Assigning a new key pair to a certifier

You can assign a new key pair to an IBM® Domino® certifier and roll over the current key pair.

Procedure

  1. In the Domino Administrator, click Configuration > Certification > Rollover Certifer Keys.
  2. In the Generate New Certifier Key dialog box, click Directory Server and specify a registration server in the list box that appears.
  3. Click ID file. In the Choose a Certifier ID dialog box, select the certifier ID file for which you want to assign new keys.
    1. Use the default server or click Server to specify a server.
      • If you are supplying a certifier ID, select the server that is used to locate the list of certifiers so that the Certifier ID file can be updated with the latest set of certificates for itself and all of its ancestors.
      • If you are using the Domino server-based CA, select the server that is used to access the Domino Directory to look up the list of certifiers.
        Note: This is also the server on which CERTLOG.NSF is updated.

      Then select one of these options:

    2. Supply a certifier ID and password.
      • Click Certifier ID if you want to use an ID other that which is displayed.
      • Otherwise, click OK, enter the password for the selected certifier ID, and click OK.
    3. Use the CA Process. If you have configured the Domino server-based CA, select a CA configured certifier from the list and click OK.
  4. At this point, the options in the Generate New Certifier Key dialog box change, depending on whether you chose a top-level certifier ID or an intermediate one.
    1. If you chose a top-level certifier ID, the dialog box shows the following information:
      The selected certifier is a top-level certifier and will re-certify itself.

      Click OK. This generates the new key pair and adds it to the top-level certifier ID.

    2. If you chose an intermediate-level certifier ID, the dialog box shows the following information:
      The selected certifier is not a top-level certifier and must be recertified by its parent certifier.

      Click Certify Using.

    The Choose a Certifier dialog box opens again. Follow the substeps from Step 3, this time to specify the parent certifier for the target CA ID file.

Results

The new key pair is generated and added to the top-level certifier ID.

If you chose to assign the keys directly to the certifying certifier's ID file, rather than choosing to use the CA process for key rollover, then key rollover happens immediately. However, if the CA process is chosen, the rollover sequence does not occur until the ID file of the CA being rolled over is opened to issue a certificate. When that happens, the directory on the registration server is searched for new certificates to be added to the certifier ID file.