SECURITY


Creating a certifier for a server-based CA
You can create additional IBM® Lotus® Notes® and Internet certifiers for your organization and configure them to use the CA process.

To create a Notes certifier

Lotus Notes certifiers are created first, and then migrated to the CA process.

1. Register an additional organization certifier or organizational-unit certifier.

2. Migrate the certifier to the CA process.

To create an Internet certifier

Internet certifiers are created and registered using the CA process.

1. From the IBM® Lotus® Domino™ Administrator, click Configuration.

2. On the Tools pane, select Registration - Internet Certifier.

3. In the Register Internet Certifier dialog box, select "I want to register a new Internet certifier that uses the CA process."

4. In the Register a New Internet Certifier dialog box, click Basics.

5. Create the certifier name. Specify a common name and at least one additional component:

6. Choose the server on which the CA process is running. This is the same server on which the ICL database will be created.

7. (Optional) Modify the default ICL database name (for example: "icl\icl_Acme.nsf").


8. For "Encrypt Certifier ID with," select one:
OptionSecurity levelPassword requiredAction required
Encrypt ID with Server IDLowestNoneNone
Require password to activateMediumServer ID passwordIf you choose to use a password, you need to activate the certifier. Use the tell command:

tell ca activate <password>

Encrypt ID with Lock IDHighestRegistered user ID and passwordIf you choose to encrypt the certifier ID with a lock ID, the certifier is locked until you unlock it. Use the tell command:

tell ca unlock <idfile><password>


9. (Optional) In the Administrators list, enter the names of additional CAAs and RAs. The name of the administrator creating the CA is automatically included in the list as both a CA administrator and an RA administrator.

10. On the Certificates tab, complete these fields:
FieldAction
Include CRL distribution point extensionEnable an attribute that identifies the location of for the certifier CRL. It is recommended that you use this option so that you can revoke certificates after they are issued. This is enabled by default.
Backdate certificate validityThe certificate validity period is the time interval during which the CA warrants that it will maintain information about the status of the certificate. In the event that the date on which the certificate becomes valid is different than the date on which it is created, you can choose to backdate the certificate's validity period. This option is enabled by default. You cannot enter a date.
Certificate durationEnter the default, minimum, and maximum certificate duration in months.
Key usageChoose the key usage extensions for this certificate.
Note The only certificate type you can create is an end -entity certificate, and the option is enabled by default. This means that Internet certificates issued by this certifier apply to users of certificates and/or end-user systems that are subjects of a certificate.

11. Click Miscellaneous, and then click "Create a local copy of the certifier ID." Specify the certifier ID file name and password, and click OK. A copy of the certifier ID is saved to the default path ...\notes\data\ids\certs\cert.id. You can select a different path. Use this local copy of the certifier ID as a backup to re-create the certifier if it become corrupted.

12. Complete these fields to specify Certificate Revocation List information for this certifier:
FieldAction
Duration of CRL (in days)Enter the length of time, in days, for which a given CRL is valid. It is recommended that this time period extend beyond the time period between issued CRLs, as this ensures that the CRL is always valid.
Time between CRLs (in days)Enter the time interval, in days, between issued CRLs.
13. Complete these fields to specify "Key and certifier certificate" information for this certifier:
FieldAction
Signing algorithmSelect the algorithm used to encrypt the certificate's signature.
Key lengthEnter the key length to use for encryption. This setting determines the number of bits needed to be able to represent any of the possible values of a cryptographic key. The longer the key length, the more difficult it is to decrypt encrypted text.
Certificate will expire on(Optional) Change the default certificate expiration date.
14. Complete these fields to specify the Certifier PKIX Alternative Name(s) information for this certifier:


15. Click OK. A message appears saying that you have successfully set up a CA.

16. Complete these procedures:

For more information on certificate authority administrators and registration authorities, see the topic Administering a Domino CA.

See also