PLANNING


Certifier IDs and certificates

Certifier IDs and certificates form the basis of HCL Domino® security. To place servers and users correctly within your organization's hierarchical name scheme, you create a certifier ID for each branch on the name tree. You use the certifiers during server and user registration to "stamp" each server ID and user ID with a certificate that defines where each belongs in the organization. Servers and users who belong to the same name tree can communicate with each other; servers and users who belong to different name trees need a cross-certificate to communicate with each other.

Note: You can register servers and users without stamping each server ID and user ID if you have migrated the certifier to a Domino server-based certification authority (CA).

Each time you create a certifier ID, Domino creates a certifier ID file and a Certifier document. The ID file contains the ID that you use to register servers and users. The Certifier document serves as a record of the certifier ID and stores, among other things, its hierarchical name, the name of the certifier ID that issued it, and the names of certificates associated with it.

Note: During server setup, you can use an existing certifier ID instead of creating a new one. The certifier ID that you specify cannot have multiple passwords assigned to it. Attempting to user a certifier ID with multiple passwords generates an error message and causes server setup to halt.

There are two types of certifier IDs: organization and organizational unit.


By default, the Server Setup program stores the certifier ID file in the directory you specify as the Domino data directory. When you use the Domino Administrator to create an additional organization certifier ID or organizational unit certifier ID, you specify where you want the ID stored. To ensure security, store certifiers in a secure location -- such as a disk locked in a secure area.

To provide ID and password recovery for HCL Notes® users, you need to set up recovery information for each certifier ID. Before you can recover user ID files, you need access to the certifier ID file to specify the recovery information, and the user ID files themselves must be made recoverable. There are three ways to do this:


Parent topic: Roadmap for deploying Domino servers

Related concepts
Hierarchical naming for servers and users
Domino domains
Certification log
Managing servers
Maintaining Notes users

Related tasks
Creating an additional organization certifier ID
ID recovery
Roadmap for deploying Domino servers
Recertifying a server ID
Creating a server setup profile
Creating an organizational unit certifier ID
Renaming a Notes user's common or alternate name