Domino Consulting - HCL Domino Administrator 12 Help

SECURING

Rolling over cross-certificates

After you roll over a Notes® certifier, you must also roll over any cross-certificates that were signed with the issuing certifier's previous key.

About this task

If you use the ID vault, keep in mind that you must roll over any Vault Trust Certificates issued by the certifier's previous key. If you use time-based one-time password (TOTP) authentication, you must roll over any Multi-Factor Authentication Certificates issued by the certifier's previous key.

Note:

After Vault Trust Certificates or Multi-Factor Authentication Certificates are rolled over, only entities that are re-certified with the new certifier key can access the vault or can authenticate using TOTP. Therefore you should wait to roll over these certificates until the process to re-certify OU certifier IDs, server IDs, and user IDs is complete.
In Domino 12.0. and 12.0.1, rolling over Multi-Factor Authentication Certificates requires you to create new certificates using the new certifier key rather than following this procedure. For more information, see Issuing a Multi-Factor Authentication Certificate for TOTP. After you create a new certificate, delete the old one.

Procedure

1. In the Domino® Administrator, click Configuration -> Certification -> Rollover Cross Certificates.

2. In the Select Cross Certificate list, select Rollover needed. This displays a list of cross certificates that were signed with the issuing certifier's previous key, and will need to be cross-certified with the new key.

3. Do one of the following:

Rollover all -- to roll over all of the cross certificates in the list.
Rollover selected -- to roll over individual cross certificates you selected by highlighting them in the list and .

4. You can get additional rollover status information. In the Select Cross Certificate list, select one of the following:

Rollover not needed -- to display a list of cross certificates that have been signed with the issuing certifier's new key. After you have rolled over cross certificates, you can verify that the roll over was successful, because the rolled-over cross certificates will appear in this list.
Rollover not possible -- to display a list of cross certificates that were not signed with rolled over certifier's previous or new key. These certificates cannot be rolled over.

Related tasks
Certificate authority key rollover

Help on Help

All Help Contents

Help on Help

All Help Contents