
Creating and using the certificate authority in Lotus Domino 6

Establish a certificate authority in minutes


Skill Level: Intermediate

Pawel Leszek (pawel.leszek@ipgate.pl)
Independent Software Consultant and Author

06 Feb 2003

This tutorial explains how to implement the Public Key Infrastructure (PKI) security technology built into Domino 6. Fully compliant with X.509 and the Public Key Infrastructure X.509 (PKIX) standards, the new technology enables developers to establish a certificate authority (CA) in just minutes. The tutorial explains how to generate and manage X.509 certificates for both Notes and Internet clients.

Section 1. Introduction
Should I take this tutorial?
This tutorial is for advanced Domino administrators who want to use the new Public Key Infrastructure (PKI) features included in Domino R6. It covers essential setup and configuration for using digital certificates with Domino 6. You should be familiar with the following technologies:

- PKI technology, terms, and procedures
- X.509 certificates and PKIX standards
- Domino administration

Creating and using the certificate authority in Lotus Domino 6 Copyright IBM Corporation 2003. All rights reserved.

Trademarks Page 1 of 27

developerWorks

ibm.com/developerWorks

See Resources for referrals to more information on these topics.

What does this tutorial cover?


This tutorial presents the advantages of the new server-based Certificate Authority (CA) implemented in Domino 6, which is based on the new Domino 6 server ca task that manages all certificate-related work. Previous Domino releases offered only a standalone Domino CA application that was limited to X.509 certificates. The server-based CA offers many new features not available in the Domino CA application; they are detailed in Advantages of Domino server-based CA.

This tutorial demonstrates how to use Domino 6 as a base for building your own corporate PKI infrastructure. It discusses CA design issues and gives instructions for configuring and using Domino PKI. It shows how to use the new Domino 6 CA process for all X.509 certification-related tasks, with detailed instructions on how to create certifiers for both Notes and Internet clients. The tutorial begins by explaining the differences between the old-style CA application and the new CA process. It goes on to explain, step by step, how to follow standard CA procedures in Domino 6. Here is a section-by-section breakdown of the tutorial:

- Creating Internet and Notes certifiers
- Using the Domino Directory to automate the distribution of Internet certificates to Notes users
- Issuing certificates for Internet clients with a Web browser
- Reviewing certificate requests
- Revoking certificates that are no longer valid and keeping track of revoked certificates with a Certificate Revocation List (CRL)

Tools
You need to have these applications installed to follow along with the examples in this tutorial:

- Lotus Domino Server 6, Lotus Notes 6 and Domino Administrator 6. Download a free trial version.
- Any Web browser with X.509 certificate support, for instance Mozilla 1.x, Netscape 4.x and above, or Microsoft Internet Explorer 4.x and above.


Make sure that your Domino environment is configured this way:

- The administrator's current location document should at least point to the home server and directory server in the same domain as the CA server.
- The mail file location on the Mail tab of the administrator's location document must point to the server on which the CA process is running.
- CA administrators must have at least Editor access to the master Domino Directory for the domain.
- Administrators must check that the Fully qualified Internet host name field on the Basics tab of the current Server document contains a Fully Qualified Domain Name (FQDN), and modify it only if the default value is wrong. This matters because X.509 certificates identify users and hosts by FQDN (ibm.com and lab1.lotus.net are examples of FQDNs).
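Added example (my own Python, not code from the tutorial or from Domino): a standard-library check for the FQDN requirement above, plus the matching rule a relying party applies when it compares the host name in a server certificate with the name it connected to. The host names are constructed for the example, and the function names is_fqdn and hostname_matches are my own.

```python
import re

# One DNS label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name: str) -> bool:
    """Return True if `name` is a fully qualified DNS host name.

    Accepts names such as ibm.com or lab1.lotus.net; rejects a bare host
    name (lab1), an IP address literal, and malformed labels. A trailing
    dot (absolute DNS form) is tolerated.
    """
    if not name:
        return False
    name = name.rstrip(".")
    if len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2:                      # a bare host name is not fully qualified
        return False
    if not all(_LABEL.match(label) for label in labels):
        return False
    if labels[-1].isdigit():                 # 192.168.0.1 is an address, not a name
        return False
    return True


def hostname_matches(cert_name: str, host: str) -> bool:
    """Relying-party check: does the name in a server certificate cover `host`?

    Comparison is case-insensitive. A single leftmost wildcard label
    (*.lotus.net) matches exactly one label, so it covers lab1.lotus.net but
    neither lotus.net itself nor a.b.lotus.net.
    """
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not is_fqdn(host):
        return False
    if cert_name.startswith("*."):
        suffix = cert_name[1:]               # ".lotus.net"
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
        return "." not in host[: -len(suffix)]
    return cert_name == host


if __name__ == "__main__":
    # Constructed sample values, including two that should fail the FQDN check.
    for value in ("ibm.com", "lab1.lotus.net", "lab1", "192.168.0.1"):
        print(f"{value:16} FQDN: {is_fqdn(value)}")
    print(hostname_matches("*.lotus.net", "lab1.lotus.net"))
```

A server document whose host name field fails is_fqdn will produce certificates that browsers refuse to match against the name they connected to, so the check is worth running before the certifier is ever used.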

Section 2. Server-based CA in Domino 6


Domino server-based CA vs. the Domino CA application
There are two ways to configure Domino 6 for CA. First, you can use the Certificate Authority application that comes with Domino R5 -- the database template cca50.ntf. This is an ordinary database that contains a simple application for requesting and generating certificates. With Domino R6 you can also use the server-based CA -- a Domino server process that maintains all procedures for requesting, issuing, distributing, and revoking X.509 certificates. In the next panel, we'll look at the advantages of using the Domino server-based Certificate Authority.

Advantages of Domino server-based CA


There are many benefits to using the server-based CA:

- It provides a unified mechanism for issuing Notes and Internet certificates.
- It supports the registration authority (RA) role, which you use to delegate the certificate approval/denial process to lower-echelon administrators in the organization.


- It does not require access to the certifier ID and ID password. After you enable certifiers for the CA process, you can assign the registration authority role to administrators, who can then register users and manage certificate requests without having to provide the certifier ID and password.
- It simplifies the Internet certificate request process through a Web-based certificate request database.
- It issues certificate revocation lists, which contain information about revoked or expired Internet certificates.
- It is compliant with the security industry standards for Internet certificates, X.509 and PKIX.

In later sections you will see how to set up the new, server-based CA feature of Domino 6 PKI. Domino CA applications based on the earlier versions still work, but they lack CRL and certificate-revocation support.

Section 3. Setting up certifiers for CA process


Starting the CA process on the server
The heart of the Domino 6 CA infrastructure is a special server task named ca, which manages all CA work. It maintains the assigned Internet and Notes certifiers and issues certificates in cooperation with the Certificate Requests and Administration Requests databases. It also creates and maintains the Issued Certificate Lists (ICLs), which contain information about the certificates issued by each certifier along with that certifier's CRL. This is why starting the ca task is usually the first step in setting up the server-based Domino CA. You will perform most CA administration tasks by issuing server console commands. From the server console you can dynamically load the ca task, or remove it from the server's task list, with these commands:

load ca
tell ca quit

If you want the ca task to start automatically with the Domino server, add ca to the "ServerTasks=" setting of the server's notes.ini file. You can choose which certifiers to enable under the CA process. Of course, you can enable both Internet and Domino certifiers for the CA process, or use the more old-fashioned certifier ID file for Notes clients and the CA process for Internet certifiers only. Because the Domino Process Manager controls the ca task, you can speed up the processing of CA requests by entering the following at the server console:

tell adminp process all
tell ca refresh
tell ca stat

The last command shows whether the changes have been processed. You can get more help by entering load ca -? on the server console.

Creating certifiers for CA process


Once the CA process is running you can begin the real CA configuration. Setting up Domino server-based CA involves the following tasks: Creating/migrating Internet certifiers for the CA process Adding certifiers to the CA process on the server Setting up a Certificate Requests database for each Internet certifier Each certifier also goes into a separate Issued Certificate List (ICL) database, inserted by the ca process along with configuration parameters. ICL databases are named by default and stored in \icl under a server's root directory. (You can modify the default name.)

Creating Internet certifiers


To create one or more Internet certifiers to issue server and client Internet certificates:

1. From the Domino Administrator, click Configuration.
2. On the Tools pane, select Registration=>Internet Certifier.
3. In the Register Internet Certifier dialog box, select "I want to register a new Internet certifier that uses the CA process." That selects the Basics tab, shown in the figure below.
4. Once on the Basics tab, click Create the certifier name and specify the following parameters:
   - Common name (required): the certifier name (the Common Name in the example is LAB)
   - Organizational unit (optional): the name of the certifier's organizational unit
   - Organization (optional): the name of the certifier's organization
   - City or locality (optional): the organization's city
   - State or province (optional): the full name of the state or province in which the organization resides
   - Country (optional): the two-character abbreviation for the country in which the organization resides
5. Choose the server where you want to store the certifier.
6. Click OK to accept all of your settings.

You can modify the default ICL database name (for example, icl\icl_lab.nsf) before you accept the certifier parameters, but that's not recommended.


Migrating Notes certifiers to the CA process


With Domino 6 you can easily create new certifiers, but most Domino developers will start by migrating any existing Domino R5 certifier IDs to the Domino 6 CA process. Here's how to accomplish the migration:

1. From the Domino Administrator, click Configuration.
2. In the Tools pane, choose Certification=>Migrate Certifier.
3. In the Migrate Certifier dialog box, click Select and then, in the Choose ID/key ring file dialog box, select the cert.id of the certifier you want to migrate. The certifier ID's path and filename appear in the dialog box.
4. Enter the password for the selected certifier ID or key ring file and click OK.
5. In the Administrators list, enter the names of additional Certificate Authority Administrators (CAAs) and Registration Authorities (RAs).
6. Fill in the other optional fields on the Certificates tab if necessary for your environment.
7. Add the certifier to the CA process by entering these commands on the server console:

   tell adminp process all
   tell ca refresh

8. Check whether the new certifier has been added by entering this console command:

   tell ca stat

Migrating Internet certifiers


If you want to migrate Internet certifiers generated by the Domino CA application to the server-based CA process (this also applies to any standard CA key ring exported from any CA), follow these steps:

1. From the Domino Administrator, click Configuration.
2. On the Tools pane, select Registration=>Internet Certifier.
3. In the Register Internet Certifier dialog box, select "I have a key ring file I want to register."
4. Complete the Migrate Certifier dialog box as described in steps 3 through 8 of the procedure in Migrating Notes certifiers to the CA process.

Making a backup copy of a new Internet certifier


It's always a good idea to keep a backup copy of your certifiers, and the time to make it is during the certifier's registration. Select the Misc tab and click Create a local copy of the certifier ID. Specify the certifier ID file name and password, and click OK. A copy of the certifier ID is saved to the default path ...\notes\data\ids\certs\cert.id. This copy will be useful for backup purposes.


Securing Internet certifiers


One very important issue is how to secure a newly created certifier. The Basics tab, shown in the previous panel, offers three security options for certifiers:

- Encrypt certifier with Locking ID provides high security but is relatively inconvenient. This kind of encryption requires the appropriate user's ID and password.
- Encrypt certifier with Server ID provides the lowest security and is the most convenient.
- Require password to activate provides medium security, although it is relatively inconvenient.

If you choose to encrypt the certifier with the server ID and password, you need to activate the certifier with this command from the server console:

tell ca activate password


If you encrypt the certifier ID with a locking or selected ID, the certifier is locked when you create it; unlock it with this console command:
tell ca unlock ID file password

Section 4. Additional parameters for Internet certifiers


Setting duration and other parameters for Internet certifiers
There are a few additional critical parameters to set for Internet certifiers, including certificate duration (the default is 2 years, the maximum is 30 years!), key usage, and certificate purposes. These options are especially useful for IPSec-based VPNs with X.509 authentication. The settings will depend upon your local situation. Here's the basic method for setting them:

1. In the Creating Certifier dialog box, select the Certificates tab.
2. Set the certificate duration.
3. Define the key usage as appropriate.
4. Set the certificate purposes, as necessary.
5. Use the option for including additional certificate fields, such as the CRL distribution point, if necessary.
6. Click OK to accept your Certificates settings.

Setting revocation-list parameters for Internet certifiers


All Internet certifiers automatically come with a Certificate Revocation List (CRL), which is stored in the Domino Directory in the certifier's document and also in the certifier's ICL database. When you create the certifier, you can make some decisions about how the list will work to ensure that outdated certificates do not allow any users to access protected network resources. Here's how to specify the settings:

1. From the Creating Certifier dialog box, select the Misc tab.
2. Review the CRL information for the newly generated certificate.
3. Adjust any settings as your situation requires:
   - CRL duration -- the default is two days
   - Time between CRL releases -- the default is one day
   - Signing algorithm -- the default is RSA MD5 with key length 2048, which is the maximum value here.
4. Click OK to accept your miscellaneous settings.

Section 5. Managing certifiers


Adding Internet certifiers to the CA process -- and deactivating them


After you've created an Internet certifier document, you need to add the certifier to the CA process with these server-console commands:
tell adminp process all
tell ca refresh

Then check to see if the new certifier has been added:


tell ca stat

A certifier number is assigned by the CA process during certifier registration. When you issue the tell ca stat command after registering a new certifier, you can see the number assigned to it. If the certifier is password protected, use this command to activate it with its password:

tell ca activate certifier_number password

Use this command to deactivate a certifier:

tell ca deactivate certifier_number

Disabling an Internet certifier


The easiest way to disable a certifier is to turn off CA processing for its certifier document in the Domino Directory, which requires Editor access to the Domino Directory. Full-access administrators and administrators have Domino Directory access by default. Be sure that all CA administrators also have the necessary access for disabling certifiers. Here's how to disable an Internet certifier in that way:

1. From the Domino Administrator, click Configuration and open the Certificates view in the Server pane.
2. Select the certifier document you want to disable and double-click to open it.
3. Click Edit Certifier.
4. On the CA Configuration tab, shown in the figure, select No for Process Enabled to disable the CA process for the certifier.
5. Click Save & Close.

Section 6. Issuing Internet certificates for Notes clients


Storing Internet certificates in a Notes Person document
It is increasingly advantageous for Notes users to have Internet certificates, because they are necessary for encrypting Internet mail (with the S/MIME protocol) and for secure Web communication (using SSL from the Notes browser), two methods of communication that are becoming more and more popular on the Internet. A Notes user ID file can store both Notes and Internet certificates. Notes certificates are always present, but Internet certificates must be issued by Domino administrators for each user. Fortunately, it is possible to automate the issuance of Internet certificates by using the existing public and private keys in the Notes ID file and then adding the resulting certificate to the user's Person document in the Address book. Using the Domino Directory to issue Internet certificates automates their distribution to Notes users. Start by making sure that all Notes users have valid Internet addresses specified in their Person documents. Then add an Internet certificate created with the CA process to the selected users in the Domino Address book:

1. From the Domino Administrator, click People & Groups.
2. Select the names of the users who need Internet certificates.
3. Choose Actions=>Add Internet Cert to Selected People.
4. Select the correct registration server, which appears at the top of the dialog box next to the Server button.
5. Choose the option to use the CA process.
6. Choose the Supply the certifier key ring file and password option instead if you want to use the flat CA's key ring file.
7. In the Add Internet Certificates to Selected Entries dialog box, confirm that the expiration date is valid. Change the date, if necessary.


The effects of issuing Internet certificates in a Person document


A certificate request is created in the Administration Requests database for each selected user. When the CA process handles the request, it creates an "Add Internet Certificate to Person Record" request. When the Administration Requests database replicates with the Domino Directory's administration server, the Administration Process places the certificate in the user's Person document. After the Domino Directory replicates to the user's mail server, the next time the user opens mail or any database on that server, Notes recognizes that there is a certificate in the Domino Directory that is not in the user's ID file and automatically places the Internet certificate in the ID file.


Section 7. Issuing Internet certificates for Internet clients


Creating the Certificate Requests database
The new Domino 6 PKI offers an easy and elegant way to issue Internet certificates for Internet clients, meaning those who use Web browsers. This makes it easy to build a unified corporate PKI environment based on Domino R6. Each Internet certifier you create requires a Certificate Requests database (certific.ntf) to manage certificate requests. This database stores certificate and revocation requests that have been submitted to the Administration Process. You can store Certificate Requests databases on any server in the domain, including servers that reside outside of a network firewall, so a database can serve as an Internet-facing application. Using a Web browser interface, clients can then request certificates and pick up issued certificates. With a Certificate Requests database you can handle requests for both client and server certificates. Here's how to create a Certificate Requests database:

1. Choose File=>Database=>New and select the server where you want to store the Certificate Requests database.
2. Enter the database title and file name (certreq.nsf in the example).
3. Choose the Certificate Requests (R6) template (certreq.ntf).
4. The Certificate Requests database opens when it has been created.
5. Review the configuration document for the new Certificate Requests database. Check the following fields:
   - Server name with CA process running
   - Certifier
   - Supported certificate types (server, client, or both)
6. Review the other fields; most of them are optional, but you may need to fill some in for your local situation.


Managing the Certificate Requests database


You can decide how the Administration Process handles certificate requests. The most obvious method is manual processing: RAs personally review requests submitted to the Certificate Requests database and approve or deny each request individually. You can instead use automatic request processing. With automatic request processing turned on, the Administration Process runs special agents every five minutes to transfer requests between the Certificate Requests database and the administration database -- without the RA's intervention. Requests are approved or denied according to the certificate policy. The last important option to consider for managing your Certificate Requests database is Mail notification. That option lets you decide whether to send an e-mail notification when a certificate request has been processed by the CA.

Submitting certificate requests from a Web browser


The first step to getting a certificate is to submit a certificate request. To test your Certificate Request database, make a request or several yourself from a Web browser or Notes Web client. Enter the URL for the Certificate Request database: http://somewhere.com/certific.nsf.


Processing the certificate requests


Domino CAs and RAs can view information about server and client certificate requests waiting for approval, as shown in the figure below. If you have set up manual request processing, the reviewer opens the Certificate Requests database manually, clicks Pending/Submitted Requests, and then uses the Submit Selected Requests button to transfer requests into the Administration Requests database (admin4.nsf). Even with automatic processing on, a CA or RA must explicitly approve certificate requests in the Administration Requests database. Once this is done, automatic processing moves the approved requests back to the Certificate Requests database every five minutes.


Retrieving request results

There is a second button in the Pending/Submitted Requests view from the previous panel -- Pull Selected Requests -- that retrieves requests that have been addressed by the RAs. With automatic processing turned on, this happens automatically every five minutes. Reviewers can also view certificate requests in the Administration Requests database (admin4.nsf) by selecting Certification Authority Requests=>Certificate Requests. Internet clients that request certificates receive e-mail that includes a pick-up number that can be used for retrieving the assigned certificate. Clients point their Web browsers at the Certificate Requests database (http://www.somewhere/certific.nsf); after entering the pick-up number, the user can install the certificate in the Web browser, as shown below:


Section 8. Revoking certificates and using the certificate


What is CRL?
Domino 6 introduces support for the Certificate Revocation List (CRL), a time-stamped list containing the serial numbers of public-key certificates that have been revoked. CRLs are placed in directories where applications can check the status of certificates before trusting them. CRL and certificate-revocation support are essential for making proper use of X.509 certificates. In Domino 6 each Internet certifier has its own CRL, stored in the certifier's ICL database. A CRL is associated with a certifier and is signed by that certifier. The same CRL is also stored in the Domino Directory, where it is used to assert certificate validity by entities that require certificate authentication. The CA process issues and maintains CRLs for each Internet certifier.


Remember, after a certificate is revoked, it can never again be trusted.

Generating CRL
You configure the CRL when you create a new Internet certifier. You can specify the length of time for which a CRL is valid and the interval between publication of new CRLs. After CRLs are configured, the certifier issues them on a regular basis, and they operate unattended. Using CRLs, you can manage the certificates issued in your organization. HTTP servers and Web browsers check the CRLs to determine whether a given certificate has been revoked and is therefore no longer trusted by the certifier.

Regular and non-regular CRLs


Domino 6 can use two kinds of CRLs: regular and non-regular. With regular CRLs, you configure a duration interval -- the time period for which the CRL is valid -- and the interval at which new CRLs are issued. Each certifier issues a CRL at the specified time, even if no certificates have been revoked since the last CRL was issued. This means that if an administrator revokes a certificate, it appears in the next scheduled CRL issued by the certifier. Of course, when you choose your settings, you should make the CRL duration period greater than the time between CRL issuances; otherwise relying parties would be left with an expired CRL until the next one is published. You can issue a non-regular CRL in the event of a critical security breach, for example, if the certificate administrator leaves the company or if a certificate is compromised. This type of issuance does not affect either the timing or the content of the next scheduled CRL. You use a tell command to issue a non-regular CRL:

tell ca CRL issue certifier_number

This issues a non-regular CRL for a specific certifier, where certifier_number is the number of the certifier shown in the results of the tell ca status command.
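As an added example (my own Python, not code from the tutorial and not Domino's ca task), the model below reproduces the scheduling rules described in this panel together with the CRL duration and release-interval settings from Section 4: regular CRLs are issued on a fixed schedule whether or not anything was revoked, a non-regular CRL can be issued at any moment without moving that schedule, and a duration shorter than the release interval leaves a window with no valid CRL. It also includes the check a relying party performs, which treats a missing or expired CRL as a failure rather than as proof of validity. The certifier name, serial numbers, timestamps and reason codes are constructed for the example; the class and function names are my own.

```python
"""Model of regular and non-regular CRL issuance plus a relying party's
revocation check. Added example: the certifier name, serials, times and
reason codes are constructed; this is not Domino's ca task."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

HOUR = timedelta(hours=1)
DAY = timedelta(days=1)
START = datetime(2003, 2, 6, tzinfo=timezone.utc)   # constructed first-release time


@dataclass(frozen=True)
class RevokedEntry:
    serial: int            # certificate serial number as listed in the CRL
    revoked_at: datetime
    reason: str            # e.g. keyCompromise, cessationOfOperation


@dataclass(frozen=True)
class CRL:
    issuer: str
    this_update: datetime                  # when the certifier signed the list
    next_update: datetime                  # this_update + CRL duration
    revoked: Tuple[RevokedEntry, ...]

    def serials(self) -> set:
        return {e.serial for e in self.revoked}


def coverage_gap(crl_duration: timedelta, release_interval: timedelta) -> timedelta:
    """Time per cycle during which no unexpired CRL exists: zero when the
    duration is at least the release interval (the tutorial's advice)."""
    return max(timedelta(0), release_interval - crl_duration)


class Certifier:
    """An Internet certifier that publishes regular CRLs on a fixed schedule."""

    def __init__(self, name: str, crl_duration: timedelta,
                 release_interval: timedelta, first_release: datetime):
        if coverage_gap(crl_duration, release_interval) > timedelta(0):
            raise ValueError("CRL duration must not be shorter than the release interval")
        self.name = name
        self.crl_duration = crl_duration
        self.release_interval = release_interval
        self.next_scheduled = first_release
        self._revoked: Dict[int, RevokedEntry] = {}
        self.crls: List[CRL] = []

    def revoke(self, serial: int, when: datetime, reason: str) -> None:
        # Recorded at once, but relying parties only learn of it from a CRL
        # that lists the serial.
        self._revoked[serial] = RevokedEntry(serial, when, reason)

    def _issue(self, when: datetime) -> CRL:
        entries = tuple(sorted(self._revoked.values(), key=lambda e: e.serial))
        crl = CRL(self.name, when, when + self.crl_duration, entries)
        self.crls.append(crl)
        return crl

    def run_schedule(self, until: datetime) -> None:
        """Issue every regular CRL due up to `until`, even if nothing was
        revoked since the previous one."""
        while self.next_scheduled <= until:
            self._issue(self.next_scheduled)
            self.next_scheduled += self.release_interval

    def issue_non_regular(self, when: datetime) -> CRL:
        """Out-of-band CRL (the 'tell ca CRL issue' case): published now;
        the regular schedule is left untouched."""
        return self._issue(when)

    def latest_crl(self, at: datetime) -> Optional[CRL]:
        published = [c for c in self.crls if c.this_update <= at]
        return max(published, key=lambda c: c.this_update) if published else None


def check_status(certifier: Certifier, serial: int, at: datetime) -> str:
    """Relying-party decision: 'good', 'revoked (<reason>)' or 'stale'.
    A missing or expired CRL yields 'stale', never 'good'."""
    crl = certifier.latest_crl(at)
    if crl is None or at > crl.next_update:
        return "stale"
    for entry in crl.revoked:
        if entry.serial == serial:
            return f"revoked ({entry.reason})"
    return "good"


def run_demo() -> Dict[str, object]:
    """Walk through the tutorial's defaults (2-day duration, 1-day interval)."""
    ca = Certifier("LAB", 2 * DAY, DAY, START)
    ca.run_schedule(START + DAY)                      # regular CRLs at day 0 and day 1
    ca.revoke(42, START + DAY + 12 * HOUR, "keyCompromise")
    before = check_status(ca, 42, START + DAY + 13 * HOUR)   # not yet in any CRL
    ca.issue_non_regular(START + DAY + 12 * HOUR)
    after = check_status(ca, 42, START + DAY + 13 * HOUR)
    schedule_unchanged = ca.next_scheduled == START + 2 * DAY
    ca.run_schedule(START + 2 * DAY)
    in_next_regular = 42 in ca.latest_crl(START + 2 * DAY).serials()
    stale = check_status(ca, 7, START + 5 * DAY)      # newest CRL expired at day 4
    return {"before": before, "after": after,
            "schedule_unchanged": schedule_unchanged,
            "in_next_regular": in_next_regular, "stale": stale}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the "stale" result in check_status is that an outdated CRL proves nothing: if a relying party treated it as "good", anyone able to block CRL retrieval could keep a revoked certificate usable. The constructor's refusal of a duration shorter than the release interval is the same rule the tutorial states for the Misc tab settings, enforced at configuration time instead of discovered in production.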

Revoking certificates
Sometimes it is necessary to revoke certificates when they can no longer be trusted, for example, when they have been compromised or stolen. When such a situation arises, the certificate administrator should issue a non-regular CRL. To revoke a certificate:

1. From the Domino Administrator, select the Files tab.
2. Open the ICL database (from the /icl directory) for the certifier that issued the certificate you need to revoke.
3. Select the Issued Certificates\By Subject Name view and double-click the Issued Certificate document for the certificate you want to revoke.
4. Click Revoke Certificate.
5. Choose the reason for revoking the certificate in the Revocation Reason field.
6. Issue a non-regular CRL by entering the following command on the console:

   tell ca CRL issue certifier_number

The next time the CA process refreshes, the Issued Certificate document is updated to indicate that the certificate has been revoked. When you next open the Issued Certificate document, the Revocation Information section should indicate that the certificate has been revoked. There you will also find the revocation date and time, the reason for the certificate's revocation, and the date and time the certificate became invalid.


Section 9. Summary
Summary
This tutorial explained the new X.509 implementation in Domino 6 from a practical point of view, teaching you how to implement and maintain basic procedures for issuing and managing X.509 certificates in Domino 6 for both Notes and Internet clients. This tutorial covered:

- How the Certificate Authority process of Domino 6 differs from the Certificate Authority application in Domino R5
- The new PKI functionality in Domino 6
- How to set up a server-based Certificate Authority with Domino 6
- Details for configuring certifiers and issuing certificates with the Domino CA
- How to revoke certificates and manage CRLs
- Issuing Internet certificates for Internet clients (Web browsers) and Notes clients
- Storing Internet certificates in a Person document in the Domino Directory


Resources
Learn

- For excellent coverage of Open Source PKI implementations, see the Open Source PKI Book, a comprehensive review of Public Key Infrastructures and the PKIX standards.
- Read this detailed Overview of Certification Systems: X.509, CA, PGP and SKIP.
- The X.509 Style Guide provides detailed coverage of X.509 encoding issues.
- The RFC Editor Web site provides information on Request for Comments (RFC) documents about X.509/PKIX. The documents include: PKIX Certificate Management Protocols: RFC 2510; Operational protocols: RFC 2559, RFC 2585, RFC 2560; Certificate Policy and Certification Practices Framework: RFC 2527; and Profiles of X.509 v3 Public Key Certificates and X.509 v2 Certificate Revocation Lists (CRLs): RFC 2459.
- The Lotus Developer Domain article "Be the authority on the Domino 6 Certificate Authority" is a good introductory review of the Domino 6 CA.
- IBM's Redbook Lotus Notes and Domino R5.0 Security Infrastructure Revealed is a good starting point for learning about X.509 in Domino.
- For an in-depth view of S/MIME, see the Lotus Developer Domain article "Enhancing e-mail security with S/MIME".
- For an old but still informative article on CA in Domino 4.6, see "Trust yourself: Become your own Certification Authority".
- Web Security & Commerce by Simson Garfinkel and Gene Spafford (O'Reilly & Associates, 1997) is the bible for securing network services and infrastructure.
- Digital Certificates by Jalal Feghhi, Jalil Feghhi, and Peter Williams (Addison-Wesley, 1999) is the bible on PKI and certificates.
- Stay current with developerWorks technical events and Webcasts.

Get products and technologies

- Jonah PKIX Freeware Distribution - Open Source PKIX Public Key Infrastructure toolkit.
- Build your next development project with IBM trial software, available for download directly from developerWorks.

Discuss

- Participate in the discussion forum for this content.


About the author


Pawel Leszek, a Studio B (www.studiob.com) author, is an independent software consultant and author specializing in Linux/Win/Mac OS system architecture and administration. He also has experience with Mac OS X kernel-level programming, implementation, and administration. Pawel is also the author of a series of articles for LinuxWorld (www.linuxworld.com) and Linux columnist in the Polish edition of PC World. Pawel lives in Warsaw with his wife and sweet little daughter. Questions, comments, and errata submissions are welcome; e-mail the author directly at pawel.leszek@ipgate.pl.
