Tuesday, September 2, 2008

Setting up Lotus CA

Migrate a certifier to the CA process
Load the CA process on the server first.
1) Open Domino Administrator
2) Click Configuration->Tools->Certification->Migrate Certifier
Select the certifier ID. Click OK
Basics Tab

Select the server on which this certifier will be linked to the CA process
(Select the server on which the migrated certifier will be linked to the CA process. The ICL database for this certifier will also be created on this server. Make sure that the client location document points to this server)
Name of ICL database to be created
(This is the file under which the ICL database will be stored)
Encrypt Certifier
Locking ID
(If you choose to encrypt the certifier ID with a lock ID, the certifier is locked until you unlock it. Use "tell ca unlock")
Server ID
(If you choose to encrypt the certifier ID with the server ID and password, you need to activate the certifier. Use "tell ca activate *")
On the Certificates tab, the default settings are OK.
Click OK.

Create an internet certifier

1) Open Domino Administrator
2) Click Configuration->Tools->Registration->Internet Certifier
Select "I want to register a new internet certifier that use ..."
Click "Create the certifier name"
Fill in the proper information:
Common name
Organization unit
Organization
City or Location
State or province
Country
Select the server on which the CA process is running
Select server ID
Click Add ..
Grant administrator rights to the selected ID.

Certificates Tab
Include CRL distribution point extension
(Enables an attribute that identifies the location of the certifier's CRL. It is recommended that you use this option so that you can revoke certificates after they are issued. This is enabled by default)
Backdate Certificate Validity
(The certificate validity period is the time interval during which the CA warrants that it will maintain information about the status of the certificate. In the event that the date on which the certificate becomes valid is different from the date on which it is created, you can choose to backdate the certificate's validity period. This option is enabled by default. You cannot enter a date)
Certificate duration
(Enter the default, minimum, and maximum certificate duration in months)
Key usage
(Choose the key usage extension for this certificate)
Misc (Miscellaneous)
Create a local copy of the certifier ID
Specify the certifier ID file name and password.
Click OK. A copy of the certifier ID is saved to the default path
(..\notes\data\ides\cert\cert.id default path)
Certificate Revocation List information
Duration of CRL (in days)
(Enter the length of time, in days, for which a given CRL is valid. It is recommended that this period extend beyond the time between issued CRLs, as this ensures that a valid CRL is always available)
Time between CRLs (in days)
(Enter the time interval, in days, between issued CRLs)
Key and certificate
Signing algorithm
(Select the algorithm used to generate the certificate's signature)
Key length
(Enter the key length to use for encryption. This setting determines the number of bits needed to represent any of the possible values of a cryptographic key. The longer the key, the more difficult it is to decrypt encrypted text.)
Certifier PKIX Alternative Name(s)
The default is OK
Click OK
A new CA is created.

Create the Certificate Requests database
File->Application->New (Ctrl+N)
Select the server->enter the file name (I use certreq.nsf)
Choose the Certificate Request (8) template (CertREQ.NSF)
Click OK; the file certreq.nsf is created now.
Close the About document; certreq.nsf is opened now.
Fill in the proper information
The default options are OK
For more information you can use the help file.
Supported CA
(Do the following:
1. In the Server field, enter the name of the server that hosts the internet certifier
2. In the Certifier field, enter the name of the internet certifier to associate with the Certificate Request database)
Supported certificate types
(Choose one:
*Client certificates only--Select this option if the certifier will issue client Internet certificates. Do not select this option if you want to create a server key ring for SSL. If you select this option, you must customize client requests.
*Server certificates only--Select this if the certifier will issue server Internet certificates. If you select this option, you must customize server requests.
*Both client and server certificates--Select this if the certifier will issue both client and server Internet certificates. If you select this option, then you need to customize both server and client requests.)
In the Client Request Customization section
(Validity period
Enter the number of years that client requests generated with this database will specify as a validity period, beginning at the time of request submission. Default is 1 year.
Key usages
Choose the default key usage that will be submitted in client certificate requests generated from this database. Default settings are Key Encipherment and Digital Signature, which are sufficient for a client S/MIME certificate.
Extended key usages
Choose the default extended key usage that will be submitted in client certificate requests generated from this database. Default settings are Client Authentication and Email Protection.)
In the Server Request Customization section
(Validity period
Enter the number of years that server requests generated with this database will specify as a validity period, beginning at the time of request submission. Default is 1 year.
Key usages
Choose the default key usage that will be submitted in server certificate requests generated from this database. Default settings are Key Encipherment and Digital Signature, which are sufficient for an SSL server certificate.)
Extended key usages
(The default extended key usage that will be submitted in server certificate requests generated from this database. Default is Server Authentication)
Process Method
(*Manual (Default)--Choose this if you want an administrator to review requests submitted to the Certificate Request database and approve or deny each request individually before it is submitted to the Administration Requests database (admin4.nsf) for further processing.
*Automatic--Choose this to have requests submitted to the Administration Requests database processed without administrator intervention. Requests will be approved or denied according to the certificate policy. If this method is chosen, the "Automatic Transfer Server" field appears, in which you need to specify the server running the administration process and to which certificate requests will automatically be transferred)
Mail notification
(Yes (Default)--Choose this if you want the requester to be notified by e-mail when a certificate request has been processed by the CA.
No--Choose this if you do not want the requester to be notified by e-mail when a certificate request has been processed by the CA.)
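A quick checker for the settings described above (the CRL duration/interval recommendation from the certifier's Certificates tab, and the request database's certificate type, customization and process method rules), written as an added example; it is not code from the original post or from Domino, and CertReqConfig and its field names are assumed labels for the dialog fields:

```python
# Added example (not from the original post or from Domino): sanity-check the
# CA / certreq.nsf settings described above. CertReqConfig and its field
# names are assumed labels for the dialog fields; the rules are the ones the
# text states.
from dataclasses import dataclass
from typing import List


@dataclass
class CertReqConfig:
    supported_types: str          # "client", "server" or "both"
    process_method: str           # "manual" or "automatic"
    transfer_server: str = ""     # "Automatic Transfer Server" field
    client_customized: bool = False
    server_customized: bool = False
    crl_duration_days: int = 0    # "Duration of CRL (in days)"
    crl_interval_days: int = 0    # "Time between CRLs (in days)"


def crl_gap_days(duration_days: int, interval_days: int) -> int:
    """Days per cycle during which the last CRL has expired but the next
    one has not been issued yet; 0 when duration >= interval."""
    return max(0, interval_days - duration_days)


def check_config(cfg: CertReqConfig) -> List[str]:
    """Return the list of configuration problems (empty when all is well)."""
    problems = []
    if cfg.supported_types in ("client", "both") and not cfg.client_customized:
        problems.append("client requests must be customized")
    if cfg.supported_types in ("server", "both") and not cfg.server_customized:
        problems.append("server requests must be customized")
    if cfg.process_method == "automatic" and not cfg.transfer_server:
        problems.append("automatic processing needs an Automatic Transfer Server")
    gap = crl_gap_days(cfg.crl_duration_days, cfg.crl_interval_days)
    if gap:
        problems.append(f"CRL expires {gap} day(s) before the next one is issued")
    return problems


# Constructed samples: an SSL-only request database whose CRL is valid for
# 7 days but reissued only every 10 days, with automatic processing and no
# transfer server; and a corrected manual configuration.
SAMPLE_BAD = CertReqConfig("server", "automatic",
                           crl_duration_days=7, crl_interval_days=10)
SAMPLE_OK = CertReqConfig("server", "manual", server_customized=True,
                          crl_duration_days=14, crl_interval_days=10)

if __name__ == "__main__":
    for name, cfg in (("bad", SAMPLE_BAD), ("ok", SAMPLE_OK)):
        print(name, check_config(cfg) or "no problems")
```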

Setting up SSL on a server-based CA server

1. Create an internet certifier
2. Create the certificate requests application
3. Create a server key ring file
Open certreq.nsf->Domino Key Ring Management->Create Key Ring
Fill in the proper information on the tab.
Click "Create..."
Verify the information in the "Merge Trusted Root Certificate Confirmation" dialog box and click OK
When the "Certificate received into key ring and designated as trusted root" dialog appears, confirm the information and click OK
When the "Certificate Request Successfully submitted for Key ring" dialog appears, click OK.

Transfer the certificate request to the Administration Requests database
Open the Pending/Submitted Requests view. If the request doesn't appear, press F9 to refresh the view.
Click "Submit Selected Requests"
A dialog box "Submit 1 request(s) to Administration process" is displayed
Open the Administration Requests database (admin4.nsf)->Certification Authority Requests/Certificate Requests view and find the new request->open the request and verify the information in it->Edit->Approve Request->press F9 until the request status changes to "Issued"
Open certreq.nsf->Pending/Submitted Certificates->Pull Selected Request(s)->Cross ...
Open the administrator's mail->copy "Use your certificate pickup ID:" to a txt file
Open certreq.nsf->Issued/Rejected Certificates and copy the Request "ID: " to the txt file
->Domino Key Ring Management->Pickup Key Ring Certificate
Input the file name and password of the key ring. Paste the pickup ID.
->Pickup Certificate
Copy keyfile.kyr & keyfile.sth to the Domino server's data directory
Note: on Unix, use the Notes install user ID to download/copy the files.
Configure the SSL port
Open Domino Administrator->Ports->Internet Ports->enter the name of the new key ring file->Enable "SSL port status"->Save
Restart the HTTP service.

To modify a certifier through the ICL
Open Domino Administrator->Tools->Certification->Modify Certifier
1) Select the server that hosts the CA you want to modify.
2) Select the certifier by doing one of the following:
*Select the certifier document from the Domino Directory.
*Select the certifier ICL database
Note: if the certifier is protected with a lock ID, you must unlock it in order to modify it.
3) Modify the certifier as needed on the Certificates tab.
Click OK
Refresh the CA.

Revoke a certificate

1) Open Domino Administrator->Files->ICL directory->select the certifier that issued the certificate you need to revoke.
2) Open the Issued Certificates\By Subject view
3) Open the certificate you need to revoke->click "Revoke Certificate"
4) Select the revocation reason.
5) The next time the CA refreshes, the certificate document will be updated.

Back up a certifier

Copy the ICL database to a safe place.

Recover a certifier

Configuration->Tools->Certification->Modify Certifier->select the server that hosts the CA->select the certifier to recover by doing one of the following:
*Select the certifier document from the Domino Directory.
*Select the certifier ICL database
Input the Cert ID and the password of the Cert ID->Confirm->OK

Disable a certifier

Domino Administrator->Certification->select the certifier->open the certifier->edit the certifier->CA Configuration->Process enabled: No->Save
