Domino Consulting - HCL Domino Administrator 11.0.1 Help

SECURING

Creating the Certificate Requests database

Each Internet certifier you create requires a Certificate Requests database (CERTREQ.NSF) to manage the server keyring file and allow users to request client certificates from the browser or through email. This database stores active certificate and revocation requests that have been submitted to the Administration Process for processing. Using a browser-based interface, servers and clients request certificates and pick up issued certificates.

About this task

You can store Certificate Requests databases on any server in the domain, including servers that reside outside of a network firewall.

For more information on using the Certificate Requests database to process certificate requests, see the related information.

Procedure

1. Choose File -> Application -> New and select the server to store the Certificate Requests database.

2. Enter the database title, for example Certificate Requests.

3. Enter the file name, for example certreq.nsf

4. Choose the Certificate Requests template (CERTREQ.NTF).

5. Click OK. When the Certificate Requests database has been created, it will open and the "About..." document will appear.

6. Close the "About..." document, and the Database Configuration form will appear.

7. In the Database Administration section, complete these fields:

Table 1. Database Administration section

Field

Action

Supported CA

Do the following:

1. In the Server field, enter the name of the server that hosts the Internet certifier.

2. In the Certifier field, enter the name of the Internet certifier to associate with the Certificate Request database.

Supported certificate types

Choose one:

Client certificates only -- Select this option if the certifier will issue client Internet certificates. Do not select this option if you want to create a server key ring for SSL. If you select this option, you must customize client requests.
Server certificates only -- Select this if the certifier will issue server Internet certificates. If you select this option, you must customize server requests.
Both client and server certificates -- Select this if the certifier will issue both client and server Internet certificates. If you select this option, then you need to customize both server and client requests.

8. Optional: In the Client Request Customization section, complete these fields:

Table 2. Client Request Customization section

Field	Action
Validity period	Enter the number of years that client requests generated with this database will specify as a validity period, beginning at the time of request submission. Default is 1 year.
Key usages	Choose the default key usage that will be submitted in client certificate requests generated from this database. Default settings are Key Encipherment and Digital Signature, which are sufficient for a client S/MIME certificate.
Extended key usages	Choose the default extended key usage that will be submitted in client certificate requests generated from this database. Default settings are Client Authentication and Email Protection.

9. Optional: In the Server Request Customization section, complete these fields:

Table 3. Server Request Customization fields

Field	Action
Validity period	Enter the number of years that server requests generated with this database will specify as a validity period, beginning at the time of request submission. Default is 1 year.
Key usages	Choose the default key usage that will be submitted in server certificate requests generated from this database. Default settings are Key Encipherment and Digital Signature, which are sufficient for an SSL server certificate.
Extended key usages	The default extended key usage that will be submitted in server certificate requests generated from this database. Default is Server Authentication.

10. For Processing method, choose the method by which requests are submitted to the Administration Process:

Manual (default) -- Choose this if you want an administrator to review requests submitted to the Certificate Requests to approve or deny each request individually before it is submitted to the Administration Request database (admin4.nsf) for further processing.
Automatic -- Choose this to have requests submitted to the Administration Request database processed without administrator intervention. Requests will be approved or denied according to the certificate policy. If this method is chose, the Automatic Transfer Server field appears, in which you need to specify the server running the administration process and to which certificate requests will automatically be transferred.
Note: If the Automatic method is chosen, the administrator (signer of the agent) must be listed in the group of users who can run unrestricted methods and operations on the server. This can be set on the Security tab in the Server document. There must also be a replica of the Certificate Requests database on the specified transfer server.

11. For Mail notification, choose whether or not to send e-mail notification when a certificate request has been processed by the CA.

Yes (default) -- Choose this if you want the requester to be notified by e-mail when a certificate request has been processed by the CA.
No -- Choose this if you do not want the requester to be notified by e-mail when a certificate request has been processed by the CA.

12. Click Save & Close.

Parent topic: Domino server-based certification authority

Related concepts
SSL and S/MIME for clients

Related tasks
To create an Internet certifier

Help on Help

All Help Contents

Help on Help

All Help Contents