You can create additional HCL Notes® and Internet certifiers for your organization and configure them to use the CA process.

Key usage extensions and extended key usage
Key usage extensions define the purpose of the public key contained in a certificate. You can use them to restrict the public key to as few or as many operations as needed. For example, if you have a key used only for signing or verifying a signature, enable the digital signature and/or non-repudiation extensions. Alternatively, if a key is used only for key management, enable key encipherment.

To create a Notes certifier

About this task

Notes certifiers are created first, and then migrated to the CA process.

Procedure

1. Register an additional organization certifier or organizational-unit certifier.

2. Migrate the certifier to the CA process.

To create an Internet certifier

About this task

Internet certifiers are created and registered using the CA process.

Procedure

1. From the HCL Domino Administrator, click Configuration.

2. On the Tools pane, select Registration -> Internet Certifier.

3. In the Register Internet Certifier dialog box, select I want to register a new Internet certifier that uses the CA process.

4. In the Register a New Internet Certifier dialog box, click Basics.

5. Create the certifier name. Specify a common name and at least one additional component:

• Common name -- Enter the certifier name.
• Organizational unit (optional) -- Enter the name of the certifier's organizational unit, if applicable.
• Organization (optional) -- Enter the name of the certifier's organization.
• City or locality (optional) -- Enter the organization's city or locality.
• State or province (optional) -- Enter the full name of the state or province in which the organization resides.
• Country (optional) -- Enter the two-character abbreviation for the country in which the organization resides.

7. Optional: Modify the default ICL database name (for example: icl\icl_Renovations.nsf).

Note: Using the default directory structure is recommended.

Table 1. Certifier ID encryption options

Option	Security level	Password required	Action required
Encrypt ID with Server ID	Lowest	None	None
Require password to activate	Medium	Server ID password	If you choose to use a password, you need to activate the certifier. Use the tell command: tell ca activate password
Encrypt ID with Lock ID	Highest	Registered user ID and password	If you choose to encrypt the certifier ID with a lock ID, the certifier is locked until you unlock it. Use the tell command: tell ca unlockidfilepassword




Note: Encrypting a certifier ID with the password-protected Server ID protects only that certifier. If you use a lock ID, you have the option of using it with multiple certifiers. You then need to lock and unlock those certifiers simultaneously.

10. On the Certificates tab, complete these fields:

Table 2. Certificates tab fields to complete

Field	Action
Include CRL distribution point extension	Enable an attribute that identifies the location of for the certifier CRL. It is recommended that you use this option so that you can revoke certificates after they are issued. This is enabled by default.
Backdate certificate validity	The certificate validity period is the time interval during which the CA warrants that it will maintain information about the status of the certificate. In the event that the date on which the certificate becomes valid is different than the date on which it is created, you can choose to backdate the certificate's validity period. This option is enabled by default. You cannot enter a date.
Certificate duration	Enter the default, minimum, and maximum certificate duration in months.
Key usage	Choose the key usage extensions for this certificate.




Note: The only certificate type you can create is an end -entity certificate, and the option is enabled by default. This means that Internet certificates issued by this certifier apply to users of certificates and/or end-user systems that are subjects of a certificate.

12. Complete these fields to specify Certificate Revocation List information for this certifier:

Table 3. Certificate Revocation List fields

Field	Action
Duration of CRL (in days)	Enter the length of time, in days, for which a given CRL is valid. It is recommended that this time period extend beyond the time period between issued CRLs, as this ensures that the CRL is always valid.
Time between CRLs (in days)	Enter the time interval, in days, between issued CRLs.

Table 4. Key and certifier certificate fields

Field	Action
Signing algorithm	Select the algorithm used to encrypt the certificate's signature.
Key length	Enter the key length to use for encryption. This setting determines the number of bits needed to be able to represent any of the possible values of a cryptographic key. The longer the key length, the more difficult it is to decrypt encrypted text.
Certificate will expire on	(Optional) Change the default certificate expiration date.

Table 5. Certifier PKIX Alternative Name(s) information fields

Field	Action
Type	Enter the type of alternative name you want to use.
Value	Enter the alternative name you want to use.




Note: A PKIX Alternative Name is not the same as a Notes alternate name. The Notes alternate name is the foreign language version of a user name.

Results

A message appears saying that you have successfully set up a CA.

What to do next

Complete these procedures:

• Adding a certifier to the CA process
• Creating the Certificate Requests database

Related tasks
Creating an additional organization certifier ID
Creating an organizational unit certifier ID
Migrating a certifier to the CA process
Setting up a server-based Domino certification authority

Help on Help

All Help Contents

Help on Help