Lotus Domino Administrator 8 Help - Creating the Certificate Requests database

SECURITY

Creating the Certificate Requests database
Each Internet certifier you create requires a Certificate Requests database (CERTREQ.NSF) to manage the server keyring file and allow users to request client certificates from the browser or through email. This database stores active certificate and revocation requests that have been submitted to the Administration Process for processing. Using a browser-based interface, servers and clients request certificates and pick up issued certificates.

You can store Certificate Requests databases on any server in the domain, including servers that reside outside of a network firewall.

For more information on using the Certificate Requests database to process certificate requests, see the topic SSL and S/MIME for clients.

To create the Certificate Requests database

1. Choose File - Database - New and select the server to store the Certificate Requests database.

2. Enter the database title and file name -- for example: Certificate Requests and certreq.nsf.

3. Choose the Certificate Requests (R6) template (CERTREQ.NTF).

4. Click OK. When the Certificate Requests database has been created, it will open and the "About..." document will appear.

5. Close the "About..." document, and the Database Configuration form will appear.

6. In the Database Administration section, complete these fields:

Field Action

Supported CA Do the following:

In the Server field, enter the name of the server that hosts the Internet certifier.
In the Certifier field, enter the name of the Internet certifier to associate with the Certificate Request database.

Supported certificate types Choose one:

Client certificates only -- Select this option if the certifier will issue client Internet certificates. Do not select this option if you want to create a server key ring for SSL. If you select this option, you must customize client requests.
Server certificates only -- Select this if the certifier will issue server Internet certificates. If you select this option, you must customize server requests.
Both client and server certificates -- Select this if the certifier will issue both client and server Internet certificates. If you select this option, then you need to customize both server and client requests.

7. (Optional) In the Client Request Customization section, complete these fields:

Field Action

Validity period Enter the number of years that client requests generated with this database will specify as a validity period, beginning at the time of request submission. Default is 1 year.

Key usages Choose the default key usage that will be submitted in client certificate requests generated from this database. Default settings are Key Encipherment and Digital Signature, which are sufficient for a client S/MIME certificate.

Extended key usages Choose the default extended key usage that will be submitted in client certificate requests generated from this database. Default settings are Client Authentication and Email Protection.

8. (Optional) In the Server Request Customization section, complete these fields:

Field Action

Validity period Enter the number of years that server requests generated with this database will specify as a validity period, beginning at the time of request submission. Default is 1 year.

Key usages Choose the default key usage that will be submitted in server certificate requests generated from this database. Default settings are Key Encipherment and Digital Signature, which are sufficient for an SSL server certificate.

Extended key usages The default extended key usage that will be submitted in server certificate requests generated from this database. Default is Server Authentication.

9. For "Processing method," choose the method by which requests are submitted to the Administration Process:

Manual (default) -- Choose this if you want an administrator to review requests submitted to the Certificate Requests to approve or deny each request individually before it is submitted to the Administration Request database (admin4.nsf) for further processing.
Automatic -- Choose this to have requests submitted to the Administration Request database processed without administrator intervention. Requests will be approved or denied according to the certificate policy. If this method is chose, the "Automatic Transfer Server field appears, in which you need to specify the server running the administration process and to which certificate requests will automatically be transferred.

Note

If the Automatic method is chosen, the administrator (signer of the agent) must be listed in the group of users who can run unrestricted methods and operations on the server. This can be set on the Security tab in the Server document. There must also be a replica of the Certificate Requests database on the specified transfer server.

10. For "Mail notification," choose whether or not to send e-mail notification when a certificate request has been processed by the CA.

Yes (default) -- Choose this if you want the requester to be notified by e-mail when a certificate request has been processed by the CA.
No -- Choose this if you do not want the requester to be notified by e-mail when a certificate request has been processed by the CA.

11. Click Save & Close.

See also

To create an Internet certifier

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary

Field	Action
Supported CA	Do the following: In the Server field, enter the name of the server that hosts the Internet certifier. In the Certifier field, enter the name of the Internet certifier to associate with the Certificate Request database.
Supported certificate types	Choose one: Client certificates only -- Select this option if the certifier will issue client Internet certificates. Do not select this option if you want to create a server key ring for SSL. If you select this option, you must customize client requests. Server certificates only -- Select this if the certifier will issue server Internet certificates. If you select this option, you must customize server requests. Both client and server certificates -- Select this if the certifier will issue both client and server Internet certificates. If you select this option, then you need to customize both server and client requests.

Field	Action
Validity period	Enter the number of years that client requests generated with this database will specify as a validity period, beginning at the time of request submission. Default is 1 year.
Key usages	Choose the default key usage that will be submitted in client certificate requests generated from this database. Default settings are Key Encipherment and Digital Signature, which are sufficient for a client S/MIME certificate.
Extended key usages	Choose the default extended key usage that will be submitted in client certificate requests generated from this database. Default settings are Client Authentication and Email Protection.