
Setting up a Domino 5 Certificate Authority

 Product documentation
 
Abstract
This techdoc describes how to set up a Domino 5 Certificate Authority. Prior to Domino 8.5.1, these topics were provided in the Reference section of the IBM Domino Administrator Help.
 
 
Content
Managing certification using the Domino CA process rather than the Domino 5 Certificate Authority offers advantages. For more information on these advantages and how to set up the Domino CA process, see the topic "Domino server-based certification authority" in the Security section of the Domino Administrator Help.


There are cases when you might still want to use a Domino 5 Certificate Authority, however. For example, use it if you want to set up Domino for SSL using a third party certificate.

Creating the Domino Certificate Authority application
Creating a CA key ring file and certificate
Setting up a Domino 5 certificate authority
Configuring the Domino Certificate Authority application profile
Setting up SSL on the CA server
Displaying the CA key ring file
Exporting the CA key ring file
Signing server certificates
Viewing requests for certificates
Web Server Configuration documents
Creating a Web realm (Domino 5.0x)
Creating file protection for virtual servers

Creating the Domino Certificate Authority application
1. Set up the server as a Domino Web server.

2. Using the Domino Designer, create the Domino Certificate Authority application on the server using the Domino R5 Certificate Authority template (CCA50.NTF). To view the template file, select the option Advanced templates. You can name the application anything you wish -- for example, CERTCA.NSF.

3. Edit the ACL of the Domino 5 Certificate Authority database, as follows:

    1. Add the names of the administrators who will issue and manage Internet certificates. Assign Editor with Delete access and the [CAPrivlegedUser] role to each administrator.
    2. Set the -Default- access to Author with Create documents privilege.
4. Create a CA key ring file and certificate.

Tip To hide the Domino Certificate Authority application so that it doesn't appear when users choose File - Database - Open and when Web clients browse a database list, deselect "Show in Open Database Dialog" on the Tools tab in the Database Properties box.

Creating a CA key ring file and certificate
When you use the Domino Administrator to create the CA key ring file, it is stored by default in the client's data directory.

Make sure that you keep the key ring file in a secure location, especially if you copy it to a shared location. To prevent unauthorized access, only the administrators that you specify should have access to the CA's key ring file and password.


    To create a CA key ring file and certificate

    1. Make sure you created the Domino Certificate Authority application.

    2. From the Domino Administrator, click Files, and open the Domino Certificate Authority application.

    3. Click Create Certificate Authority Key Ring & Certificate.

    4. Complete these fields:

    Key ring file name
        Enter the explicit path and file name for the CA key ring. The default is CAKEY.KYR in the Domino Administrator's data directory. It's helpful to use the extension .KYR to keep server and CA key ring file names consistent.
    Key ring password
        Specify a password for the key ring. This password is what protects the CA's private key, so choose it accordingly.
    Password verify
        Enter the password again. This helps ensure the password is entered correctly.
    Key size
        Select the size of the public and private key pair. Larger keys are harder to attack but slower to use.
    Common name
        Enter a descriptive name that identifies the CA certificate -- for example, Acme SSLCA.
    Organization
        Enter the name of the certifier organization. This is usually a company name, such as Acme.
    Organizational Unit
        (Optional) Enter the division or department in which the certifier resides.
    City or Locality
        (Optional) Enter the city or town where the certifier resides.
    State or Province
        Enter three or more characters that represent the state or province where the certifier resides, such as Massachusetts. (For U.S. states, enter the complete state name, not the abbreviation.)
    Country
        Enter the two-character code for the country where the certifier resides -- for example, US for United States or CA for Canada.
    Note The Common name, Organization, Organizational Unit, City or Locality, State or Province, and Country together make up the CA's distinguished name. Choose the CA name carefully; changing it later means reissuing the certificates the CA has signed, which is a costly process.

    5. Click Create Certificate Authority Key Ring.

    6. After you review the information about the key ring file and CA name, click OK.

    7. Make a backup copy of the Certificate Authority key ring file, and store it in a secure location.

    8. Configure the Domino Certificate Authority application profile.

    To change the password for the CA key ring file

    To ensure the continued security of the CA key ring file, periodically change its password.

    1. From the Domino Administrator, click Files, and open the Domino Certificate Authority application.

    2. Click View Certificate Authority Key Ring, and then click Change CA Key Ring Password.

    3. Enter the old password, and then click OK.

    4. Enter a new password, and then click OK.


Setting up a Domino 5 Certificate Authority
A Domino CA server hosts the Domino Certificate Authority application. Users, server administrators, and Domino CAs use the application to manage server and client certificates. Most organizations need only a single Domino CA server.

To set up a Domino CA server, you must perform these tasks:

1. Set up the server as a Domino Web server.

2. Create the Domino 5 Certificate Authority application.

3. Create a CA key ring file and CA certificate

4. Configure the CA profile to specify key ring and mail settings.

5. Set up SSL on the CA server.

Configuring the Domino Certificate Authority application profile
The Domino Certificate Authority application profile identifies the CA's key ring file and specifies the name of the CA server. Domino adds a link to the CA server when you send a message to clients and server administrators who request certificates. The clients and server administrators use this information to determine where to pick up certificates.

1. Make sure you created a CA key ring file and certificate.

2. From the Domino Administrator, click Files, and open the Domino Certificate Authority application.

3. Click Configure Certificate Authority Profile.

4. If necessary, enter the CA key ring path and file name in the CA Key File field. By default, Notes looks for the key ring file on the local hard drive. You can also specify a network drive accessible to other administrators; if you do, restrict access to that location to the CA administrators, because anyone who can read the file and knows its password can sign certificates as the CA.

5. Enter the TCP/IP DNS name of the server that runs the CA application in the Certificate Server DNS name field. Domino uses this name to indicate where to pick up signed certificates in the messages sent to administrators and clients.

The following fields set default values for the Approved Client Certificates screen. You can override these when approving a certificate.

Use SSL for certificate transactions?
    Choose one:
      • Yes (default) so that the e-mail message generated during the certificate request process refers to the SSL port for secure certificate pick-up.
      • No if SSL will not be used.
Certificate Server port number
    Enter the number of the TCP/IP port on which clients reach the certificate server. Domino includes this port in the e-mail that tells clients where to pick up certificates, so enter the SSL port if you answered Yes to the previous field. The default is 80.
Mail confirmation of signed certificate to requester?
    Choose one:
      • Yes to generate an e-mail confirmation for a signed certificate request.
      • No (default) to send no confirmation.
Submit signed certificates to AdminP for addition to the Directory?
    Choose one:
      • Yes (default) to submit the signed certificate to the Administration Process, which then stores it in the Domino Directory.
      • No to not submit the certificate.
Default validity period
    Specify the period, in years, for which signed certificates are valid. The default is 2 years.
6. Click Save & Close.

7. Set up SSL on the CA server.

Setting up SSL on the CA server
Because server administrators and clients use browsers to access the CA server to request and pick up certificates, use SSL to protect the CA server. When you set up the CA server for SSL, you create the server key ring file and request a server certificate. Domino automatically approves the server certificate and merges the CA certificate as a trusted root.

1. Make sure you configured the Domino Certificate Authority application profile.

2. From the Domino Administrator, click the Files tab, and open the Domino Certificate Authority application.

3. Click Create Server Key Ring & Certificate.

4. Complete these fields:

Key ring file name
    Enter the name of the server key ring file. By default, it is stored in the data directory of the Domino Administrator used to create the file. Do not use the same name as the CA key ring file.
Key ring password
    Specify a password for the key ring.
Password verify
    Enter the password again. This helps ensure the password is entered correctly.
Key size
    Select the size of the public and private key pair. Larger keys are harder to attack but slower to use.
CA certificate label
    Enter the label to display when you view the CA certificate in the server key ring file.
Common name
    Enter the fully qualified TCP/IP host name -- for example, www.lotus.com. Use exactly the DNS name that clients will type, because browsers compare the certificate's common name with the host name they connected to and refuse the connection on a mismatch.
Organization
    Enter the name of the certifier organization. This is usually a company name, such as Acme.
Organizational Unit
    (Optional) Enter the division or department where the certifier organization resides.
City or Locality
    (Optional) Enter the city or town where the certifier organization resides.
State or Province
    Enter three or more characters that represent the state or province where the certifier organization resides, such as Massachusetts. (For U.S. states, enter the complete state name, not the abbreviation.)
Country
    Enter the two-character code for the country where the certifier organization resides -- for example, US for United States or CA for Canada.
5. Click Create Server Key Ring.

6. Enter the CA key ring file password, and then click OK. The server SSL key ring file is created.

7. Copy the server key ring file to the Domino data directory on the server. The Domino Certificate Authority application creates the file locally; however, the server needs the key ring file to use SSL.

Note If you choose to store the server key ring file in some place other than the Domino data directory, you must specify the full directory path to it in the Server document or Site document.

8. Configure the SSL port.

9. Enable server authentication on the server.

Displaying the CA key ring file
1. From the Domino Administrator, click Files, and open the Domino Certificate Authority application.

2. Click View Certificate Authority Key Ring.

3. Click Display CA Key Ring.

4. Enter the password when prompted.

5. Double-click the CA Key Pair document you want to open and view.

6. To exit the document after viewing, click Close.


Exporting the CA key ring file
Export the CA key ring to a text file to troubleshoot problems with the CA server and compare key ring files.

1. From the Domino Administrator, click Files, and open the Domino Certificate Authority application.

2. Click View Certificate Authority Key Ring.

3. Click Dump CA Key Ring to Text.

4. Enter the password when prompted.

5. Enter the name of the file to which you want to export the key ring. Notes creates this text file and places it in the data directory.

6. To view the text file, open it with a text editor. The dump is an unencrypted plain-text file that anyone with access to the data directory can read, so treat it with the same care as the key ring file itself and delete it when you have finished.


Signing server certificates
The certificate authority signs a server certificate to add its digital signature to the certificate. A request for a server certificate appears in the Server Certificate Requests view in the Domino Certificate Authority application. When the certificate authority signs a certificate, the certificate authority can automatically notify the requesting server administrator by e-mail. The e-mail describes how to pick up the certificate and includes a pick-up ID, which the server administrator must use to identify the certificate during the pick-up process. Domino automatically generates the pick-up ID.

To sign a server certificate with a Domino 5 Certificate Authority

Before you begin, make sure that:

  • The requesting server administrator has merged the Certificate Authority's certificate into the server key ring as a trusted root.
  • You understand your organization's policy on signing certificates. Sign certificates only if the certificate requests comply with your organization's security policy.

1. From the Domino Administrator, click Files and open the Domino Certificate Authority application.

2. Click Server Certificate Requests.

3. Open the request to sign.

4. Review the user information and distinguished name. Make sure that the information provided complies with your organization's security policy. If you want to deny the request, complete Step 5. Otherwise, go to Step 6.

5. To deny the request, do the following:

    1. Enter a reason for the denied request.
    2. If you do not want to notify the server administrator by e-mail, deselect "Send a notification email to the requester." Otherwise, Domino sends the server administrator an e-mail indicating that you denied the request and the reason why you denied the request.
    3. Click Deny.
6. To approve the request, do the following:
    1. Enter a validity period. For short-term projects, 90 days is typical; for ongoing projects, you can enter several years.
    2. If you do not want to notify the server administrator by e-mail to pick up the certificate, deselect "Send a notification email to the requester." Otherwise, Domino sends the server administrator an e-mail with a URL indicating the location to pick up the certificate.
    3. Click Approve.
    4. Enter the password for the CA's key ring file, and then click OK.
7. Have the server administrator complete the procedure "Merging a server certificate into the key ring file."
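The three procedures above (creating the CA key ring and certificate, creating the server key ring and request, and signing a server certificate) are carried out in the Domino Administrator user interface. The following Python example, added here and not part of the original documentation or of Domino itself, models the same flow with the `cryptography` package so that the checks involved can be seen in code: the CA and server distinguished names are built from the fields in the tables above, a policy check stands in for the administrator's review (its rules, the allowed-organization set and the two-year cap, are assumptions), the CA signs for the validity period entered at approval, and the final function performs the verification a browser does against the trusted root and the host name. Acme SSLCA and www.acme.example are made-up sample values.

```python
# Added example (not Domino code): the Domino 5 CA workflow modelled with the
# `cryptography` package. "Acme SSLCA" and www.acme.example are sample values;
# the policy rules in request_complies() are assumptions, not Domino's.
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def distinguished_name(common_name, organization, state, country,
                       organizational_unit=None, locality=None):
    """DN built from the fields the CA and server key ring forms ask for; optional ones skipped."""
    fields = [(NameOID.COMMON_NAME, common_name), (NameOID.ORGANIZATION_NAME, organization),
              (NameOID.ORGANIZATIONAL_UNIT_NAME, organizational_unit), (NameOID.LOCALITY_NAME, locality),
              (NameOID.STATE_OR_PROVINCE_NAME, state), (NameOID.COUNTRY_NAME, country)]
    return x509.Name([x509.NameAttribute(oid, value) for oid, value in fields if value])


def _first(name, oid):
    attrs = name.get_attributes_for_oid(oid)
    return attrs[0].value if attrs else ""


def create_ca(name, key_size=2048, validity_years=10):
    """'Create Certificate Authority Key Ring & Certificate': CA key pair plus self-signed root."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + timedelta(days=365 * validity_years))
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def create_server_request(name, key_size=2048):
    """'Create Server Key Ring & Certificate': server key pair plus a signing request."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    csr = x509.CertificateSigningRequestBuilder().subject_name(name).sign(key, hashes.SHA256())
    return key, csr


def request_complies(csr, allowed_orgs, validity_days, max_validity_days=2 * 365):
    """The administrator's review step as code (assumed policy): the request must prove
    possession of its key, name an approved organization, use a host-name-like common
    name, and ask for a validity period within the CA's cap."""
    if not csr.is_signature_valid:
        return False
    cn = _first(csr.subject, NameOID.COMMON_NAME)
    hostname_like = "." in cn and " " not in cn and "*" not in cn
    return (_first(csr.subject, NameOID.ORGANIZATION_NAME) in allowed_orgs
            and hostname_like and 0 < validity_days <= max_validity_days)


def sign_server_request(csr, ca_key, ca_cert, validity_days):
    """'Approve': the CA signs the request for the validity period the administrator entered."""
    now = datetime.now(timezone.utc)
    cn = _first(csr.subject, NameOID.COMMON_NAME)
    return (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(ca_cert.subject)
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + timedelta(days=validity_days))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(cn)]), critical=False)
            .sign(ca_key, hashes.SHA256()))


def verify_server_cert(cert, ca_cert, hostname):
    """What a browser does on connect: was the certificate signed by the trusted root,
    and does a name in it match the host name the client asked for?"""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    if cert.issuer != ca_cert.subject:
        return False
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        names = san.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        names = []
    names.append(_first(cert.subject, NameOID.COMMON_NAME))
    return hostname.lower() in {n.lower() for n in names}


if __name__ == "__main__":
    ca_key, ca_cert = create_ca(distinguished_name("Acme SSLCA", "Acme", "Massachusetts", "US"))
    _, csr = create_server_request(distinguished_name("www.acme.example", "Acme", "Massachusetts", "US"))
    if request_complies(csr, {"Acme"}, validity_days=90):
        cert = sign_server_request(csr, ca_key, ca_cert, validity_days=90)
        print(verify_server_cert(cert, ca_cert, "www.acme.example"))   # True
        print(verify_server_cert(cert, ca_cert, "mail.acme.example"))  # False
```

The last two calls show why the common name must equal the DNS name: the same certificate, signed by the same trusted root, is accepted for the host it names and rejected for any other. The CA key and the `ca_key` variable here correspond to the CA key ring file; whoever holds it can call `sign_server_request`, which is why the key ring file and its password need to be restricted to the CA administrators.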

Viewing requests for certificates
Domino certificate authority administrators can view information about server and client certificates waiting for approval, approved requests waiting for pick-up, and requests that have been denied.
1. From the Domino Administrator, click Files and open the Domino Certificate Authority application.

2. Click Server Certificate Requests or Client Certificate Requests.

3. Use the Actions menu to display requests waiting for approval, approved requests, and denied requests.

Web Server Configuration documents
If you are migrating your site from Domino 5 to a later release, you do not need to convert immediately from the Web Server Configurations view to the Internet Sites view. However, you will need to convert to the Internet Sites view to take advantage of many of the Web Site features.

Many of the HTTP task Server record settings used in Domino 5 are now available in the Web Site document. If you enable the Internet Sites view, the HTTP task uses the Web Site settings instead of those in the Server record.


    Hosting Web sites using Web Server Configurations

    Lotus Domino 5 uses the model of multiple virtual servers associated with a single Domino Web server. Each site is configured with its own IP address; default home page; customized Web server message; and HTML, CGI, and icons directories. All of the virtual servers share a single Domino data directory.

    You give each virtual server a network connection with its own separate, permanent numeric IP address, or you map multiple host names to the same IP address. The number of virtual servers is limited only by your operating system and the system hardware. See your operating system documentation and hardware documentation for more information.


Creating a Web realm (Domino 5.0x)
1. Do one of the following:
    • From the IBM Lotus Domino Administrator, click Configuration and click Servers.
    • If you are creating a Web Realm document for a virtual server, click Web - Web Server Configurations.
2. Do one of the following:
    • Open the Server document for the server to which the Web realm will apply.
    • If you are creating a Web Realm document for a virtual server, open the Virtual Server document.
3. Click "Create Web (R5)" and choose Realm.

4. Complete these fields and then save the document:

IP Address
    (Optional) The IP address of the virtual server. Complete this field only if you are creating a Web realm for a virtual server.
Path
    The path that you want to protect, either as a fully qualified path that includes the drive letter (for example, c:\lotus\domino\data\domino\cgi-bin) or as a path relative to the server's data directory (for example, domino\cgi-bin).
Realm returned to browser when access is denied
    A text string that describes the location on the server, or any other descriptive string. Domino returns it to the browser as the realm name whenever authentication or authorization fails at that location; the browser shows it in its authentication dialog and stores it with the credentials. Do not use accented or other non-ASCII characters, because the browser will not display them correctly.
5. Enter this command at the console so that the settings take effect:

      tell http restart

Creating file protection for virtual servers
Do one of the following:

  • From the IBM Lotus Domino Administrator, choose Configuration - Servers, and open the Server document for the server to which the file protection will apply.
  • If you are creating a File Protection document for a virtual server, choose Web - Web Server Configurations, and open the Virtual Server document.

1. Click Create Web (R5) and choose File Protection.

2. Click the Basics tab, and complete these fields:

Applies to
    (Read-only) This setting applies to the base server and to all virtual servers or virtual hosts that have no file protection settings of their own. If a virtual server or virtual host has any file protection settings, this setting does not apply to it.
Path
    Specify the drive, directory, or file to which you want to restrict access, as either a fully qualified path or a path relative to the server's data directory.
3. Click Access Control, complete this field, and then save the document:
Current access control list
    The users and groups who can access the files or directories you specified, and the type of access each is allowed. By default, the list contains a -Default- entry set to No Access. Users who are not listed in this field receive the -Default- access level.

To add users to this list:

  1. Click Set/Modify Access Control List.
  2. Select a user name or group from the Domino Directory or enter a name in the Name field.
  3. Select one of "Read/Execute access (GET method)," "Write/Read/Execute access (POST and GET methods)," or "No Access."
  4. Click Next to add this entry to the access list.

Note GET lets the user open files and start programs in the directory. POST is typically used to send data to a CGI program; therefore, give POST access only to directories that contain CGI programs. No Access denies access to the specified user or group.

To remove an entry from the list, select the entry and click Clear.

If users connect to the server using Anonymous access, enter Anonymous in the Name field and assign the appropriate access.

4. Enter this command at the console to refresh the server settings:

tell http refresh

Domino displays the File Protection document as a response to the Server document.
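The following Python example, added here and not Domino's own code, models how the Web Realm and File Protection documents described in the two procedures above combine to answer a request: the most specific File Protection path is applied, its access list decides whether the method is allowed, and a denied anonymous request gets a 401 challenge carrying the realm string for that path while a denied authenticated user gets a 403. The precedence rules, the DATA_DIR value, the fallback realm name, and all sample documents and requests are assumptions made for illustration; Domino's actual matching may differ.

```python
# Added example (not Domino code): a model of how File Protection and Web Realm
# documents answer a request. The precedence rules (most specific path wins, a
# user's own entry beats group entries, -Default- applies when nothing else does,
# an unprotected path is allowed) are assumptions, as are DATA_DIR, the fallback
# realm name, and the sample documents and requests at the bottom.
from dataclasses import dataclass

DATA_DIR = "c:/lotus/domino/data"          # assumed server data directory

NO_ACCESS = 0            # "No Access"
READ_EXECUTE = 1         # "Read/Execute access (GET method)"
WRITE_READ_EXECUTE = 2   # "Write/Read/Execute access (POST and GET methods)"
LEVEL_NEEDED = {"GET": READ_EXECUTE, "POST": WRITE_READ_EXECUTE}   # any other method: denied


@dataclass
class FileProtection:
    path: str        # fully qualified, or relative to the data directory
    acl: dict        # user or group name -> level; must contain "-Default-"


@dataclass
class WebRealm:
    path: str
    realm: str       # text the browser shows in its authentication dialog


def realm_is_safe(realm):
    """Realm strings must be plain ASCII; accented characters display incorrectly."""
    return all(32 <= ord(ch) < 127 for ch in realm)


def normalize(path):
    """Map both path forms the documents accept onto one lower-case, '/'-separated form."""
    p = path.replace("\\", "/").lower().rstrip("/")
    if len(p) < 2 or p[1] != ":":            # relative path: anchor it at the data directory
        p = DATA_DIR + "/" + p.lstrip("/")
    return p


def most_specific(docs, req_path):
    """Longest document path that equals the request path or is one of its parent directories."""
    best, best_len = None, -1
    for doc in docs:
        p = normalize(doc.path)
        if (req_path == p or req_path.startswith(p + "/")) and len(p) > best_len:
            best, best_len = doc, len(p)
    return best


def access_level(doc, user, groups):
    """Anonymous clients get the Anonymous entry; named users their own entry, else the
    most permissive of their groups' entries; everyone else gets -Default-."""
    if user is None:
        return doc.acl.get("Anonymous", doc.acl["-Default-"])
    if user in doc.acl:
        return doc.acl[user]
    group_levels = [doc.acl[g] for g in groups if g in doc.acl]
    return max(group_levels) if group_levels else doc.acl["-Default-"]


def decide(protections, realms, method, path, user=None, groups=()):
    """Return (status, headers): 200 allowed; 401 plus a realm challenge for an anonymous
    client that must log in; 403 for an authenticated user who is still denied."""
    req = normalize(path)
    doc = most_specific(protections, req)
    if doc is None:
        return 200, {}
    if access_level(doc, user, groups) >= LEVEL_NEEDED.get(method, WRITE_READ_EXECUTE + 1):
        return 200, {}
    if user is None:
        realm_doc = most_specific(realms, req)
        realm = realm_doc.realm if realm_doc else "Domino"   # assumed fallback realm
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % realm}
    return 403, {}


# Constructed sample configuration: the CGI directory is writable only by the
# WebAdmins group, the HTML directory is readable anonymously, and a realm is
# defined on the CGI path.
PROTECTIONS = [
    FileProtection(r"domino\cgi-bin", {"-Default-": NO_ACCESS, "WebAdmins": WRITE_READ_EXECUTE}),
    FileProtection(r"domino\html", {"-Default-": NO_ACCESS, "Anonymous": READ_EXECUTE}),
]
REALMS = [WebRealm(r"c:\lotus\domino\data\domino\cgi-bin", "Acme CGI programs")]

if __name__ == "__main__":
    print(decide(PROTECTIONS, REALMS, "GET", r"domino\html\index.html"))                  # (200, {})
    print(decide(PROTECTIONS, REALMS, "POST", r"domino\cgi-bin\order.exe"))               # 401 + realm
    print(decide(PROTECTIONS, REALMS, "POST", r"domino\cgi-bin\order.exe", "Bob", ["WebAdmins"]))  # 200
```

Note the -Default- versus Anonymous distinction the model reproduces: in the html document only Anonymous has read access, so an authenticated user who is not listed falls through to -Default- and is refused. To let everyone read a directory, raise -Default- rather than adding an Anonymous entry. The model also makes the GET/POST rule in the Note above concrete: a directory whose entries grant only Read/Execute cannot receive a POST, however the user authenticates.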

 
Related information
Lotus Domino Documentation
 
 
 

Document information
 Product categories:
 Software
 Messaging Applications
 Advanced Messaging
 Lotus Domino
 Lotus Domino Server
 Operating system(s):
  AIX, IBM i, Linux, Solaris, Windows, i5/OS
 Software version:
  8.5.1
 Software edition:
  Edition Independent
 Reference #:
  7016444
 IBM Group:
 Software Group
 Modified date:
 2009-11-03
