Saturday, September 6, 2008

Set up SSL on Domino Server

From a Domino CA, using a Web browser
1) Make sure you have already created the server key ring file and mapped a drive to the directory that contains it.
2) Open the Server Certificate Admin application -> "Create Certificate Request" and fill in the fields:
Key ring file name
(The name of the server key ring file, including the path to the file)
Log Certificate Request
(*Yes (default) to log the request in the Server Certificate Admin application
*No to not log it)
Method
(Choose "Paste into form on CA's site")
Click "Create Certificate Request" -> enter the password for the server key ring file
-> copy the certificate request to a text file -> click OK
Using a browser (IE)
Open http://server/certreq.nsf -> "Request Server Certificate" -> enter your name, e-mail address, phone number and comments for the CA -> paste the certificate request into the dialog box -> click "Submit Certificate Request" -> then merge the CA certificate into the key ring as a trusted root.
Using the Domino Administrator
Open certsrv.nsf -> "Install Trusted Root Certificate into Key Ring"
Enter the name of the key ring file.
Enter the name that the key ring file will use to identify this certificate. If you leave this field blank, Domino uses the distinguished name of the certificate.
Choose Clipboard -> paste the certificate from the Clipboard
Enter the password of the key ring file.

Merge a server certificate into the key ring file

Open certreq.nsf (in IE) -> "Pick Up Server Certificate" -> paste the pickup ID
Click "Pick Up Signed Certificate"
Open certsrv.nsf -> "Install Certificate into Key Ring" -> enter the key ring file name and password -> choose Clipboard -> paste the certificate into the field -> "Merge Certificate into Key Ring"
-> enter the password -> OK

SSL port configuration


Open Domino Administrator -> Configuration -> Servers -> the server document -> Ports -> Internet Ports
Complete these fields:
SSL key file
(The name of the server key ring file that the server uses)
SSL protocol version
(*V2.0 only to allow only SSL 2.0 connections
*V3.0 handshake to attempt an SSL 3.0 connection. If this fails and the requester detects SSL 2.0, then attempt to connect using SSL 2.0.
*V3.0 only to allow only SSL 3.0 connections.
*V3.0 and V2.0 handshake to attempt an SSL 3.0 connection, but start with an SSL 2.0 handshake, which displays relevant error messages. Makes an SSL 3.0 connection if possible.
*Negotiated (default) to attempt an SSL 3.0 connection. If it fails, the server attempts to use SSL 2.0. Use this setting unless you are having connection problems caused by incompatible protocol versions.
Caveat: SSL 2.0 and SSL 3.0 are both obsolete and were later prohibited by the IETF (RFC 6176 for SSL 2.0, RFC 7568 for SSL 3.0). Any setting that still permits SSL 2.0, including the default "Negotiated", lets a client talk the weaker protocol; where the server supports TLS, disable both SSL versions and rely on TLS.)
Accept SSL site certificates
(*Yes to allow this server to accept a site certificate and use SSL to access an Internet server, even if the Domino server does not have a certificate in common with that Internet server.
*No to not allow this server to accept site certificates.)
Accept expired SSL certificates
(*Yes to allow clients to access the server even if the client certificate is expired.
*No to not allow clients to access the server with expired client certificates. Choose No unless you have a specific reason: an expired certificate is one the CA no longer vouches for, so accepting it weakens client authentication.)
SSL port number
(Enter the port number on which Domino listens for SSL requests. You configure this here regardless of whether you are using Internet Sites or the Web configurations view.)
SSL port status
(Choose Enable to allow SSL connections on the port. You configure this here regardless of whether you are using Internet Sites or the Web configurations view.
Note: Since a Domino server can be either an SMTP server or an SMTP client, you have two choices for the SSL port status field. To set up a Domino server as an SSL-enabled SMTP server, choose Enable in the SMTP inbound field.)
Client certificate
(*No to not use client authentication
*Yes to use client authentication
Note: SMTP and IIOP do not support client authentication)
Name & password
(*No to not use name-and-password authentication
*Yes to use name-and-password authentication)
Anonymous
(*Yes to allow anonymous access. You must choose Yes if you want users to connect using server authentication only.
*No to prevent anonymous access
If you choose Yes for both Anonymous and Client certificate, Domino first tries to authenticate the client with its certificate. If that fails, Domino connects the user anonymously.
If you choose Yes for Anonymous, Client certificate and Name & password, Domino first tries to authenticate the client using the client certificate. If that fails, Domino tries name-and-password authentication. If that fails, Domino connects the user anonymously.
LDAP must be configured to allow SSL connections in order to do name lookups.
IMAP, POP3 and SMTP do not support anonymous access.)
Redirect to SSL
Select "Redirect to SSL" in the TCP/IP port status field.
Individual database
Select the database for which you want to force clients to use SSL -> open Database Properties ->
select "Web access: Require SSL connection".
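After the port settings above are saved, it is worth verifying from outside the server what the SSL port actually accepts: which protocol versions negotiate, how long the server certificate is still valid, and whether the plain TCP/IP port really redirects to SSL. The script below is an added example, not code from the original post or from Domino; it uses only the Python 3.7+ standard library. The host name, port numbers and the CA file name are assumptions to replace with your own (the CA file is the Domino CA root you merged into the key ring, exported in PEM form). The checks run against whatever listens on the SSL port, so they also work for a non-Domino server.

```python
"""Probe a Domino server's SSL port and its HTTP-to-SSL redirect.

Added example (not from the original page or from Domino). Everything
network-related is wrapped in functions; the pure helpers assess_versions,
days_until_expiry and redirect_ok can be exercised without a server.
"""
import http.client
import socket
import ssl
import time
from urllib.parse import urlsplit

HOST = "domino.example.com"        # hypothetical Domino server
SSL_PORT = 443                     # the "SSL port number" field
HTTP_PORT = 80                     # the TCP/IP port set to "Redirect to SSL"
CA_FILE = "domino_ca_root.pem"     # hypothetical: Domino CA root exported as PEM

MODERN = {"TLSv1.2", "TLSv1.3"}    # protocol names as returned by SSLSocket.version()


def negotiate(host, port, version, cafile, timeout=5):
    """Attempt a handshake pinned to exactly `version` (an ssl.TLSVersion).

    Returns (protocol name, peer certificate dict) on success, or
    (None, reason) when the server rejects that version, the certificate
    fails validation against `cafile`, or the connection fails.
    """
    try:
        ctx = ssl.create_default_context(cafile=cafile)
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.getpeercert()
    except (ssl.SSLError, OSError, ValueError) as exc:
        return None, str(exc)


def assess_versions(accepted):
    """`accepted` is the set of protocol names the server negotiated.

    Returns a list of findings; an empty list means only TLS 1.2/1.3 are in use.
    SSL 2.0/3.0 cannot be tried from a current OpenSSL build at all, so the
    server-side setting is the only place they get disabled.
    """
    findings = []
    for name in sorted(accepted):
        if name not in MODERN:
            findings.append("accepts obsolete " + name)
    if not (accepted & MODERN):
        findings.append("no TLS 1.2 or 1.3 support")
    return findings


def days_until_expiry(not_after, now=None):
    """Days left on a certificate; negative once it has expired.

    `not_after` is the notAfter string from getpeercert(),
    e.g. 'Sep  6 00:00:00 2008 GMT'.
    """
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400.0


def redirect_ok(status, location, host):
    """True when the plain-HTTP answer is a redirect to https:// on the same host."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    parts = urlsplit(location)
    return parts.scheme == "https" and parts.hostname == host


def check_redirect(host, port=HTTP_PORT, timeout=5):
    """Fetch / over plain HTTP and confirm "Redirect to SSL" is in effect."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return redirect_ok(resp.status, resp.getheader("Location"), host)
    finally:
        conn.close()


if __name__ == "__main__":
    accepted, cert = set(), None
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        proto, info = negotiate(HOST, SSL_PORT, version, CA_FILE)
        print("%-8s %s" % (version.name, proto or "rejected: " + info))
        if proto:
            accepted.add(proto)
            cert = info
    for finding in assess_versions(accepted):
        print("WARNING:", finding)
    if cert:
        left = days_until_expiry(cert["notAfter"])
        print("certificate notAfter: %s (%.0f days left)" % (cert["notAfter"], left))
        if left < 30:
            print("WARNING: renew the server certificate soon")
    print("HTTP redirects to SSL:", check_redirect(HOST))
```

Because the context validates the server certificate against the Domino CA root, an already-expired certificate shows up as a rejected handshake ("certificate has expired" in the reason) rather than as a negative day count; the day count is there to catch certificates that are about to expire before the renewal step at the end of this post becomes urgent.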
Managing server certificates and certificate requests
View SSL server certificates
Open certsrv.nsf -> "View & Edit Key Rings" -> "Select Key Ring to Display"
Enter the key ring file name (my file is keyfile.kyr) and password
Do one of these:
*To view the server certificate, select a document in the Site Certificates category.
*To view a trusted root certificate, select a document in the Certification Authorities category.
To change the key ring password, click "Change Password", enter the current password and the new password, and click OK.
Make or unmake a CA certificate a trusted root
Open certsrv.nsf -> "View & Edit Key Rings" -> "Select Key Ring to Display"
Enter the key ring file name (my file is keyfile.kyr) and password
Open the certificate you want to change. Select "Trust This Certificate" to make it a trusted root,
or "Do Not Trust This Certificate" to stop trusting it as a root.
View requests for certificates
Open certsrv.nsf -> "View Certificate Request Log" -> open the request document.
Renew expired certificates
