06 Feb 2003
This tutorial explains how to implement the Public Key Infrastructure (PKI) security technology built into Domino 6. Fully compliant with X.509/Public Key Infrastructure (PKIX), the new technology enables developers to establish a certificate authority (CA) in just minutes. The tutorial explains how to generate and manage X.509 certificates for both Notes and Internet clients.
Section 1. Introduction
Should I take this tutorial?
This tutorial is for advanced Domino administrators who want to use the new Public Key Infrastructure (PKI) features included in Domino R6. It covers the essential setup and configuration for using digital certificates with Domino 6. You should be familiar with the following technologies:
- PKI technology, terms, and procedures
- X.509 certificates and PKIX standards
- Domino administration
Creating and using the certificate authority in Lotus Domino 6 Copyright IBM Corporation 2003. All rights reserved.
Trademarks Page 1 of 27
developerWorks
ibm.com/developerWorks
Tools
You need to have these applications installed to follow along with the examples in this tutorial:
- Lotus Domino Server 6, Lotus Notes 6 and Domino Administrator 6. Download a free trial version.
- Any Web browser with X.509 certificate support, for instance Mozilla 1.x, Netscape 4.x and above, or Microsoft Internet Explorer 4.x and above.
Make sure that your Domino environment is configured this way:
- The administrator's current location document should at least point to the home server and directory server in the same domain as the CA server.
- The mail file location on the Mail tab of the administrator's location document must point to the server on which the CA process is running.
- CA administrators must have at least Editor access to the master Domino Directory for the domain.
- Administrators must check that the Fully qualified Internet host name field on the Basics tab of the current Server document contains a Fully Qualified Domain Name (FQDN), and modify it only if the default value is wrong. X.509 certificates identify users and hosts by FQDN (ibm.com and lab1.lotus.net are examples of FQDNs).
- It does not require access to the certifier ID and ID password. After you enable certifiers for the CA process, you can assign the registration authority role to administrators, who can then register users and manage certificate requests without having to provide the certifier ID and password.
- It simplifies the Internet certificate request process through a Web-based certificate request database.
- It issues certificate revocation lists (CRLs), which contain information about revoked or expired Internet certificates.
- It is compliant with the security industry standards for Internet certificates, X.509 and PKIX.
In later sections you will see how to set up the new, server-based CA feature of the Domino 6 PKI. Domino CA applications based on earlier versions still work, but they lack CRL and certificate-revocation support.
If you want the ca task to start automatically with the Domino server, add ca to the "ServerTasks=" line of the server's notes.ini file. You can choose which certifiers to enable under the CA process: you can enable both Internet and Domino certifiers for the CA process, or use the more old-fashioned certifier ID file for Notes clients and the CA process for Internet certifiers. Because the Domino Process Manager controls the ca task, you can speed up the processing of CA requests by entering the following at the server console:
tell adminp process all
tell ca refresh
tell ca stat
The last command shows whether the changes have been processed. You can find more help by entering load ca -? on the server console.
4. On the Basics tab, click Create the certifier name and specify the following parameters:
   - Common name (required): the certifier name (in the example, the common name is LAB)
   - Organizational unit (optional): the name of the certifier's organizational unit
   - Organization (optional): the name of the certifier's organization
   - City or locality (optional): the organization's city
   - State or province (optional): the full name of the state or province in which the organization resides
   - Country (optional): the two-character abbreviation for the country in which the organization resides
5. Choose the server where you want to store the certifier.
6. Click OK to accept all of your settings.
You can modify the default ICL database name (for example, icl\icl_lab.nsf) before you accept the certifier parameters, but that's not recommended.
6. Fill in the other optional fields on the Certificates tab if necessary for your environment.
7. Add the certifier to the CA process by entering these commands on the server console:
8. Check whether the new certifier has been added by entering this console command:
tell ca stat
server-based CA process (this also applies to any standard CA key rings exported from any CA), follow these steps:
1. From the Domino Administrator, click Configuration.
2. On the Tools pane, select Registration=>Internet Certifier.
3. In the Register Internet Certifier dialog box, select "I have a key ring file I want to register."
4. Complete the Migrate Certifier dialog as described in steps 3 through 8 of the procedure in Migrating Notes certifiers to the CA process.
If you encrypt the certifier ID with a locking or selected ID, the certifier is locked when you create it; unlock it with this console command:
tell ca unlock ID file password
2. Set the certificate duration.
3. Define the key usage as appropriate.
4. Set the certificate purposes, as necessary, and use the option for including additional certificate fields about the CRL distribution point, if necessary.
5. Click OK to accept your Certificates settings.
After you've created an Internet certifier document, you need to add the certifier to the CA process with these server-console commands:
tell adminp process all
tell ca refresh
The CA process assigns a certifier number during certifier registration; when you issue the tell ca stat command for a new certifier, you can see the number assigned to it. If the certifier is password protected, activate it with this command:
tell ca activate certifier_number password
it.
3. Click Edit Certifier.
4. On the CA Configuration tab, shown in the figure, select No for Process Enabled to disable the CA process for the certifier.
5. Click Save & Close.
secure Web communication (using SSL from the Notes browser), two methods of communication that are becoming more and more popular on the Internet.

A Notes user ID file can store both Notes and Internet certificates. Notes certificates are always present, but Internet certificates must be issued by Domino administrators for each user. Fortunately, it is possible to automate the issuance of Internet certificates by using the public and private keys already in the Notes ID file and then adding the certificate to the user's Person document in the Address book. Using the Domino Directory to issue Internet certificates automates their distribution to Notes users.

Start by making sure that all Notes users have valid Internet addresses specified in their Person documents. Then add an Internet certificate created with the CA process to the selected users in the Domino Address book:
1. From the Domino Administrator, click People & Groups.
2. Select the names of the users who need Internet certificates.
3. Choose Actions=>Add Internet Cert to Selected People.
4. Select the correct registration server, which appears at the top of the dialog box next to the Server button.
5. Choose the option to use the CA process.
6. Choose the Supply the certifier key ring file and password option if you want to use the flat CA's key ring file.
7. In the Add Internet Certificates to Selected Entries dialog box, confirm that the expiration date is valid. Change the date, if necessary.
1. Choose File=>Database=>New and select the server where you want to store the Certificate Requests database.
2. Enter the database title and file name (certreq.nsf in the example).
3. Choose the Certificate Requests (R6) template (certreq.ntf).
4. The Certificate Requests database opens when it has been created.
5. Review the configuration document for the new Certificate Requests database. Check the following fields:
   - Server name with CA process running
   - Certifier
   - Supported certificate types (server, client, or both)
6. Review the other fields; most of them are optional, but you may need to fill some in for your local situation.
Generating CRL
You configure the CRL when you create a new Internet certifier. You can specify the length of time for which a CRL is valid and the interval between publications of new CRLs. After CRLs are configured, the certifier issues them on a regular basis, unattended. CRLs let you manage the certificates issued in your organization: HTTP servers and Web browsers check the CRL to determine whether a given certificate has been revoked and is therefore no longer trusted by the certifier.
You can also issue a non-regular CRL for a specific certifier on demand; in that command, certifier_number is the number of the certifier shown in the results of the tell ca status command.
Revoking certificates
Sometimes it is necessary to revoke certificates that can no longer be trusted, for example because they have been compromised or stolen. In that situation the certificate administrator should issue a non-regular CRL, so that relying parties learn of the revocation without waiting for the next scheduled CRL. To revoke a certificate:
1. From the Domino Administrator, select the Files tab.
2. Open the ICL database (from the /icl directory) for the certifier that issued the certificate you need to revoke.
3. Select the Issued Certificates\By Subject Name view and double-click the Issued Certificate document for the certificate you want to revoke.
4. Click Revoke Certificate.
5. Choose the reason for revoking the certificate in the Revocation Reason field.
6. Issue a non-regular CRL by entering the following command on the console:
The next time the CA process refreshes, the Issued Certificate document is updated to indicate that the certificate has been revoked. When you next open the Issued Certificate document, the Revocation Information section should show that the certificate has been revoked, along with the revocation date and time, the reason for the revocation, and the date and time at which the certificate became invalid.
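The relying-party side of the CRL mechanism this section describes, added here as an example that is not part of the tutorial and is not Domino's own code: a throwaway certifier built with Go's standard crypto/x509 package publishes an X.509 v2 CRL whose entries carry a reasonCode (the Revocation Reason chosen above), and a checker performs the steps a browser or HTTP server has to take before it can say a certificate is revoked. It verifies the CRL's signature against the certifier, confirms the CRL is still inside its thisUpdate/nextUpdate window (the "length of time for which a CRL is valid" setting), and only then looks the serial number up. The certifier name, the serial numbers and the 24-hour validity are constructed values, and the code assumes Go 1.19 or later for x509.ParseRevocationList.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// CRLReason codes (RFC 2459 / RFC 5280, 5.3.1) and the OID of the reasonCode entry extension.
const reasonUnspecified, reasonKeyCompromise, reasonSuperseded = 0, 1, 4
var oidReasonCode = asn1.ObjectIdentifier{2, 5, 29, 21}

// certifier is a constructed stand-in for a Domino Internet certifier: a key pair
// and a self-signed CA certificate whose key usage permits signing CRLs.
type certifier struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

func newCertifier(name string) (*certifier, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der) // parsed copy carries the generated SubjectKeyId
	return &certifier{key: key, cert: cert}, err
}

// issueCRL signs an X.509 v2 CRL listing the revoked serial numbers, each with a
// reasonCode entry. validity is the thisUpdate..nextUpdate window during which
// relying parties may keep using this CRL before they must fetch a newer one.
func (c *certifier) issueCRL(number int64, validity time.Duration, revoked map[int64]int) ([]byte, error) {
	now := time.Now()
	var entries []pkix.RevokedCertificate
	for serial, reason := range revoked {
		reasonDER, _ := asn1.Marshal(asn1.Enumerated(reason)) // ENUMERATED cannot fail to encode
		entries = append(entries, pkix.RevokedCertificate{
			SerialNumber: big.NewInt(serial), RevocationTime: now,
			Extensions: []pkix.Extension{{Id: oidReasonCode, Value: reasonDER}},
		})
	}
	tmpl := &x509.RevocationList{
		Number: big.NewInt(number), ThisUpdate: now, NextUpdate: now.Add(validity),
		RevokedCertificates: entries,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, c.cert, c.key)
}

// checkRevocation is what a browser or HTTP server does with a published CRL: it
// trusts the list only if the certifier signed it and it is inside its validity
// window, then looks the serial up. Returns (listed, reason code, error).
func checkRevocation(crlDER []byte, issuer *x509.Certificate, serial *big.Int, now time.Time) (bool, int, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, 0, err
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return false, 0, fmt.Errorf("CRL not signed by the expected certifier: %w", err)
	}
	if now.Before(rl.ThisUpdate) || now.After(rl.NextUpdate) {
		return false, 0, fmt.Errorf("CRL %v is outside its validity window; fetch a fresh one", rl.Number)
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) != 0 {
			continue
		}
		reason := reasonUnspecified // RFC default when no reasonCode entry extension is present
		for _, ext := range rc.Extensions {
			var e asn1.Enumerated
			if _, err := asn1.Unmarshal(ext.Value, &e); ext.Id.Equal(oidReasonCode) && err == nil {
				reason = int(e)
			}
		}
		return true, reason, nil
	}
	return false, 0, nil
}

func main() {
	ca, _ := newCertifier("LAB Internet Certifier") // constructed certifier, not a Domino ICL
	crl, _ := ca.issueCRL(1, 24*time.Hour, map[int64]int{42: reasonKeyCompromise}) // serial 42: compromised key
	fmt.Println(checkRevocation(crl, ca.cert, big.NewInt(42), time.Now()))
}
```

With the constructed input, `go run` reports that serial 42 is listed with reason 1 (keyCompromise). Note that the checker returns an error, not "not revoked", when the CRL is stale, was not signed by the expected certifier, or has been tampered with; a consumer that treats any error as "trust cannot be established" fails closed, whereas a lookup that silently skips a bad CRL would let a revoked certificate keep working until the next successful fetch.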
Section 9. Summary
Summary
This tutorial explained the new X.509 implementation in Domino 6 from a practical point of view, teaching you how to implement and maintain basic procedures for issuing and managing X.509 certificates in Domino 6 for both Notes and Internet clients. This tutorial covered:
- How the Certificate Authority process of Domino 6 differs from the Certificate Authority application in Domino R5
- The new PKI functionality in Domino 6
- How to set up a server-based Certificate Authority with Domino 6
- Details for configuring certifiers and issuing certificates with the Domino CA
- How to revoke certificates and manage CRLs
- Issuing Internet certificates for Internet clients (Web browsers) and Notes clients
- Storing Internet certificates in a Person document in the Domino Directory
Resources
Learn
- For excellent coverage of open source PKI implementations, see the Open Source PKI Book, a comprehensive review of Public Key Infrastructures and the PKIX standards.
- Read this detailed Overview of Certification Systems: X.509, CA, PGP and SKIP.
- The X.509 Style Guide provides detailed coverage of X.509 encoding issues.
- The RFC Editor Web site provides information on Request for Comments (RFC) documents about X.509/PKIX. The documents include: PKIX Certificate Management Protocols: RFC 2510; operational protocols: RFC 2559, RFC 2585, RFC 2560; Certificate Policy and Certification Practices Framework: RFC 2527; and Profiles of X.509 v3 Public Key Certificates and X.509 v2 Certificate Revocation Lists (CRLs): RFC 2459.
- The Lotus Developer Domain article "Be the authority on the Domino 6 Certificate Authority" is a good introductory review of the Domino 6 CA.
- IBM's Redbook Lotus Notes and Domino R5.0 Security Infrastructure Revealed is a good starting point for learning about X.509 in Domino.
- For an in-depth view of S/MIME, see the Lotus Developer Domain article "Enhancing e-mail security with S/MIME".
- For an old but still informative article on the CA in Domino 4.6, see "Trust yourself: Become your own Certification Authority".
- Web Security & Commerce by Simson Garfinkel and Gene Spafford (O'Reilly & Associates, 1997) is the bible for securing network services and infrastructure.
- Digital Certificates by Jalal Feghhi, Jalil Feghhi, and Peter Williams (Addison-Wesley, 1999) is the bible on PKI and certificates.
- Stay current with developerWorks technical events and Webcasts.
Get products and technologies
- Jonah PKIX Freeware Distribution: an open source PKIX Public Key Infrastructure toolkit.
- Build your next development project with IBM trial software, available for download directly from developerWorks.
Discuss
- Participate in the discussion forum for this content.