SECURITY


Migrating a certifier to the CA process
To migrate an existing certifier to the CA process, you set up an Issued Certificate List (ICL) database and configure its certificate duration. In addition, for Internet certifiers, you configure CRL and key usage information for the certificate.

1. From the IBM® Lotus® Domino™ Administrator, click Configuration.

2. On the Tools pane, choose Certification - Migrate Certifier.

3. In the Migrate Certifier dialog box, click Select.

4. In the "Choose ID/key ring file" dialog box, select the cert.id of the certifier you want to migrate.

5. The certifier ID's path and filename now appear in the Migrate Certifier dialog box. Enter the password for the certifier ID or key ring file and click OK.

6. If you are migrating a Lotus Notes certifier, complete the procedure "To migrate a Notes certifier." Otherwise, see the procedure "To migrate an Internet certifier."

To migrate a Notes certifier

1. On the Basics tab, complete these fields:

| Field | Action |
|---|---|
| Select the server where the certifier will run | Select the server on which the migrated certifier will be linked to the CA process. The ICL database for this certifier will also be created on this server. Make sure that the client location document points to this server. |
| Name of ICL database to be created | (Optional) ICLs are created automatically when you create a certifier, and named by default. You can modify the default name (for example: "icl\icl_Acme.nsf" for the Acme certifier). |

Note: Although you can change the location of the ICL, it is recommended that you use the default directory and path.

2. For "Encrypt Certifier ID with," choose one:

| Option | Password required | Action required |
|---|---|---|
| Encrypt ID with Server ID | None | None |
| Require password to activate | Enter a new password for this certifier | If you choose to encrypt the certifier ID with the server ID and password, you need to activate the certifier. Use the tell command: tell ca activate <password> |
| Encrypt ID with Lock ID | Registered user ID and password | If you choose to encrypt the certifier ID with a lock ID, the certifier is locked until you unlock it. Use the tell command: tell ca unlock <idfile> <password> |


3. (Optional) In the Administrators list, enter names of additional CAAs and RAs. The name of the administrator migrating the CA is automatically included in the list as both a CAA and an RA.

4. On the Certificates tab, complete these fields:

| Field | Action |
|---|---|
| Certificate duration for EE certificate | Enter the default, minimum, and maximum duration, in months, for an end-entity (EE) certificate. An end-entity certificate is granted to servers or end users. |
| Certificate duration for CA certificate | Enter the default, minimum, and maximum duration, in months, for a certificate authority (CA) certificate. A CA certificate is granted to certifiers. |

5. Click OK. A message appears saying that you have successfully migrated the certifier.

6. Add the certifier to the CA process.

To migrate an Internet certifier

1. Migrate the key ring file.

2. Complete the Migrate Certifier dialog as described in the procedure "To create an Internet certifier" later in this chapter.

For more information on using CA server commands, see the topic Certificate Authority process tell commands.
