You can set up a Domino® certifier that uses the CA process server task to manage and process certificate requests. The CA process runs as a server task on the Domino servers that issue certificates. When you set up a Notes® or Internet certifier, you link it to the CA process on the server in order to take advantage of CA process activities. Only one instance of the CA process can run on a server; however, the process can be linked to multiple certifiers.
You can set up both Notes and Internet certifiers to use the CA process. Notes certifiers are registered and then migrated to the CA process. Internet certifiers, however, are created and registered using the CA process.
Consider using the CA process because it:
- Provides a unified mechanism for issuing Notes and Internet certificates.
- Supports the registration authority (RA) role, which you use to
delegate the certificate approval/denial process to lower-echelon
administrators in the organization.
- Does not require access to the certifier ID and ID password. After
you enable certifiers for the CA process, you can assign the registration
authority role to administrators, who can then manage certificate
requests without having to provide the certifier ID and password.
- Simplifies the Internet certificate request process through a
Web-based certificate request database.
- Issues certificate revocation lists, which contain information
about revoked Internet certificates.
- Creates and maintains the Issued Certificate List (ICL), a database
that contains information about all certificates issued by the certifier,
including the policy and a copy of the certifier ID file.
- Is compliant with security industry standards for Internet certificates
-- for example, X.509 and PKIX.
To manage the CA process from the Domino console,
you use a set of server Tell commands.
Issued Certificate List (ICL)
Each certifier has an Issued Certificate List
(ICL) that is created when the certifier is created or migrated to
the CA process. The ICL is a database that stores a copy of each certificate
that it has issued, certificate revocation lists (for Internet certifiers),
and CA configuration documents. Configuration documents are generated
when you create the certifier and sign it with the certifier's public
key. After you create these documents, you cannot edit them.
CA configuration documents include:
- Certificate profiles, which contain information about certificates
that are issued by the certifier.
- CA configuration document, which contains information about the
certifier itself.
- RA/CA association documents, which contain information about the
RAs who are authorized to approve and deny certificate requests. There
is one document for each RA.
- ID file storage document, which contains information about the
certifier ID.
Another CA configuration document, the Certifier document, is created in the Domino Directory when you set up a certifier. Unlike the documents stored in the ICL, this document can be modified.
Certificate Revocation List (CRL)
A CRL is a time-stamped list identifying
revoked Internet certificates -- for example, certificates belonging
to terminated employees. The CA process issues and maintains CRLs
for each Internet certifier. A CRL is associated with a certifier,
is signed by that certifier, and resides in the certifier's ICL database.
You configure the CRL when you create a new Internet certifier. You can specify the length of time for which a CRL is valid and the interval between publication of new CRLs. After CRLs are configured, the certifier issues them on a regular basis and they operate unattended.
Using CRLs, you can manage the certificates issued in your organization. You can easily revoke a certificate if the subject of the certificate leaves the organization or if the key has been compromised. HTTP servers and Web browsers check the CRLs to determine whether a given certificate has been revoked and is therefore no longer trusted by the certifier. When you use Internet Site documents to configure Internet protocols on the Domino server, you can also enable CRL checking for each protocol.
There are two kinds
of CRLs: scheduled and immediate. For scheduled CRLs, you configure
a duration interval -- the time period for which the CRL is valid
-- and the interval at which new CRLs are issued. Each certifier
issues a CRL at the specified time, even if no certificates have been
revoked since the last CRL was issued. This means that if an administrator
revokes a certificate, it appears in the next scheduled CRL issued
by the certifier. The CRL duration period should be greater than the
time period between each CRL issuance. This ensures that the CRL remains
valid. Otherwise, the CRL could expire before a new one is issued.
However, in the event of a critical security break -- for example, if the administrator needs to revoke a particularly powerful certificate or the certifier certificate is compromised -- you can manually issue an immediate CRL (that is, an unscheduled CRL) to enforce the emergency revocation. This type of revocation does not affect either the timing or the content of the next scheduled CRL. You use a Tell command to issue an immediate CRL.
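The three rules stated above -- a relying party consults the latest CRL and must treat an expired one as unusable, the CRL duration must exceed the issuance interval or there is a window with no valid CRL, and an immediate CRL does not shift the next scheduled CRL -- can be checked with a small model. The following Python is an added illustration, not Domino code or a Domino API; the certifier, the ICL list, the serial numbers and the dates are constructed for the example, and real CRLs are X.509 structures rather than Python objects.

```python
"""Toy model of the scheduled/immediate CRL lifecycle and a relying-party check.
Constructed example: no Domino API, no real CRL encoding."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class CRL:
    issued: datetime          # time the certifier signed this CRL
    valid_for: timedelta      # the administrator's duration interval
    revoked: frozenset        # serial numbers listed as revoked
    scheduled: bool = True    # False for an immediate (unscheduled) CRL

    @property
    def expires(self) -> datetime:
        return self.issued + self.valid_for


def check_crl_schedule(duration: timedelta, interval: timedelta) -> dict:
    """Validate a CRL schedule: the duration must exceed the issuance interval.
    Returns the per-cycle window during which no valid CRL would exist."""
    gap = interval - duration
    return {
        "ok": duration > interval,
        "gap_per_cycle": gap if gap > timedelta(0) else timedelta(0),
    }


class Certifier:
    """Stand-in for one Internet certifier linked to the CA process."""

    def __init__(self, start: datetime, duration: timedelta, interval: timedelta):
        self.duration = duration
        self.interval = interval
        self.revoked = set()          # serials revoked so far by an administrator
        self.next_scheduled = start   # when the next scheduled CRL is due
        self.icl = []                 # issued CRLs, newest last (stands in for the ICL)

    def revoke(self, serial: str) -> None:
        # A revocation only becomes visible to relying parties once a CRL is issued.
        self.revoked.add(serial)

    def issue_scheduled(self, now: datetime) -> CRL:
        """Scheduled CRL: issued at the planned time even if nothing was revoked;
        the next scheduled issuance advances by one interval."""
        crl = CRL(now, self.duration, frozenset(self.revoked), scheduled=True)
        self.icl.append(crl)
        self.next_scheduled = now + self.interval
        return crl

    def issue_immediate(self, now: datetime) -> CRL:
        """Immediate CRL for an emergency revocation: published now, and the
        timing of the next scheduled CRL is left untouched."""
        crl = CRL(now, self.duration, frozenset(self.revoked), scheduled=False)
        self.icl.append(crl)
        return crl

    def latest_crl(self) -> CRL:
        return self.icl[-1]


def check_certificate(crl: CRL, serial: str, now: datetime) -> str:
    """What an HTTP server or browser decides when it consults the CRL.
    An expired CRL gives no answer; the relying party must fetch a fresh one."""
    if now >= crl.expires:
        return "crl-expired"
    if serial in crl.revoked:
        return "revoked"
    return "good"
```

Running `check_crl_schedule` with a 5-day duration and a 7-day interval reports a two-day window per cycle in which every relying party sees only an expired CRL, which is the failure the text warns about; with an 8-day duration and the same interval the window is zero. The `Certifier` model shows that a serial revoked after a scheduled CRL is still reported as good until either the next scheduled CRL or an immediate CRL is issued, and that issuing the immediate CRL leaves `next_scheduled` where it was.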