SECURING
You can set up a Domino® certifier that uses the CA process server task to manage and process certificate requests. The CA process runs as a process on Domino servers that are used to issue certificates. When you set up a Notes® or Internet certifier, you link it to the CA process on the server in order to take advantage of CA process activities. Only one instance of the CA process can run on a server; however, the process can be linked to multiple certifiers.
You can set up both Notes and Internet certifiers to use the CA process. Notes certifiers are registered and then migrated to the CA process. Internet certifiers, however are created and registered using the CA process.
Consider using the CA process because it:
Issued Certificate List (ICL)
Each certifier has an Issued Certificate List (ICL) that is created when the certifier is created or migrated to the CA process. The ICL is a database that stores a copy of each certificate that it has issued, certificate revocation lists (for Internet certifiers), and CA configuration documents. Configuration documents are generated when you create the certifier and sign it with the certifier's public key. After you create these documents, you cannot edit them.
CA configuration documents include:
Certificate Revocation List (CRL)
A CRL is a time-stamped list identifying revoked Internet certificates -- for example, certificates belonging to terminated employees. The CA process issues and maintains CRLs for each Internet certifier. A CRL is associated with a certifier, is signed by that certifier, and resides in the certifier's ICL database.
You configure the CRL when you create a new Internet certifier. You can specify the length of time for which a CRL is valid and the interval between publication of new CRLs. After CRLs are configured, the certifier issues them on a regular basis and they operate unattended.
Using CRLs, you can manage the certificates issued in your organization. You can easily revoke a certificate if the subject of the certificate leaves the organization or if the key has been compromised. HTTP servers and Web browsers check the CRLs to determine whether a given certificate has been revoked, and is therefore no longer trusted by the certifier. When you use Internet Site documents to configure Internet protocols on the Domino, you can also enable CRL-checking for each protocol.
There are two kinds of CRLs: scheduled and immediate. For scheduled CRLs, you configure a duration interval -- the time period for which the CRL is valid -- and the interval at which new CRLs are issued. Each certifier issues a CRL at the specified time, even if no certificates have been revoked since the last CRL was issued. This means that if an administrator revokes a certificate, it appears in the next scheduled CRL issued by the certifier. The CRL duration period should be greater than the time period between each CRL issuance. This ensures that the CRL remains valid. Otherwise, the CRL could expire before a new one is issued.
However, in the event of a critical security break -- for example, if the administrator needs to revoke a particularly powerful certificate or the certifier certificate is compromised -- you can manually issue an immediate CRL (that is, an unscheduled CRL ) to enforce the emergency revocation. This type of revocation does not affect either the timing or the content of the next scheduled CRL. You use a Tell command to issue an immediate CRL.
Administering a Domino CA There are a number of tasks associated with managing a HCL Domino certifier. If you implement a certifier that uses the CA process, you can delegate HCL Notes and Internet certificate request approval and denial to other administrators, each of whom acts as a registration authority. Many of the manual tasks associated with managing a CA in prior versions of Domino are automated when you use the CA process.
Migrating a certifier to the CA process To migrate an existing certifier to the CA process, you set up an Issued Certificate List (ICL) database and configure its certificate duration. In addition, for Internet certifiers, you configure CRL and key usage information for the certificate.
Adding a certifier to the CA process To manage the CA process, use Tellcommands at the server console.
Viewing certifiers running under the CA process You can view a list of all the certifiers running under the CA process.
Creating a certifier for a server-based CA You can create additional HCL Notes and Internet certifiers for your organization and configure them to use the CA process.
Creating the Certificate Requests database Each Internet certifier you create requires a Certificate Requests database (CERTREQ.NSF) to manage the server keyring file and allow users to request client certificates from the browser or through email. This database stores active certificate and revocation requests that have been submitted to the Administration Process for processing. Using a browser-based interface, servers and clients request certificates and pick up issued certificates.
Setting up TLS on a server-based CA server Because server administrators and clients use browsers to access the CA server to request and pick up certificates, use TLS to protect the CA server. When you set up the CA server for TLS, you create the server key ring file and request a server certificate. Domino automatically approves the server certificate and merges the CA certificate as a trusted root.
Signing server certificates using the Certificate Requests database A Domino administrator can request a server certificate from a server-based CA in order to enable TLS on a Domino server. The request is entered and processed in the Certificate Request database, where administrators approve or deny the request.
Modifying a server-based CA After you migrate or create a certifier, you can modify it through the certifier ICL or through the certifier document in the Domino Directory. How you open a certifier to modify it affects the number and type of changes you can make.
Viewing certificate requests Domino CAAs and RAs can view information about server and client certificate requests waiting for approval, as well as approved and rejected requests.
Revoking a certificate A CA administrator can easily revoke an Internet certificate -- for example, if the subject of the certificate leaves the organization, or if the key has been compromised. After a certificate is revoked, it can never again be trusted.
Backing up and recovering a certifier Back up each certifier that you create, so that you can recover if there is a problem -- for example, if error messages are generated by the certifier when you issue a lo ca or tell ca refresh command.
Disabling a certifier To modify a Certifier document, you must have Editor access to the Domino Directory. Full-access administrators and administrators have this access by default; however, be sure that all certificate authority (CA) administrators also have this access.
Related concepts Setting up an Internet certificate authority TLS security Setting up Notes and Internet clients for TLS authentication
Related tasks Modifying a server-based CA Revoking a certificate Creating a certifier for a server-based CA Setting up Domino security for Internet site documents
Related reference Certificate Authority process tell commands
Related information IETF 2459 RFC - Internet X.509 Public Key Infrastructure Certificate and CRL Profile