Lotus Domino Administrator 8 Help - Migrating a certifier to the CA process

SECURITY

Migrating a certifier to the CA process
To migrate an existing certifier to the CA process, you set up an Issued Certificate List (ICL) database and configure its certificate duration. In addition, for Internet certifiers, you configure CRL and key usage information for the certificate.

1. From the IBM® Lotus® Domino™ Administrator, click Configuration.

2. On the Tools pane, choose Certification - Migrate Certifier.

3. In Migrate Certifier dialog box, click Select.

4. In the "Chose ID/key ring file" dialog box, select the cert.id of the certifier you want to migrate.

Choose the certifier ID (CERT.ID) and click Select to migrate a IBM® Lotus® Notes® certifier.
Choose the certifier key ring file and click Select to migrate an Internet certifier.

5. The certifier ID's path and filename now appear in the Migrate Certifier dialog box. Enter the password for the certifier ID or key ring file and click OK.

6. If you are migrating a Lotus Notes certifier, complete the procedure "To migrate a Notes certifier." Otherwise, see the procedure "To migrate an Internet certifier."

To migrate a Notes certifier

1. On the Basics tab, complete these fields:

Field Action

Select the server where the certifier will run Select the server on which the migrated certifier will be linked to the CA process. The ICL database for this certifier will also be created on this server. Make sure that the client location document points to this server.

Name of ICL database to be created (Optional) ICLs are created automatically when you create a certifier, and named by default. You can modify the default name (for example: "icl\icl_Acme.nsf" for the Acme certifier).
Note Although you can change the location of the ICL, it is recommended that you use the default directory and path.

2. For "Encrypt Certifier ID with," choose one:

Option Password required Action required

Encrypt ID with Server ID None None

Require password to activate Enter a new password for this certifier If you choose to encrypt the certifier ID with the server ID and password, you need to activate the certifier. Use the tell command:
tell ca activate <password>

Encrypt ID with Lock ID Registered user ID and password If you choose to encrypt the certifier ID with a lock ID, the certifier is locked until you unlock it. Use the tell command:
tell ca unlock <idfile><password>

Note

Encrypting a certifier ID with the password-protected Server ID protects only that certifier. If you use a lock ID, you have the option of using it with multiple certifiers. You then need to lock and unlock those certifiers simultaneously.

3. (Optional) In the Administrators list, enter names of additional CAAs and RAs. The name of the administrator migrating the CA is automatically included in the list as both a CAA and an RA.

4. On the Certificates tab, complete these fields:

Field Action

Certificate duration for EE certificate Enter the default, minimum, and maximum duration, in months, for an end-entity (EE) certificate. An end-entity certificate is granted to servers or end users.

Certificate duration for CA certificate Enter the default, minimum, and maximum duration, in months, for an certificate authority (CA) certificate. A CA certificate is granted to certifiers.

5. Click OK. A message appears saying that you have successfully migrated the certifier.

6. Add the certifier to the CA process.

To migrate an Internet certifier

1. Migrate the key ring file.

2. Complete the Migrate Certifier dialog as described in the procedure "To create an Internet certifier" later in this chapter.

For more information on using CA server commands, see the topic Certificate Authority process tell commands.

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary

Field	Action
Select the server where the certifier will run	Select the server on which the migrated certifier will be linked to the CA process. The ICL database for this certifier will also be created on this server. Make sure that the client location document points to this server.
Name of ICL database to be created	(Optional) ICLs are created automatically when you create a certifier, and named by default. You can modify the default name (for example: "icl\icl_Acme.nsf" for the Acme certifier). Note Although you can change the location of the ICL, it is recommended that you use the default directory and path.

Option	Password required	Action required
Encrypt ID with Server ID	None	None
Require password to activate	Enter a new password for this certifier	If you choose to encrypt the certifier ID with the server ID and password, you need to activate the certifier. Use the tell command: `tell ca activate <password>`
Encrypt ID with Lock ID	Registered user ID and password	If you choose to encrypt the certifier ID with a lock ID, the certifier is locked until you unlock it. Use the tell command: `tell ca unlock <idfile><password>`

Field	Action
Certificate duration for EE certificate	Enter the default, minimum, and maximum duration, in months, for an end-entity (EE) certificate. An end-entity certificate is granted to servers or end users.
Certificate duration for CA certificate	Enter the default, minimum, and maximum duration, in months, for an certificate authority (CA) certificate. A CA certificate is granted to certifiers.