IBM 2005
Table of Contents
Overview - The Domino Server-based Certification Authority
Option One - Migrating a Domino certifier to the CA process
Loading the CA Process after Migration
How to use the CA Process to Register Users
Common Errors that Occur using the CA Process
Option Two - Creating an Internet Certifier with the CA process
Setting up the Certification Requests Database
Setting up the Key Ring and Merging the Internet Certificate
Manually Processing Requests
Configuring the HTTP Server for SSL
Installing the Client Certificate for SSL
Testing the Client Certificate
Option Three - Migrating an R5 Internet Certifier to the CA Process
Option Four - Using the CA Process with S/MIME
Administration of the CA Process
Overview - Administrator Roles
CA Commands
Adding Administrators to a Certificate
Disabling a Certifier
Enabling a Certifier
Revoking a Certificate
Removing a Certifier from the CA Process
Administration Tips
Encrypting the Certifier ID
Removing Passwords for Certifier Activation
Renaming the ICL Database
Confirming a CRL has run using the CA Process
Confirming Certificate Revocation
Creating a Local Copy of the Certifier ID
Recovering a Certifier
Self-service resources on the web
Consider using the Domino CA process because it:
- Does not require access to the Domino certifier ID and ID password. After enabling certifiers for the CA process, administrators can assign the registration authority role to other administrators, who can then register users and manage certificate requests without being given the certifier ID and password.
- Supports the registration authority (RA) role, which administrators use to delegate the certificate approval/denial process to lower-echelon administrators in the organization.
- Provides a unified mechanism for issuing Notes and Internet certificates.
- Simplifies the Internet certificate request process through a Web-based certificate request database.
- Issues certificate revocation lists, which contain information about revoked or expired Internet certificates.
- Creates and maintains the Issued Certificate List (ICL), a database that contains information about all certificates issued by the certifier.
- Is compliant with security industry standards for Internet certificates, for example X.509 and PKIX.
CA process steps
There are four basic options when configuring the CA process:
- Option One: Migrating a Notes/Domino certifier to the CA process
- Option Two: Creating an Internet certifier with the CA process
- Option Three: Migrating an R5 Internet certifier to the CA process
- Option Four: Using the CA process with S/MIME
Before performing the following steps to migrate a Domino certifier, administrators must:
- Have at least one OU. In this document the sample OU is called West/DominoSix.
- Check the Location document in the Domino Administration client to make sure that the Home/Mail Server field is set to the server that is being configured for the CA process.
- Check the Advanced tab of the ACL for the Domino Directory (names.nsf) and for the Administration Requests database (admin4.nsf) to make sure the server is listed as the Administration Server for both databases.
Note: If the Administration Server is incorrect for either database, this error will occur on the server console: Admin Process: Received the following error performing a Modify CA configuration in Domino Directory request on <servername>. A person document for either the request's signer or the Name(s) acted upon was not found in any local trusted directories for which this server is the Administration Server.
Step 1: In the Domino Administration client, select the Configuration tab.
Step 2: Expand the Tools pane and select Certification > Migrate Certifier.
Step 3: In the Migrate Certifier dialog, click the Select button and choose the certifier ID file for the OU to be migrated.
Step 4: Click OK. The ID path and file name should appear in the Migrate Certifier dialog:
Fields in the Migrate Certifier dialog (field label: sample value):
- Select the server where this certifier will run on: Verify that this is the name of the server being used for configuring the CA process.
- Name of the ICL database to be created: (Optional) The name of the ICL database that will be created can be changed to reflect the name of the certifier. There is no significance to the default name of the ICL database.
- (the certifier ID encryption option): Change this from Locking ID to Server ID.
In the Administrator(s) section of the Migrate OU dialog, click Add and add the server's name to the Administrators list:
Load ca
This command starts the CA process on the server. Administrators can also add ca to the ServerTasks= line of the server's notes.ini so that it loads automatically when the server starts. Note: If an error message like the following appears on the console when the CA process loads, the CA process cannot locate any certifiers configured for this server: CA Process ( servername/org ): No certifier configuration found for this server.
The Administration Process is crucial to the CA process task. After typing tell adminp process all at the server console, open the Administration Requests database (admin4.nsf). Select the All Requests by Server view and notice that a document has been created to modify the CA configuration:
The response document (with the green checkmark) indicates that the request has been successfully processed by adminp.
Tell ca refresh
Tell ca status

After entering the tell ca status command, the migrated certifier is listed as part of the CA process. (The information reported by tell ca status is discussed later in this document.)
After the migration request is processed, a CA Configuration tab is added to the document:
Step 1: Expand the Tools pane on the Configuration tab of the Administration client. Expand Registration and select Person.
Step 2: If prompted for a password, click Cancel.
Step 3: Choose Use the CA Process and then select the certifier in the CA configured certifiers drop-down list. Click OK:
Note: Anyone with RA status for that certifier can then register a person without having access to a certifier ID.
Step 1: Launch a browser and enter the URL for the Web administrator client: http://YourFullyQualifiedInternetServername/webadmin.nsf.
Step 2: Select the Configuration tab.
Note: Notes users registered with the CA process are not documented in the CERTLOG.NSF database. The $UpdatedBy field in the Person document may contain their name, but the number of entries in that field is limited.
RA errors
Using the Domino Web Administrator requires that both the Web Administrator and the server must be listed as RAs. Recall that we listed the server as an RA earlier in this module. If the server is not listed, this error message will appear:
Unable to perform registrations: You are a Registration Authority of the CA configured certifier /West/DominoSix, but the current server is not. In order to perform registrations, this server also needs to be trusted as an authorized Registration Authority.
User errors
When a new person is registered using the CA process, the certificate for the person is attached to that user's Person document in the Domino Directory. When the user first logs in, the new certificate is downloaded into the user's ID file, completing the registration. The user cannot log in successfully before the certificate has been issued; any attempt to do so results in this error message:
Server Error: Your certificate has not yet been signed by the Certificate Authority. Please try again later.
Or if the user is trying to complete workstation setup, the error will be:
The encrypted data has been modified or the wrong key was used to decrypt it.
In both cases, administrators must keep in mind that the CA process has to run, the Administration Process (the Recertify user in Domino Directory request) has to run, and replication to the proper Domino Directories must take place.
-or- Server Error: Your certificate has not yet been signed by the Certificate Authority. Please try again later.

This situation can arise when many users are registered and the Administration Process completes before the Person document is updated. See Technote 1174391 for details.
Option Two - Creating an Internet Certifier with the CA process
Introduction
The second option when configuring the CA process is to create an Internet certifier. After creating the Internet certifier, the server must be configured to use it. This involves:
- Creating the certificate requests database
- Creating the server key ring file and merging the Internet certificate
- Configuring the HTTP server for SSL access
- Installing the client certificate for SSL
A certificate authority (CA) is the link that allows a server and client to use SSL to communicate and S/MIME to exchange mail. Like a mutual friend, a CA vouches for the identity of a server and a client by issuing Internet certificates stamped with the CA's digital signature. The signature assures the client and server that both the client certificate and the server certificate can be trusted. If the client and server authenticate, that is, verify the digital signature on each other's certificate, they can establish a secure SSL session or exchange a secure S/MIME message; if they cannot authenticate each other, they cannot establish a secure session or exchange a secure message. The server's key ring file must contain the CA certificate as a trusted root; a common trusted root is what allows servers and clients to communicate. Before merging a server certificate signed by a CA, merge the CA certificate into the key ring file as a trusted root.
Before creating an Internet certifier with the CA process, check the following:
- The server should be listed as the Administration Server on the Advanced tab of the ACL of the Domino Directory and of the Administration Requests database (admin4.nsf).
- On the Basics tab of the Server document, make sure that the Fully qualified Internet host name field is correct, for example, server1.acme.com.
Step 1: From the Administration client, select the Configuration tab.
Step 2: Expand the Tools pane, expand Registration and select Internet Certifier.
Step 4: Click OK.
Step 5: In the Register New Internet Certifier dialog, click Create Certifier Name:
The rest of the fields are not required. If they are filled out, they make the name of the certifier more complex. Note: A more complex name might be used to distinguish different locations of one company; for example, all the certifiers might have the same Common Name while the Organizational Unit, City or Locality, State or Province, or Country differ. The Creating certifier dialog should reappear with the name of the certifier in the title bar, for example: Creating certifier (CN=North). Change the Encrypt certifier ID with field to Server ID. Make sure that your administrator is listed as an RA and CA:
Step 10: Open the Administration Requests database (admin4.nsf) and expand the All requests by server view. There should be a newly created document for the certifier under Modify CA Configuration in Domino Directory. When opened, the document should look like the following:
Step 11: Close admin4.nsf and enter the following commands at the server console:
Tell adminp process all
Tell ca refresh
Tell ca status
There should now be two certifiers listed as part of the CA process. The status command gives us the information we need to identify the certifiers within the CA process. Each certifier has a number which is used for many of the tell commands. For more information, see the section in this document called Certificate Authority Process Tell Commands. For example:
The first certifier is the West certifier. It is a Notes certifier that has been migrated to the CA process. The third line indicates that the certifier is active. The fourth line gives the path and database name for the ICL database related to this particular certifier. Also listed is the certifier just created, North, which is of certifier type Internet.
Step 1: From the Administration client choose File > Database > New.
Step 2: Enter the following in the Specify New Database Name and Location section of the New Database dialog:
- Server: Choose the server.
- Title: Enter a database title, for example, Certificate Requests for North.
- File name: Enter a database file name, for example, certreqNORTH.nsf. Each certifier must have its own database, so the file name should be easily identifiable.
Step 3: Enter the following in the Specify Template for New Database section of the New Database dialog:
- Server: Choose the server.
- Template: Select the Show advanced templates option and select Certificate Requests (6).
Step 4: Click OK.
Step 5: Close the About this database document.
Step 6: Enter the following information in the Database Configuration document:
- Server: Your hierarchical server name
- Certifier: CN=North
- Supported Certificate types: Both client and server certificates
- Extended key usages: Server and client authentication
- Requesting Process: Manual (so that we can step through the RA approval function)
Note: Client certificates issued through this database are valid for only one year by default. Administrators may wish to extend this period.
Step 1: Open the Domino Administration client, select the Files tab and locate the Certification Requests database, for example, certreqNorth.nsf. Open the database.
Step 2: Expand the view Domino Key Ring Management and select Create Key Ring.
Step 3: Enter the following properties in the Create Key Ring document:
- Key Ring File Name
- Key Ring Password
- Key Size
- Common Name
- Organization
Note: The remaining fields on the form are optional. Click Create Key Ring.
Note: By default, the key file is created in the data directory of the client, not the server. Those files will be moved to the server later in this document. After clicking OK, there will be a prompt to merge the Internet certificate into the key ring. Confirm that the information is correct and click OK:
Click OK at the dialog containing the message: Certificate Request Successfully Submitted for Key Ring.
Processing Requests
Step 1: Open the Certification Requests database (certreqNorth.nsf).
Step 2: Expand the Submitted/Waiting for Approval view. A pending Server Request should appear. Press F9 if it is not visible:
Step 3: Select the document and click Submit Selected Requests.
Step 4: Click OK at the dialog: Successfully submitted 1 request(s) to the Administration Process.
Step 5: Examine the Server Request. It should have a status of Submitted:
Step 6: Open the Administration Requests database (admin4.nsf).
Step 7: Make sure the CA process is loaded on the server.
Step 8: Expand the Certification Authority Requests view and select Certificate Requests:
Note: This step has to be performed by someone who has been granted RA access to this Internet certifier.
Note: The reason for the cross-certify request is that the document is signed not by the Organization (DominoSix) but by the Internet certifier, North. Notes always checks document signatures, so unless the Internet cross-certificate is in your local address book, the prompt for the cross-certificate appears each time an attempt is made to use the North certifier. The first time this occurs, administrators may want to choose the appropriate Domino certifier for the server. The Internet cross-certificate is then placed in the Domino Directory, and any administrator who needs it can download it with Actions > Retrieve Certificates from Home Server in the Notes client.
Step 16: To see the certificate in your address book, open the local address book, expand the Advanced view and select the Certificates view:
Step 17: Open the Issued/Rejected view of the Certification Requests database. Locate the Server request document:
Step 19: In the same database, choose Domino Key Ring Management > Pickup Key Ring Certificate.
Step 21: Verify the information in the Merge Signed Certificate Confirmation dialog and click OK:
Enabling SSL
To enable SSL on the server:
Step 1: In the Administration client, select the Configuration tab. Expand Server and select Current Server Document.
Step 2: Edit the document and select Ports > Internet Ports. By default, the file name keyfile.kyr should already be filled in. Enter values on the Web tab as in the example below:
Switch to the server console and enter the command: tell http restart.
Verifying SSL
To verify the SSL configuration:
Step 1: Create a database on the server with the file name web.nsf, using the discussion or document library template.
Step 2: When the database opens, check the ACL and make sure that Anonymous is set to No Access. Give at least Author access to a user for this test.
Step 9: At the Completing the Certificate Import Wizard dialog, click Finish.
Step 10: Click OK on the message: The import was successful.
Step 11: Click Yes on the Security Alert:
Step 13: Enter the name and password and click OK.
Step 14: When using certain templates (for example, the discussion or document library templates) a Security Information dialog will appear:
Step 15: To see the padlock in the browser, proving that SSL is working, click No. Otherwise, click Yes, which means that some of the information on the page will not be encrypted. The view for the database should appear and, depending on which JVM is being used, users may receive this dialog (with the Microsoft JVM there is no prompt):
Step 20: Click Close to accept the certificate into the JVM.
Step 21: Click Always on the previous dialog box, which reappears. It is possible to receive more requests to trust certifiers, depending on the JRE being used. Once the user has accepted those requests, the SSL connection is made.
Note: When only Server Authentication is enabled on the Domino server, the server's identity is authenticated by the client, but the client's identity is not authenticated by the server. To authenticate the server's identity, the client checks the Domino server's Internet certificate and verifies that the CA that issued it is marked as a trusted root in the browser. When server authentication AND client authentication are both enabled on the Domino server, the server's identity is authenticated by the client and the client's identity is authenticated by the Domino server. To authenticate the client's identity, the server looks up the Person document in the Domino Directory that contains the SSL public key from the client certificate. The same Person document also lists the names that a Domino server can use to authenticate the Internet client.
Installing Certificates
Step 1: Access the Certificate Requests database from a browser using the URL: http://FullyQualifiedInternetHostName/certreqNORTH.nsf.
Step 2: Click Request Client Certificate.
Step 3: Fill out the following fields:
- Your Full Name
- At least one other name component, for example, Organization
- In the return e-mail field, use a fake address for this example.
Click Submit Certificate Request and this dialog box should appear:
Step 6: Leave the browser open and return to the Notes Administration client.
Step 7: Switch to the Files tab and open certreqNORTH.nsf.
Step 11: Click OK. The new client request should change from "Pending Submission to Administration Process" to "Submitted to Administration Process" in the twisty title:
Step 12: Note: This step would be skipped had Automatic been selected in the configuration of the Certificate Requests database. If the Certificate Requests database were configured to automatically submit requests, adminp would drop the request into admin4.nsf automatically (every five minutes), where the following steps are then taken:
- Open admin4.nsf and expand the Certification Authority Requests view. Select Certificate Requests.
- Open the new request and click Edit Request.
- Click Approve Request.
- In admin4.nsf, the document status should change to Approved:
Step 13: The server console should indicate that the certificate has been processed:
Step 15: Note: This step would be skipped if Automatic had been selected in the configuration of the Certification Requests database. Automatic processing moves the approved request back to the Certificate Requests database every five minutes. A confirmation that the request was successfully pulled will appear:

it is very likely that the CA process is not loaded on the server. Once the CA process is loaded the certificate should process:
Step 16: Check the user's Person document in the Domino Directory. The Administration Process adds information about the new Internet certificate:
Step 18: Double-click the certificate and copy the Request ID to the clipboard in order to pick up the certificate in the browser:
Step 19: Return to the browser and click Pick up Client Certificate. Paste the Request ID from the Certificate Pickup document in the Certificate Requests database:
Step 1: View the Internet certificate in Internet Explorer by selecting Tools > Internet Options.
Step 2: Select the Content tab and click Certificates:
In this case, when the user copies the top URL in the e-mail to a browser, they get to this screen:
This process eliminates steps for the end user and makes the process less confusing. Note: If Automatic processing is chosen for the Certificate Requests database, make sure the signer of the agents is listed under unrestricted methods and operations on the Security tab of the Server document.
Step 1: In the Server document, select Ports > Internet Ports.
Step 2: Choose Yes for Client certificate. This forces the server to request client certificates:
Step 3: Recycle the HTTP server by entering the command: tell http restart.
Step 4: Use the browser to open the database created earlier: https://FullyQualifiedInternetHostName/web.nsf.
Step 5: This dialog should appear:
Click OK. If the client certificate has not been successfully imported, there will be no certificate to select in the dialog. Click View Certificate to see the North Internet certificate:
Migrating an R5 Certifier
Step 1: From the Administration client, select the Configuration tab.
Step 2: From the Tools menu click Migrate certifier.
Step 3: Click the Select button and choose the CAKey.kyr file for the certifier to be migrated. Choose Select:
Step 5: Click OK.
Step 6: Click OK on the Success: A newly created, migrated or recovered certifier will be available dialog.
Step 7: This process creates two requests in the Administration Requests database. Open admin4.nsf and select the Requests > All requests by server view.
Step 8: Look for the Modify CA Configuration in Domino Directory document:
Step 9: There should also be a Store Certificate Revocation List in Domino or LDAP Directory document:
Step 11: When an Internet certifier is created, two adminp requests are created: one to create the certifier record and one to store the CRL. The error shown indicates that the request to store the CRL tried to execute before the Certifier document was created, so it will be retried later. The process completes automatically; to help it along, type tell adminp process all and tell ca refresh at the server console. Then issue tell ca status; the results show that the Internet certifier has been migrated:
Step 12: To view the Certifier document that was created, switch to the Certificates view on the Configuration tab of the Administration client:
S/MIME Defined
S/MIME stands for Secure/Multipurpose Internet Mail Extensions. S/MIME is a secure e-mail standard based on the MIME e-mail standard. S/MIME does not play a key role in standard Notes e-mail; Notes uses its own features to protect Notes mail. However, not everyone is in a Notes environment. Domino administrators use the CA process to issue X.509 certificates to Notes users automatically, allowing them to use S/MIME without having to acquire digital IDs on their own. To do this, the Domino administrator selects Person records from the Domino Directory and chooses Actions > Add Internet Cert to Selected People. The Administration Process then issues an Internet certificate for each user based on the public key stored in the Person record. When the user next authenticates with their home server, the certificate is automatically added to the user's ID file. A Notes user ID file can store both Notes and Internet certificates. Notes certificates are always present, but Internet certificates must be issued by Domino administrators; the Domino Directory provides an automatic process for issuing them.
Adding certificates
Step 1: From the Domino Administrator, select the People & Groups tab.
Step 2: Expand the People view. Select the names of the users who need Internet certificates. Note: All Notes users must have valid Internet addresses specified in their Person documents.
Step 3: Choose Actions > Add Internet Cert to Selected People.
Step 4: Select the correct registration server, which appears at the top of the dialog next to the Server button.
Step 5: Choose the option to use the CA process.
Step 6: Alternatively, to use a flat CA instead of the CA process, choose the Supply the certifier key ring file and password option and supply the flat CA's key ring file.
Step 7: In the Add Internet Certificates to Selected Entries dialog, confirm that the expiration date is valid. Change the date if necessary.
Step 10: Open the Administration Requests database. The request appears in two different places in this database.
Step 11: Select Certification Authority Requests > Certificate Requests to see the issued certificate:
Step 12: Select Requests > All Requests by Server to see the request to store the certificate in the Domino Directory:
Note: The next time the user accesses their mail file or opens any database on the server, Notes recognizes that there is a certificate in the Person document that is not in the user's ID file. That certificate is then automatically placed in the user's ID file.
Viewing certificates
Step 1: From the Notes client, select File > Security > User Security > Your Identity > Your Certificates.
Step 2: Select Your Internet Certificates from the drop-down list:
Step 3: Click Close.
ICL database
The core of a CA certifier is the Issued Certificate List (ICL) database, created when the certifier is created or migrated to the CA process. Each certifier has its own ICL database. The ICL stores a copy of each unexpired certificate the certifier has issued, its certificate revocation lists (CRLs), and its CA configuration documents. The configuration documents are generated when the certifier is created and are signed by the certifier; once created, they cannot be edited. CA configuration documents include:
- Certificate profiles containing information about certificates issued by the certifier.
- A CA configuration document containing information about the certifier.
- RA/CA association documents containing information about the RAs who are authorized to approve or deny certificate requests (one document for each RA).
- An ID file storage document containing information about the certifier ID.
Separate from these is the Certifier document, which is created in the Domino Directory when the certifier is set up. This document can be modified.
CRL database
One of the big advantages of using the CA process for SSL is the CRL. A CRL is a time-stamped list identifying revoked Internet certificates (only Internet certificates), for example certificates belonging to terminated employees. The CA process issues and maintains CRLs for each Internet certifier. A CRL is associated with a certifier, is signed by that certifier, and resides in the certifier's ICL database. To find the list of revoked certificates, hold down the CTRL and SHIFT keys while opening the appropriate ICL database. The $RevokedCerts view contains the list of revoked certificates.
A copy of the CRL is also stored in the Domino Directory, where entities that require certificate authentication use it to check certificate validity. Users wishing to check a CRL can open it from the CA's Certifier document in the Domino Directory. CRLs can be used to manage the certificates issued in your organization: certificates can easily be revoked if the subject of the certificate leaves the organization or if the key has been compromised. HTTP servers and Web browsers check CRLs to determine whether a given certificate has been revoked and is therefore no longer trusted by the certifier. Internet Site documents can be used to configure Internet protocols on the Domino server and to enable CRL checking for each protocol.
CRL types
There are two kinds of CRLs: regular and non-regular. For regular CRLs, administrators configure a duration interval (the time period for which the CRL is valid) and the interval at which new CRLs are issued. Each certifier issues a CRL at the scheduled time even if no certificates have been revoked since the last CRL was issued, so a certificate an administrator revokes appears in the next scheduled CRL. The CRL duration must be longer than the interval between issuances; otherwise a CRL could expire before its replacement is issued, leaving relying parties without a valid CRL. In the event of a critical security breach, for example if the administrator needs to revoke a particularly powerful certificate or the certifier certificate is compromised, the administrator can manually issue a non-regular (unscheduled) CRL to enforce the emergency revocation. This does not affect the timing or the content of the next scheduled CRL. Use a Tell command to issue a non-regular CRL.
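The certificate life cycle this document walks through for the Internet certifier (issuing server and client certificates with server and client authentication usage, publishing a regular CRL even when nothing is revoked, then revoking a certificate and publishing a non-regular CRL that relying parties honour) reproduced with the openssl command line. This is an added example, not part of the original IBM document, and it uses no Domino tooling; the certifier name North, the host name server1.acme.com, the user name, the file names and the 7-day CRL duration are assumptions made for the demo, and openssl must be installed.

```shell
#!/bin/sh
# Added example (not Domino tooling): a throw-away "North" Internet certifier
# built with the openssl CLI. All names and file names here are assumptions.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl config: a CSR/self-signed section, a CA section for
# revocation and CRL generation, and leaf extensions that mirror the
# Certificate Requests database settings ("Both client and server
# certificates", "Server and client authentication").
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = north
[ north ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/north.pem
private_key      = $dir/north.key
crlnumber        = $dir/crlnumber
policy           = policy_any
default_md       = sha256
default_days     = 365
default_crl_days = 7
[ policy_any ]
commonName = supplied
[ leaf ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
EOF

touch index.txt          # the "issued certificate list" of this toy CA
echo 1000 > crlnumber    # sequence number for CRLs

# The certifier itself: a self-signed CA certificate for CN=North.
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout north.key -out north.pem -subj "/CN=North" 2>/dev/null

# A regular CRL is issued even before anything is revoked. -crldays is the
# CRL duration; it must exceed the interval at which you reissue the CRL.
issue_crl() {
    openssl ca -config ca.cnf -gencrl -crldays 7 -out north.crl 2>/dev/null
}

# The RA approval step: sign a request for CN=$2 into $1.pem.
issue_cert() {
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA north.pem -CAkey north.key \
        -CAcreateserial -days 365 -sha256 \
        -extfile ca.cnf -extensions leaf -out "$1.pem" 2>/dev/null
}

# Emergency revocation: mark the certificate revoked in the database and
# publish a non-regular (unscheduled) CRL immediately.
revoke_cert() {
    openssl ca -config ca.cnf -revoke "$1.pem" 2>/dev/null
    issue_crl
}

# What a CRL-checking relying party (HTTP server, browser) concludes about
# $1.pem: prints valid, revoked or invalid.
cert_status() {
    cat north.pem north.crl > trust.pem      # trusted root plus current CRL
    out=$(openssl verify -crl_check -CAfile trust.pem "$1.pem" 2>&1) \
        && { echo valid; return; }
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *)                       echo invalid ;;
    esac
}

issue_crl
issue_cert server "server1.acme.com"
issue_cert client "Jane Doe"
echo "server: $(cert_status server)   client: $(cert_status client)"
```

Running the script leaves the toy CA in a temporary directory; calling revoke_cert client afterwards flips cert_status client from valid to revoked while the server certificate stays valid, which is exactly the check the Domino CRL in the Domino Directory lets HTTP servers and browsers perform. Removing the CRL from trust.pem would make openssl verify -crl_check fail outright, the same situation as a CRL that expired before the next scheduled one was issued.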
Purpose of a CA database
The original intent is for all applications to refer to this attachment for CA configuration information, in order to support the lockbox model of the certifier. Under the lockbox model, administrators can put the ICL database and the CA process on a dedicated machine in a secure location. For ultimate security, this machine is not connected to the network. The attachment database in the certifier record does not contain the IDStorage document; it is a subset of what the ICL contains and holds only the active set of CA configuration settings (the RA/CAA association and the certificate profile documents). Changes occur on the ICL database first, and then a request is dropped into admin4.nsf by the CA process. This request is processed and the certifier document is updated.
CA admins
The CAA and RA roles are discussed below.

CAA - Certificate Authority Administrator
The Domino certificate authority administrator (CAA) is responsible for these tasks:
- Create and configure certifiers.
- Modify certifiers. For example, only a CA administrator can edit ID recovery information for a Notes certifier.
- Add or remove CA and RA administrators, or change the CA and RA roles assigned to users.
The CAA must have at least Editor access to the master Domino Directory for the domain. As a best practice, designate at least two CAAs for each certifier, since the CAA is the most powerful administrator role managing the CA process; with two, there is a backup if one leaves the organization. By default, the administrator who creates a certifier is automatically designated as both a CAA and an RA for that certifier.
Note: In much of the client user interface (such as the Modify Certifier tool) the CAA is listed as the CA.

RA - Registration Authority Administrator
All certificate requests, Notes and Internet, must be signed by an authorized administrator, or RA, before the CA process will sign certificates. Remember that the RA does not need access to the certifier ID file; only the CA process needs access to it. Since there can be many RAs, more administrators can be granted rights without compromising the security of the certifier ID file. The Domino Registration Authority (RA) administrator is responsible for these tasks:
- Register users, servers, and additional Notes certifiers.
- Approve or deny Internet certificate requests.
- Revoke certificates if they can no longer be trusted, such as when the subject of the certificate leaves the organization or the key has been compromised.
Note: RAs must have at least Author access to the master Domino Directory for the domain, with both the privilege "Create document" and the role "User Creator" enabled. The RA has the access needed to handle day-to-day operations: registering users and approving or denying certificate requests.
CA Commands
Introduction
Administration of the CA process uses several console commands that are listed here for your reference.
CA tell commands

tell ca quit
  Stops the CA process.

tell ca status (tell ca stat is accepted as an abbreviation)
  Displays summary information for the certifiers using the CA process: each certifier's number, its hierarchical name, certifier type (Notes or Internet), whether it is active, and the name of its ICL database.

tell ca show queue [certifier number]
  Displays a list of pending certificate requests, revocation requests, and configuration modification requests for a specific certifier, using its number from the results of the "tell ca status" command. Use * to show this information for all certifiers that are using the CA process.

tell ca activate [certifier number] [password]
  Activates a certifier that was created with "Require password to activate certifier," or any certifier that has been deactivated. Activation is enabled during CA setup and creation. Activate a specific certifier by entering its number from the results of the "tell ca status" command, or unlock all server ID/password-protected certifiers at once by specifying * for the certifier number; the CA process then prompts for the password of each certifier.

tell ca deactivate [certifier number]
  Deactivates a certifier. Use * to deactivate all certifiers, or deactivate a specific certifier by entering its number from the results of the "tell ca status" command.

tell ca lock
  Locks all certifiers that were set up with a lock ID, as specified during CA setup.

tell ca unlock [idfile] [password]
  Unlocks all certifiers using the ID and password that comprise the lock ID. The lock ID is specified during CA setup.

tell ca crl issue [certifier number]
  Issues a non-regular CRL for a specific certifier, where certifier number is the number shown for the certifier in the results of the "tell ca status" command.

tell ca crl push [certifier number]
  Pushes a certifier's latest regularly scheduled CRL to the Domino Directory, where certifier number is the number shown for the certifier in the results of the "tell ca status" command.

tell ca crl info [certifier number] [s/S/n/N]
  Displays CRL information for a specified certifier, where certifier number is the number shown for the certifier in the results of the "tell ca status" command. Use s or S for regularly scheduled CRLs, and n or N for non-regularly scheduled CRLs.

tell ca refresh
  Forces the CA process to refresh its list of certifiers. As a result:
  - newly configured certifiers are added to the CA process
  - previously unlocked certifiers need to be unlocked again
  - previously activated certifiers may need to be activated again, if the activation password has changed
  - the Notes certifier ID file in IDStorage is updated with the latest certificate information (IDStorage is the name of the document in the ICL database that holds the ID for the certifier)

tell ca help
  Lists the tell ca options.
Step 1: Switch to the Certificates view in the Configuration tab of the Administration client.
Step 2: Open the certifier document and click Edit Certifier. Click Modify CA Configuration:
In the above example we added user West Admin to the CAA role. Click on Submit and the new person is processed on the server console:
Note: There has been a reported issue that adminp rename is not updating the RAs or the CAAs in the ICL database. The RA loses ability to perform all functions unless they are removed and re-added to the list. For details, see Technote 1173494 in the Knowledge Base.
Disabling a Certifier
Introduction
To disable an Internet certifier, remove it from the server-based CA Process.
Disabling Certifiers
Step 1: Using the Administration Client, switch to the Configuration tab and select the Certificates view.
Step 2: Choose the certificate to be disabled and open it.
Step 3: Click Edit Certifier or double-click the document to edit it.
Step 4: Switch to the CA Configuration tab and change the value in the Process Enabled field to No:
Step 5: Click Save & Close.
Step 6: The change takes effect automatically the next time the CA refresh process runs (every twelve hours). To apply the change immediately, enter tell ca refresh at the server console. Use tell ca status to confirm that the certifier has been removed; below, the North certifier was removed, leaving only the West certifier:
This can also be confirmed by opening the Certifier document. Once the certifier is disabled, the CA Configuration tab is removed:
Enabling a Certifier
Introduction
In some cases, Administrators may need to re-enable a disabled Internet certifier.
Enabling certifiers
Step 1: Using the Administration Client, switch to the Configuration tab and open the Certificates view.
Step 2: Select the certificate to enable and open it.
Step 3: Click the Edit Certifier button.
Step 4: Click Enable for CA Process:
Step 5: At the dialog "CA Process is now enabled" click OK.
Step 6: The change takes effect automatically the next time the CA refresh process runs (every twelve hours). To apply the change immediately, enter tell ca refresh at the server console. Use tell ca status to confirm that the certifier has been added to the list; below, North is once again listed as active:
Note: Administrators can also repeat the CA migration process to enable a certifier; however, this creates a new ICL database.
Revoking a Certificate
Introduction
A CA administrator can easily revoke an Internet certificate if the subject of the certificate leaves the organization, or if the key has been compromised. After a certificate is revoked, it can never again be trusted. After revoking a certificate, especially if a key has been compromised, issue a non-regular CRL so that any entity checking CRLs has the most up-to-date revocation information.
Revoking certificates
To revoke a certificate:
Step 1: From the Domino Administrator, select the Files tab.
Step 2: Open the ICL directory.
Step 3: From the list of ICL databases, open the ICL for the certifier that issued the certificate to revoke.
Step 4: Select the Issued Certificates\By Subject Name view.
Step 5: Open the Issued Certificate document for the certificate to be revoked. The document name is the same as the subject name. In this case we will be revoking the certificate for Test User/DominoSix:
In the Revocation Reason dialog box, select the reason for revoking the certificate, and click OK:
Step 10: In the Administration Process database (admin4.nsf) under Requests >> All Requests by Server, the document called Remove Certificate from Domino or LDAP Directory indicates the certificate has been removed:
Step 11: In the Administration Process database under Certification Authority Requests >> Revocation Requests there is a RevocationCAAccepted document for each revoked certifier:
Note: Even publishing the non-regular CRL does not guarantee immediate revocation, because CRL users may continue to use cached copies of a CRL until it expires. It is important that administrators set a reasonable schedule for publication and expiration of CRLs. By default, Domino publishes a CRL on a daily basis, and each CRL has a lifetime of two days. Decreasing these intervals allows for more immediate revocation, at the cost of increased network and directory load as CRL caches are refreshed more often.
Removing certifiers
Step 1: At the server console issue the command tell ca quit.
Step 2: In the Administration client select the Configuration tab. Select Certificates >> Certificates and open the certifier certificate to be removed. On the CA Configuration tab set Process Enabled to No. (Optional) Delete the CFG attachment from the certifier document.
Step 3: From the Administration Client, select the Files tab and open the ICL folder. Remove the corresponding ICL database by right-clicking the file name and selecting Delete database.
Step 4: On the Files tab, right-click the Certificate Requests database and select Delete database. Note: To confirm that this is the correct database, open the database and select the Database Configuration view. The common name of the certifier is in the Supported CA field:
Step 5: To confirm the certifier has been removed from the CA process, issue the command tell ca stat from the Domino server console. The certifier will not be present in the list.
Administration Tips
Introduction
This section describes general tips for CA process administrators.
Modifying certifiers
There are two ways to modify a certifier. Both can only be done by a CAA:
- Via the certifier document. The only modification that can take place this way is to the CAA and RA fields.
- Via the Administration client using Modify Certifier. Administrators can perform any modification using this method.
General tips
- Certificate requests in admin4.nsf can be marked not to be deleted. Administrators may want to periodically archive those documents.
- When using the web client, the passwords for the tell ca unlock and tell ca activate commands are transmitted in plain text, so make sure that all such communication is over SSL.
- For the error "Cannot locate user certificate. Make sure server contains your certificate for encryption" during creating, migrating or modifying a certifier, check the Notes client Location document. The Mail file location should be Server, not Local.
Notes.ini settings
CA_REQUEST_POLL_INTERVAL=<number of seconds>. Default: 10 seconds. The time waited before processing certificate requests, revocation requests, and certifier modification requests.
CRL_REQUEST_POLL_INTERVAL=<number of seconds>. Default: 300 (5 minutes). The time between the scheduled running of the CRL push and issue operations.
CA_UPDATE_INTERVAL=<number of hours>. Default: 12. Applies only to Notes certifiers, which keep track of the latest certificate tables for that certifier; these may include recovery information that can change.
Server ID
Encrypting with the Server ID is the simplest form of protection, but also the least secure. There are no additional actions needed to activate or unlock the certifier. This is the option used earlier in this document.
Password to activate
Step 1: Check the Require password to activate option and enter a password for the certifier:
The newly migrated certifier will be listed, however, it will not be active:
Use the command tell ca activate [ 3 ] password to activate the certifier. Tell ca status shows that the certifier is active:
Note: Encrypting a certifier ID with the password-protected Server ID option protects only that certifier. With a Locking ID, multiple certifiers can be protected.
Choose the user id to use to lock the certifier and click OK:
Step 3: The user's ID appears next to the Locking ID button:
Step 4: Switch to the server console and enter:
tell adminp process all
tell ca refresh
tell ca status
to the file:
Note: With the Locking ID, all of the certifiers that were locked with that ID will activate all at once.
Step 1: From the Administration client, click Modify Certifier in the Tools bar.
Step 2: Choose the Issued Certificate List (ICL) database radio button and then click Select:
Open the directory holding the ICL databases. Choose the ICL database for the certifier to be changed:
Once the database has been selected, the file name will show on the Modify Certifier dialog:
Step 6: Change this option to Server ID and click OK.
Step 7: Click Yes at the warning "This process will modify the current certifier information".
Step 8: Click OK on the Success dialog. The change made can be seen in the admin4.nsf Requests >> All Requests by Server view:
The next time the server is started the certifier should be activated without requiring a password. This also works with the Require Password to Activate option.
Renaming ICL
To rename the ICL database:
Step 1: Shut down the CA process on the server using the command tell ca quit.
Step 2: In the Administration client, select the Configuration tab, expand the Certificates view and open the Certifier document.
Step 3: Take note of the value in the ICL Path field on the CA Configuration tab. It will be used in later steps:
Note: The ICL Path field is a computed field and cannot be changed directly. Its field type must be changed in the Designer client.
Step 4: Close the Certifier document.
Step 5: Launch the Domino Designer client.
Step 6: Open the Domino Directory.
Step 7: Open the form called Server/Certifier and go to the CA Configuration tab.
Step 8: Change the ICL Location field from computed to editable.
Step 9: Save the change and close the Designer client.
Step 10: Switch to the Administration client. Select the Configuration tab and expand the Certificates view.
Step 11: Open the certifier document again.
Step 12: Enter the new name of the database in the ICL Path field.
Step 13: Save and close the document.
Step 14: In an Explorer window, browse to the location of the ICL database. Using the name from the original ICL Path entry, rename the file.
Step 15: Reload the CA process task using the command Load ca. The CA process should initialize the certifier and the process should be complete.
Step 16: In the Designer client, change the ICL Location field from editable back to computed. Restart the Administration client to see the new database name under the Files tab.
Certifier document
The CRL is stored in the Certifier document, in the certificateRevocationList field. This information is not in a readable format, nor is there any tool to annotate or translate it.
ICL database
To see the CRLs that have been processed, navigate to the ICL directory (by default Lotus >> Domino >> data >> icl) and hold down the CTRL and SHIFT keys when opening the ICL database. The view called $CRLView lists all of the CRLs. In the first column a "1" means the CRL was a scheduled CRL, and a "2" indicates a non-regular CRL was issued. The second column has the date and time of the CRL.
Server console
The server console can also be used to view the most recent CRL, using the console command "tell ca CRL info [certifier number] [s/S/n/N]." Assuming that the certifier the CRL was issued for is the second certifier listed by tell ca status, then use "tell ca crl info 2 s" to view the most recent scheduled CRL. The "s" or "S" stands for "scheduled." The output from the console looks like this:
> tell ca crl info 2 s
03/17/2005 01:55:21 PM CA show latest scheduled CRL for CN=North:
03/17/2005 01:55:21 PM Issue Date: 03/16/2005 04:06:27 PM
03/17/2005 01:55:21 PM Next Schedule On or Before: 03/18/2005 04:06:27 PM
Use "tell ca crl info 2 n" to view the most recent non-scheduled CRL. The "n" or "N" stands for "non-scheduled." The output from the console looks like this:
> tell ca crl info 2 n
03/17/2005 01:31:43 PM CA show latest non-scheduled CRL for CN=North:
03/17/2005 01:31:43 PM Issue Date: 03/17/2005 01:26:22 PM
03/17/2005 01:31:43 PM Next Schedule On or Before: 03/18/2005 04:06:27 PM
Console commands
Assuming that the certifier a CRL was issued for is the second certifier listed by tell ca status, then use "tell ca crl info 2 s" to view up to ten revoked certificates from a regularly scheduled CRL. The "s" or "S" stands for "scheduled":
> tell ca crl info 2 s
03/17/2005 01:55:21 PM CA show latest scheduled CRL for CN=North:
03/17/2005 01:55:21 PM Issue Date: 03/16/2005 04:06:27 PM
03/17/2005 01:55:21 PM Next Schedule On or Before: 03/18/2005 04:06:27 PM
03/17/2005 01:55:21 PM 1 Revoked Certificate:
03/17/2005 01:55:21 PM 0. Certificate #: 6d4081b52027b0bcd08e7b53072382e9d2cb9a8a
Use "tell ca crl info 2 n" to view up to ten revoked certificates from a non-regularly scheduled CRL. The "n" or "N" stands for "non-scheduled":
> tell ca crl info 2 n
03/17/2005 01:31:43 PM CA show latest non-scheduled CRL for CN=North:
03/17/2005 01:31:43 PM Issue Date: 03/17/2005 01:26:22 PM
03/17/2005 01:31:43 PM Next Schedule On or Before: 03/18/2005 04:06:27 PM
03/17/2005 01:31:43 PM 2 Revoked Certificate:
03/17/2005 01:31:43 PM 0. Certificate #: 48ed9237a769bff0d14b3742887e2a5563cc240e
03/17/2005 01:31:43 PM 1. Certificate #: 583eb8f6857484e728b14673dbd52ad071506ff2
In the output, the Certificate # is the Serial Number from the Issued Certificate in the ICL database for the user. Note: For information on revoking an Internet certificate, see the Domino Administrator help database.
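As an added example, not part of the IBM document or of Domino itself, the following Python parses the "tell ca crl info" console output shown above into structured fields, looks up a certificate serial (the Certificate # value) in the revoked list, flags when a cached CRL is past its next scheduled issue, and checks the rule from the CRL types section that the CRL lifetime must exceed the issuance interval. The function names, the regular expressions and the sample console text are my own constructions matching the format printed above.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Domino prefixes every console line with a timestamp such as
# "03/17/2005 01:31:43 PM "; the CRL date fields use the same format.
_LINE_PREFIX = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M\s+")
_DATE_FMT = "%m/%d/%Y %I:%M:%S %p"


@dataclass
class CrlInfo:
    certifier: str             # e.g. "CN=North"
    scheduled: bool            # True for a regular (scheduled) CRL
    issue_date: datetime
    next_schedule: datetime    # "Next Schedule On or Before"
    revoked_serials: List[str] = field(default_factory=list)


def parse_crl_info(console_text: str) -> CrlInfo:
    """Parse the output of 'tell ca crl info <n> <s|n>' into a CrlInfo."""
    certifier: Optional[str] = None
    scheduled: Optional[bool] = None
    issue: Optional[datetime] = None
    nxt: Optional[datetime] = None
    declared: Optional[int] = None
    serials: List[str] = []
    for raw in console_text.splitlines():
        line = _LINE_PREFIX.sub("", raw.strip())
        if not line or line.startswith(">"):   # blank line or echoed command
            continue
        if m := re.match(r"CA show latest (scheduled|non-scheduled) CRL for (.+):$", line):
            scheduled, certifier = (m.group(1) == "scheduled"), m.group(2)
        elif m := re.match(r"Issue Date: (.+)$", line):
            issue = datetime.strptime(m.group(1), _DATE_FMT)
        elif m := re.match(r"Next Schedule On or Before: (.+)$", line):
            nxt = datetime.strptime(m.group(1), _DATE_FMT)
        elif m := re.match(r"(\d+) Revoked Certificate", line):
            declared = int(m.group(1))
        elif m := re.match(r"\d+\. Certificate #: ([0-9A-Fa-f]+)$", line):
            serials.append(m.group(1).lower())   # Certificate # is the serial
    if certifier is None or scheduled is None or issue is None or nxt is None:
        raise ValueError("incomplete 'tell ca crl info' output")
    # The console lists at most ten entries, so a declared count above the
    # listing only means truncation; a count below it means corrupt output.
    if declared is not None and declared < len(serials):
        raise ValueError("revoked-certificate count is below the listed entries")
    return CrlInfo(certifier, scheduled, issue, nxt, serials)


def is_revoked(info: CrlInfo, serial: str) -> bool:
    """True if the certificate serial (hex, any case) appears in this CRL."""
    return serial.strip().lower() in info.revoked_serials


def is_stale(info: CrlInfo, now: datetime) -> bool:
    """True once the next scheduled CRL should already have been issued, so a
    cached copy of this one may be missing newer revocations."""
    return now > info.next_schedule


def schedule_is_sound(issue_interval_hours: float, lifetime_hours: float) -> bool:
    """The CRL lifetime must exceed the issuance interval, otherwise the CRL
    expires before its replacement exists (Domino default: 24 h and 48 h)."""
    return lifetime_hours > issue_interval_hours


# Constructed sample in the console format shown above; the serials are the
# ones quoted in the document, not certificates from any real system.
SAMPLE_NON_SCHEDULED = """\
> tell ca crl info 2 n
03/17/2005 01:31:43 PM CA show latest non-scheduled CRL for CN=North:
03/17/2005 01:31:43 PM Issue Date: 03/17/2005 01:26:22 PM
03/17/2005 01:31:43 PM Next Schedule On or Before: 03/18/2005 04:06:27 PM
03/17/2005 01:31:43 PM 2 Revoked Certificate:
03/17/2005 01:31:43 PM 0. Certificate #: 48ed9237a769bff0d14b3742887e2a5563cc240e
03/17/2005 01:31:43 PM 1. Certificate #: 583eb8f6857484e728b14673dbd52ad071506ff2
"""
```

Calling parse_crl_info(SAMPLE_NON_SCHEDULED) yields a CrlInfo for CN=North with two revoked serials; feeding it captured output from your own server works the same way as long as the console timestamp format matches.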
Step 1: From the Domino Administrator client, select the Miscellaneous tab and click Create a local copy of the certifier ID:
Step 2: Click Set ID File to specify the certifier ID file name and enter the password:
Step 3: Click OK.
Step 4: A copy of the certifier ID is saved to the default path \notes\data\ids\certs\cert.id, but administrators can select a different path. Use this local copy of the certifier ID as a backup to re-create the certifier if it becomes corrupted.
Recovering a Certifier
Introduction
In certain circumstances, Administrators may need to recover a certifier.
Recovering a Certifier
To recover a certifier:
Step 1: From the Administrator client, select the Configuration tab.
Step 2: In the Tools pane, choose Certification >> Modify Certifier.
Step 3: Select the CA server from the list, and click OK.
Step 4: Select the certifier to recover by doing one of the following: select the certifier document from the Domino Directory, or select the certifier ICL database.
Administrators may be prompted for the certifier ID and password. Enter the path and filename for the local copy of the ID created when the certifier was first set up, and click OK. Note: The prompt for the certifier ID occurs only if the certifier determines that it cannot proceed without it.
Note: If the certifier is still having problems -- for example, configuration documents are corrupted or missing -- replace the ICL database with the back up copy. The location of the ICL database is specified in the certifier document.
This product support page offers the latest troubleshooting resources, patches, product Flashes, and other important content specific to Lotus Domino. http://www.ibm.com/software/lotus/support/domino/support.html
developerWorks: Lotus
This page offers IBM's technical resources for Lotus Domino developers, such as articles. developerWorks: Lotus http://www.ibm.com/developerworks/lotus Notes and Domino http://www.ibm.com/developerworks/lotus/products/notesdomino
The Notes/Domino 6 discussion forum is an excellent source of information regarding Notes and Domino issues. The questions and answers posted by your peers can be quite helpful when you are researching an issue, sometimes preventing the need to submit a problem to software support! http://www.lotus.com/ldd/nd6forum.nsf
Product documentation
The documentation web page offers the latest Release Notes, Help files, White Papers, etc. for Lotus Domino. http://www.lotus.com/ldd/notesua.nsf/find/domino