SECURITY
Certifiers can also issue trusted root certificates, which allow clients and servers with certificates created by different CAs to communicate with one another.
Note It's important to distinguish between IBM® Lotus® Notes® certifiers and Internet certifiers. When you install and set up the first IBM® Lotus® Domino™ server in a domain, a Lotus Notes certifier is automatically set up to issue Lotus Notes certificates to Lotus Notes clients. These certificates are essential for Lotus Notes clients to authenticate with a Lotus Domino server and for Lotus Domino servers to authenticate one another. Hence Lotus Notes certifiers are important even in an environment with all Web clients. An Internet certifier, such as those discussed here, issues Internet (X.509) certificates, which are required for secure communication over the Internet. You set up Internet certifiers on an as-needed basis.
Choosing the right Internet certifier for your organization
You have several options for setting up an Internet certifier for your organization (for the rest of this topic, all references to certifier mean 'Internet' certifier). You can use a third-party commercial certifier, such as VeriSign, or you can use one of the two types of Lotus Domino Internet certifiers. There are advantages and disadvantages involved with each type of certifier; the choice you make should be determined by business requirements of your organization, as well as the time and resources available for managing the certifier.
Internet certifiers: Domino vs. third-party
It is possible to have both types of certifiers -- CA process and CA key ring -- in a domain. However, you must be careful not to have one certifier that uses both a key ring and the CA process to issue Internet certificates. A CA process-enabled certifier tracks the certificates that it issues in an Issued Certificate List, a database accessible to all servers in a domain. On the other hand, a key-ring-style certifier creates logs on whatever workstation on which it is used, so there is no centralized list of issued certificates (just multiple partial lists). Therefore, any certificates issued using the CA process won't be recognized by a CA key ring, just as any certificates that were created using a CA key ring file won't be recognized by the CA process.
This is a problem for Internet certifiers especially, because it is possible to revoke Internet certificates in server-based certification authorities. To revoke an Internet certificate, however, you must select it in the ICL. If the certificate was initially issued using a key ring, it won't appear in the ICL, so it cannot be revoked.
Therefore, it is strongly advised that you choose one way to operate -- CA process or CA key ring -- for each certifier.
See also