Administering a Domino CA

There are a number of tasks associated with managing an IBM® Domino® certifier. If you implement a certifier that uses the CA process, you can delegate IBM Notes® and Internet certificate request approval and denial to other administrators, each of whom acts as a registration authority. Many of the manual tasks associated with managing a CA in prior versions of Domino are automated when you use the CA process.

Domino certificate authority administrator tasks

The Domino certificate authority administrator (CAA) must have at least Editor access to the master Domino Directory for the domain.

As a best practice, designate at least two CAAs for each certifier. You then have a backup if one leaves the organization.

Note: By default, the administrator who creates a certifier is automatically designated as both a CAA and an RA for that certifier. When you create additional CAAs, they must be assigned the RA role in order to approve or deny a certificate request.

The Domino certificate authority administrator (CAA) is responsible for these tasks:

  • Create and configure certifiers.
  • Modify certifiers. For example, only a CA administrator can edit ID recovery information for a Notes certifier.
  • Add or remove Certification and Registration Authority administrators, or change the CA and RA roles assigned to users.

Domino Registration Authority administrator tasks

A registration authority (RA) administrator approves or denies Notes or Internet certificate requests, and, if necessary, revokes Internet certificates. While a CA administrator can also be a registration authority, the main advantage of having a separate RA role is to offload these tasks from the Domino and/or CA administrator. Moreover, the Domino administrator can establish one or more RAs for each certifier enabled for the CA process.

An RA should approve only those requests that will be accepted by the certifier. The CA Configuration and Certificate Profile documents, stored in the CA's Issued Certificate List (ICL) database, describe what is acceptable. A current valid copy of the document is also stored with the certifier document as an attachment.

Domino administrators who register Notes users should also be listed as RAs for the Notes certifier, to minimize the steps that are needed to have a certificate issued by the certifier.

If you are using the Web Administrator client, you need to set up a server-based certification authority to register Notes users. The Web administrator, as well as the server on which the Web Administrator database resides, must be listed as an RA for that certifier.

The Domino Registration Authority (RA) administrator is responsible for these tasks:

  • Approve or deny Internet certificate requests.
  • Revoke certificates if they can no longer be trusted, such as if the subject of the certificate leaves the organization, or if the key has been compromised.

Note: If you need RAs to be able to register users, they must have at least Author access to the master Domino Directory for the domain, with both the "Create documents" privilege and the "User Creator" role enabled. This is the same access required by a Domino administrator to register Notes users.