Publishing third-party CA client certificates in a Person record

Notes® and Internet users who have a client certificate from a third-party certifier may want to have this certificate published in their Person record so that, if a user authenticates with a Domino® server over TLS with that certificate, Domino will be able to determine the user's Notes identity.

About this task

The server can then use the Notes identity to check database ACLs and determine the user's access to those databases. If the certificate a user authenticates with is not published in a Person document, Domino gives the user anonymous access, even though the user completed TLS client authentication successfully.
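The following is an added illustration, not Domino code or any HCL/IBM API: a small model of the rule just described. A presented client certificate is matched against the certificates published in Person records (here by SHA-256 fingerprint of the DER bytes); a match yields the Notes identity, no match yields "Anonymous", and the ACL is then evaluated against that identity. The certificate bytes, names and ACLs are constructed sample data; the `-Default-` and `Anonymous` entry handling is a simplified model of how a Domino ACL treats unmapped users.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientCert:
    """A third-party CA client certificate as seen at the TLS layer (constructed)."""
    issuer: str   # issuer DN, informational only in this model
    serial: int
    der: bytes    # DER-encoded certificate; stands in for real bytes here

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


@dataclass
class PersonRecord:
    """A Domino Directory Person document with its published certificates (model)."""
    notes_name: str
    published_fingerprints: frozenset


def resolve_identity(cert: ClientCert, directory: list) -> str:
    """Map a TLS-authenticated certificate to a Notes identity.

    Only certificates published in a Person record map to a name; any other
    certificate, however valid, is treated as Anonymous (the behaviour the
    text above warns about).
    """
    fp = cert.fingerprint()
    for person in directory:
        if fp in person.published_fingerprints:
            return person.notes_name
    return "Anonymous"


def effective_access(identity: str, acl: dict) -> str:
    """Simplified ACL evaluation: explicit entry first, then -Default-.

    An unmapped user resolves to the 'Anonymous' entry if the ACL has one,
    otherwise to -Default-, so a missing Anonymous entry silently grants
    whatever -Default- allows.
    """
    if identity in acl:
        return acl[identity]
    return acl.get("-Default-", "No Access")


# Constructed sample data: Alice's certificate is published, Bob's is not.
ALICE_CERT = ClientCert("CN=Example Third-Party CA", 1001, b"constructed-der-alice")
BOB_CERT = ClientCert("CN=Example Third-Party CA", 1002, b"constructed-der-bob")
DIRECTORY = [
    PersonRecord("Alice Example/Acme", frozenset({ALICE_CERT.fingerprint()})),
]
ACL_STRICT = {"Alice Example/Acme": "Editor", "Anonymous": "No Access", "-Default-": "Reader"}
ACL_LOOSE = {"Alice Example/Acme": "Editor", "-Default-": "Reader"}


def check_access(cert: ClientCert, acl: dict) -> tuple:
    """Return (resolved identity, access level) for a presented certificate."""
    identity = resolve_identity(cert, DIRECTORY)
    return identity, effective_access(identity, acl)


if __name__ == "__main__":
    for label, cert in (("alice", ALICE_CERT), ("bob", BOB_CERT)):
        print(label, "strict ACL:", check_access(cert, ACL_STRICT))
        print(label, "loose ACL: ", check_access(cert, ACL_LOOSE))
```

Running it shows the point of the publication step: Bob authenticates with a perfectly valid certificate but, because nothing in the directory references it, he is "Anonymous" and gets whatever the ACL grants anonymous users, which with the loose ACL is Reader access through -Default-.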

To publish a third-party client certificate in a user's Person record, use the Certificate Publications Request database. Clients submit certificate publication requests to the database, where they are approved by an administrator. After a request is approved, a publication request is created automatically in the Administration Process database. When the request is completed, the third-party client certificate is published in the requester's Person record.

In order to use this database, the server on which it is hosted must:


In order for users to make a publication request, they must be able to authenticate to the Certificate Publications database with the certificate they want to have published.

Note: The user does not have to have a Person document in the Domino Directory to make a publication request. The administrator can create a Person document once the request has been entered, and it has been decided that the certificate's owner can be trusted.


To create the Certificate Publications Request database

Procedure

1. From the Domino Administrator, click File -> Application -> New.

2. Create a new database using the Domino Certificate Publications Request template (certpub.ntf).

To publish a third-party CA client certificate in a Person record

Procedure

1. The client opens the Certificate Publications Request database using a browser, completes the Certificate Registration Request form, and submits it.

2. The administrator approves or denies the publication requests in the Waiting for Approval view.

3. If the request is approved, it is submitted to the Administration Process and the client certificate is published in the requester's Person record.
