. Shut down the CA process on the server using the command tell ca quit.
2. In the Administration client, select the Configuration tab, expand the Certificates view and open the Certifier document.
3. Take note of the value in the ICL Path field on the CA Configuration tab. It will be used in later steps.
4. The ICL Path field is a computed field and cannot be changed directly; its field type must be changed in the Designer client. Close the Certifier document.
5. Launch the Domino Designer client.
6. Open the Domino Directory.
7. Open the form called Server/Certifier and go to the CA Configuration tab.
8. Change the ICL Location field from computed to editable.
9. Save the change and close the Designer client.
10. Switch to the Administration client. Select the Configuration tab and expand the Certificates view.
11. Open the Certifier document again.
12. Enter the new name of the database in the ICL Path field. Save and close the document.
13. In an Explorer window, browse to the location of the ICL database. Locate the file named in the original ICL Path entry and rename it to the new name.
14. Reload the CA process task using the command Load ca. The CA process should initialize the certifier and the process should be complete.
15. In the Designer client, change the ICL Location field from editable back to computed.
16. Restart the Administration client to see the new database name under the Files tab.


Confirming a CRL has run using the CA Process

Introduction

There are several methods of confirming that the CRL has run using the CA process:

- The certifier document
- The ICL database
- The server console

Certifier document

In the Certifier document, look at the certificateRevocationList field. This information is not in a readable format, nor is there any tool to annotate or translate that information.

ICL database

To see the CRLs that have been processed, navigate to the ICL directory (by default Lotus >> Domino >> data >> icl) and hold down the Ctrl and Shift keys when opening the ICL database. The view called $CRLView lists all of the CRLs. In the first column a "1" means the CRL was a scheduled CRL; a "2" in that column indicates a non-scheduled CRL was issued. The second column has the date and time of the CRL.

Server console

The server console can also be used to view the most recent CRL, using the console command "tell ca crl info [certifier number] [s/S/n/N]". Assuming that the certifier the CRL was issued for is the second certifier listed by tell ca status, then:

Use "tell ca crl info 2 s" to view the most recent scheduled CRL. The "s" or "S" stands for "scheduled". The output from the console looks like this:

> tell ca crl info 2 s
03/17/2005 01:55:21 PM   CA show latest scheduled CRL for CN=North:
03/17/2005 01:55:21 PM   Issue Date: 03/16/2005 04:06:27 PM
03/17/2005 01:55:21 PM   Next Schedule On or Before: 03/18/2005 04:06:27 PM

Use "tell ca crl info 2 n" to view the most recent non-scheduled CRL. The "n" or "N" stands for "non-scheduled". The output from the console looks like this:

> tell ca crl info 2 n
03/17/2005 01:31:43 PM   CA show latest non-scheduled CRL for CN=North:
03/17/2005 01:31:43 PM   Issue Date: 03/17/2005 01:26:22 PM
03/17/2005 01:31:43 PM   Next Schedule On or Before: 03/18/2005 04:06:27 PM


Confirming Certificate Revocation

Introduction

There are three ways to confirm that an Internet certificate has been revoked:

1. Open the ICL database for that certifier (by default in the Lotus\Domino\data\icl directory). In the Issued Certificates By Subject Name view, find the revoked person's name and open their document. Examine the "Revocation Information" section of the document. If there is a checkmark in the "This certificate has been revoked" field, the certificate has been revoked.
2. Open the ICL database while holding down the Ctrl and Shift keys. A view called $RevokedCerts shows all of the revoked Internet certificates in a time/date format.
3. At the server console, display up to ten revoked certificates at a time by issuing the command "tell ca crl info [certifier number] [s/S/n/N]".

Console commands

Assuming that the certifier the CRL was issued for is the second certifier listed by tell ca status, then:

Use "tell ca crl info 2 s" to view up to ten revoked certificates from a regularly scheduled CRL. The "s" or "S" stands for "scheduled":

> tell ca crl info 2 s
03/17/2005 01:55:21 PM   CA show latest scheduled CRL for CN=North:
03/17/2005 01:55:21 PM   Issue Date: 03/16/2005 04:06:27 PM
03/17/2005 01:55:21 PM   Next Schedule On or Before: 03/18/2005 04:06:27 PM
03/17/2005 01:55:21 PM   1 Revoked Certificate:
03/17/2005 01:55:21 PM   0. Certificate #: 6d4081b52027b0bcd08e7b53072382e9d2cb9a8a

Use "tell ca crl info 2 n" to view up to ten revoked certificates from a non-regularly scheduled CRL. The "n" or "N" stands for "non-scheduled":

> tell ca crl info 2 n
03/17/2005 01:31:43 PM   CA show latest non-scheduled CRL for CN=North:
03/17/2005 01:31:43 PM   Issue Date: 03/17/2005 01:26:22 PM
03/17/2005 01:31:43 PM   Next Schedule On or Before: 03/18/2005 04:06:27 PM
03/17/2005 01:31:43 PM   2 Revoked Certificate:
03/17/2005 01:31:43 PM   0. Certificate #: 48ed9237a769bff0d14b3742887e2a5563cc240e
03/17/2005 01:31:43 PM   1. Certificate #: 583eb8f6857484e728b14673dbd52ad071506ff2

In the output, the Certificate # is the Serial Number from the Issued Certificate document in the ICL database for the user. Note: For information on revoking an Internet certificate, see the Domino Administrator help database.
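The following Python script is an added example and is not part of this IBM document or of Domino itself. It parses the console output of the tell ca crl info commands shown above (and in the previous section, "Confirming a CRL has run using the CA Process") so that the checks an administrator does by eye can be automated: whether the CRL is overdue relative to its "Next Schedule On or Before" time, whether the Certificate # lines match the declared count (the console lists at most ten), and whether a given ICL Serial Number appears in the CRL. The sample console text is constructed from the values printed in this document; the function names, the staleness rule and the MAX_LISTED cap are assumptions of the example.

```python
import re
from datetime import datetime

# Constructed samples of "tell ca crl info" console output, one console line
# per row (timestamp prefix, then the CA task's message). The values are the
# ones shown in this document's examples, not a capture from a live server.
SAMPLE_SCHEDULED = """\
> tell ca crl info 2 s
03/17/2005 01:55:21 PM   CA show latest scheduled CRL for CN=North:
03/17/2005 01:55:21 PM   Issue Date: 03/16/2005 04:06:27 PM
03/17/2005 01:55:21 PM   Next Schedule On or Before: 03/18/2005 04:06:27 PM
03/17/2005 01:55:21 PM   1 Revoked Certificate:
03/17/2005 01:55:21 PM   0. Certificate #: 6d4081b52027b0bcd08e7b53072382e9d2cb9a8a
"""

SAMPLE_NON_SCHEDULED = """\
> tell ca crl info 2 n
03/17/2005 01:31:43 PM   CA show latest non-scheduled CRL for CN=North:
03/17/2005 01:31:43 PM   Issue Date: 03/17/2005 01:26:22 PM
03/17/2005 01:31:43 PM   Next Schedule On or Before: 03/18/2005 04:06:27 PM
03/17/2005 01:31:43 PM   2 Revoked Certificate:
03/17/2005 01:31:43 PM   0. Certificate #: 48ed9237a769bff0d14b3742887e2a5563cc240e
03/17/2005 01:31:43 PM   1. Certificate #: 583eb8f6857484e728b14673dbd52ad071506ff2
"""

TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M"   # console timestamp pattern
TS_FMT = "%m/%d/%Y %I:%M:%S %p"
MAX_LISTED = 10   # assumption from the text: at most ten certificates are listed


def parse_ts(text):
    """Parse a console-style timestamp such as '03/17/2005 01:55:21 PM'."""
    return datetime.strptime(text, TS_FMT)


def parse_crl_info(console_text):
    """Parse the output of 'tell ca crl info <n> <s|n>' into a dict.

    Keys: kind ('scheduled' or 'non-scheduled'), certifier, issued, next_due,
    console_time (timestamp of the last console line seen), declared_count
    (the 'N Revoked Certificate' figure) and revoked (the listed Certificate #
    values, lowercased; these are the ICL Serial Numbers).
    """
    info = {"kind": None, "certifier": None, "issued": None, "next_due": None,
            "console_time": None, "declared_count": 0, "revoked": []}
    for line in console_text.splitlines():
        head = re.match(rf"^({TS})\s+(.*)$", line)
        if not head:
            continue   # the echoed command and blank lines carry no timestamp
        info["console_time"] = parse_ts(head.group(1))
        msg = head.group(2).strip()
        if m := re.match(r"CA show latest (scheduled|non-scheduled) CRL for (.+):$", msg):
            info["kind"], info["certifier"] = m.group(1), m.group(2)
        elif m := re.match(rf"Issue Date: ({TS})$", msg):
            info["issued"] = parse_ts(m.group(1))
        elif m := re.match(rf"Next Schedule On or Before: ({TS})$", msg):
            info["next_due"] = parse_ts(m.group(1))
        elif m := re.match(r"(\d+) Revoked Certificate", msg):
            info["declared_count"] = int(m.group(1))
        elif m := re.match(r"\d+\. Certificate #: ([0-9A-Fa-f]+)$", msg):
            info["revoked"].append(m.group(1).lower())
    return info


def crl_is_stale(info, now=None):
    """True when the CRL is overdue: 'Next Schedule On or Before' has passed
    without a newer CRL being shown. 'now' may be a datetime or a console-style
    timestamp string; it defaults to the console time in the capture, so a
    saved capture is judged against the clock it was taken at."""
    if info["next_due"] is None:
        return True   # no CRL information at all is treated as a failure
    if now is None:
        now = info["console_time"]
    elif isinstance(now, str):
        now = parse_ts(now)
    return now > info["next_due"]


def listing_is_consistent(info):
    """The number of Certificate # lines must match the declared count, capped
    at MAX_LISTED; a shortfall usually means the capture was truncated."""
    return len(info["revoked"]) == min(info["declared_count"], MAX_LISTED)


def is_revoked(info, serial):
    """Look up an ICL Serial Number (hex, any case) in the parsed CRL."""
    return serial.strip().lower() in info["revoked"]


if __name__ == "__main__":
    for sample in (SAMPLE_SCHEDULED, SAMPLE_NON_SCHEDULED):
        crl = parse_crl_info(sample)
        print(crl["kind"], crl["certifier"], "issued", crl["issued"],
              "stale" if crl_is_stale(crl) else "current",
              "consistent" if listing_is_consistent(crl) else "TRUNCATED",
              crl["revoked"])
```

Feed the script a saved console capture (for example, text copied from the server console or a console log) and compare is_revoked against the Serial Number in the user's Issued Certificate document; crl_is_stale is the check worth scheduling, because a CRL that is never re-issued after "Next Schedule On or Before" silently leaves revoked certificates looking valid to relying parties.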


Creating a Local Copy of the Certifier ID

Introduction

For convenience, Administrators may wish to create a local backup copy of the certifier ID. The purpose of backing up the certifier locally is that it can be used for recovery should error messages appear when loading the CA process or entering the tell ca refresh command.

Create a local certifier

To create a local copy of the certifier ID:

1. From the Domino Administrator client, select the Miscellaneous tab and click Create a local copy of the certifier ID.
2. Click Set ID File to specify the certifier ID file name and enter the password.
3. Click OK.
4. A copy of the certifier ID is saved to the default path \notes\data\ids\certs\cert.id, but Administrators can select a different path.

Use this local copy of the certifier ID as a backup to re-create the certifier if it becomes corrupted.


Recovering a Certifier

Introduction

In certain circumstances, Administrators may need to recover a certifier.

Recovering a Certifier

To recover a certifier:

1. From the Administrator client, select the Configuration tab.
2. In the Tools pane, choose Certification > Modify Certifier.
3. Select the CA server from the list, and click OK.
4. Select the certifier to recover by doing one of the following:
   - Select the certifier document from the Domino Directory
   - Select the certifier ICL database
5. Administrators may be prompted for the certifier ID and password. Enter the path and filename for the local copy of the ID created when the certifier was first set up, and click OK. Note: The prompt for the certifier ID occurs only if the certifier determines that it cannot proceed without it.
6. In the Certifier CN=Recover dialog, confirm that the certifier information is correct.
7. Click OK and click Yes when asked to modify the certifier.
8. Click OK when the certifier is successfully modified.

Note: If the certifier is still having problems, for example, configuration documents are corrupted or missing, replace the ICL database with the backup copy. The location of the ICL database is specified in the certifier document.


Self-service resources on the web:


Lotus software support
The Lotus software support web site provides content to help you troubleshoot issues, plan deployments, and subscribe to product news. You can even submit and track problems with your IBM Customer Number. http://www.ibm.com/software/lotus/support

Lotus Domino support page

This product support page offers the latest troubleshooting resources, patches, product Flashes, and other important content specific to Lotus Domino. http://www.ibm.com/software/lotus/support/domino/support.html

developerWorks: Lotus

This page offers IBM's technical resources for Lotus Domino developers, such as articles.
developerWorks: Lotus http://www.ibm.com/developerworks/lotus
Notes and Domino http://www.ibm.com/developerworks/lotus/products/notesdomino

Notes/Domino 6 discussion forum

The Notes/Domino 6 discussion forum is an excellent source of information regarding Notes and Domino issues. The questions and answers posted by your peers can be quite helpful when you are researching an issue, sometimes preventing the need to submit a problem to software support! http://www.lotus.com/ldd/nd6forum.nsf

Product documentation

The documentation web page offers the latest Release Notes, Help files, White Papers, etc. for Lotus Domino. http://www.lotus.com/ldd/notesua.nsf/find/domino
