Lotus Domino Administrator 6 Help - Creating a certifier for a server-based CA

SECURITY

Creating a certifier for a server-based CA
You can create additional Notes and Internet certifiers for your organization and configure them to use the CA process.

To create a Notes certifier

1. Register an additional organization certifier or organizational-unit certifier.

2. Migrate the certifier to the CA process.

To create an Internet certifier

You create one or more Internet certifiers to issue server and client Internet certificates.

1. From the Domino Administrator, click Configuration.

2. On the Tools pane, select Registration - Internet Certifier.

3. In the Register Internet Certifier dialog box, select "I want to register a new Internet certifier that uses the CA process."

4. In the Register a New Internet Certifier dialog box, click Basics.

5. Create the certifier name. Specify a common name and at least one additional component:

Common name - Enter the certifier name.
Organizational unit (optional) - Enter the name of the certifier's organizational unit, if applicable.
Organization (optional) - Enter the name of the certifier's organization.
City or locality (optional) - Enter the organization's city or locality.
State or province (optional) - Enter the full name of the state or province in which the organization resides.
Country (optional) - Enter the two-character abbreviation for the country in which the organization resides.

6. Choose the server on which to store the certifier.

7. (Optional) Modify the default ICL database name (for example: "icl\icl_Acme.nsf").

Note

It is recommended that you use the default directory structure.

8. For "Encrypt Certifier ID with," select one:

Option	Security level	Password required	Action required
Encrypt ID with Server ID	Lowest	None	None
Encrypt ID with Server ID	Medium	Server ID password	If you choose to encrypt the certifier ID with the server ID and password, you need to activate the certifier. Use the tell command: `tell ca activate <password>`
Encrypt ID with Lock ID	Highest	Registered user ID and password	If you choose to encrypt the certifier ID with a lock ID, the certifier is locked when you create it. Use the tell command: `tell ca unlock <idfile><password>`

Note

Encrypting a certifier ID with the password-protected Server ID protects only that certifier. If you use a lock ID, you have the option of using it with multiple certifiers. You then need to lock and unlock those certifiers simultaneously.

9. (Optional) In the Administrators list, enter the names of additional CAAs and RAs. The name of the administrator creating the CA is automatically included in the list as both a CA administrator and an RA administrator.

For more information on certificate authority administrators and registration authorities, see the topic Administering a Domino CA.

10. On the Certificates tab, complete these fields:

Field Action

Include CRL distribution point extension (Optional) Select to enable an attribute that identifies the distribution point for the certifier CRL on the server that you select in the "Using server" list.

Backdate certificate validity Enter the date when the certificate becomes valid, as this may differ from the date on which the certificate is created.

Certificate duration Enter the default, minimum, and maximum certificate duration in months.

Key usage Choose the key usage extensions for this certificate.

Note The default certificate type is end entity certificate. This means that Internet certificates issued by this certifier apply to users of certificates and/or end-user systems that are subjects of a certificate.

11. Click Miscellaneous, and then click "Create a local copy of the certifier ID." Specify the certifier ID file name and password, and click OK. A copy of the certifier ID is saved to the default path ...\notes\data\ids\certs\cert.id. You can select a different path. Use this local copy of the certifier ID as a backup to re-create the certifier if it become corrupted.

12. Complete these fields to specify Certificate Revocation List information for this certifier:

Field Action

Duration of CRL (in days) Enter the length of time, in days, for which a given CRL is valid. It is recommended that this time period extend beyond the time period between issued CRLs, as this ensures that the CRL is always valid.

Time between CRLs (in days) Enter the time interval, in days, between issued CRLs.

13. Complete these fields to specify "Key and certifier certificate" information for this certifier:

Field Action

Signing algorithm Select the algorithm used to encrypt the certificate's signature.

Key length Enter the key length to use for encryption. This setting determines the number of bits needed to be able to represent any of the possible values of a cryptographic key. The longer the key length, the more difficult it is to decrypt encrypted text.

Certificate will expire on (Optional) Change the default certificate expiration date.

14. Complete these fields to specify the Certifier PKIX Alternative Name(s) information for this certifier:

Alternative name fields allow alternate names to be listed in certificates. Alternate subject names can appear in any certificate. If a CA has alternate names, those names should be included in the certificates it issues. For example, you can include the certifier's e-mail address in the certificates it issues, so that users know how to contact the certifier that issued them.

Note A PKIX Alternative Name is not the same as a Notes alternate name. The Notes alternate name is the foreign language version of a user name.

Field Action

Type Enter the type of alternative name you want to use.

Value Enter the alternative name you want to use.

Click Add to add the alternative name to the certifier's certificate.

15. Click OK. A message appears saying that you have successfully set up a CA.

16. Complete these procedures:

Glossary

Feedback on Help?

Help on Help

Open Full Help Window

Glossary

Feedback on Help?

Help on Help

Open Full Help Window

Field	Action
Include CRL distribution point extension	(Optional) Select to enable an attribute that identifies the distribution point for the certifier CRL on the server that you select in the "Using server" list.
Backdate certificate validity	Enter the date when the certificate becomes valid, as this may differ from the date on which the certificate is created.
Certificate duration	Enter the default, minimum, and maximum certificate duration in months.
Key usage	Choose the key usage extensions for this certificate.

Field	Action
Duration of CRL (in days)	Enter the length of time, in days, for which a given CRL is valid. It is recommended that this time period extend beyond the time period between issued CRLs, as this ensures that the CRL is always valid.
Time between CRLs (in days)	Enter the time interval, in days, between issued CRLs.

Field	Action
Signing algorithm	Select the algorithm used to encrypt the certificate's signature.
Key length	Enter the key length to use for encryption. This setting determines the number of bits needed to be able to represent any of the possible values of a cryptographic key. The longer the key length, the more difficult it is to decrypt encrypted text.
Certificate will expire on	(Optional) Change the default certificate expiration date.

Field	Action
Type	Enter the type of alternative name you want to use.
Value	Enter the alternative name you want to use.