User and server key rollover

Key rollover is the process used to update the set of Notes® public and private keys that is stored in user and server ID files. Periodically, this set of keys may need to be replaced -- as a precaution against undetected compromise of the private key; as a remedy to recover from a known compromise of the private key; or to increase security by updating to a larger key.

About this task

To configure triggers that initiate user key rollover, use a security settings policy document. To configure triggers that initiate server key rollover, use a Server document. Triggers include:

  • Existing key size
  • Issue date of existing key
  • Age of existing key

To configure user key rollover

To configure server key rollover

To configure user key rollover

Administrators can use key rollover to deploy replacement keys to groups of users through a Security settings policy document. For information, see Enabling key rollover in the topic Creating a security policy settings document.

Notes® users can also trigger key rollover by using the Create New Public Keys option in the User Security dialog box. If they choose Authentication protocol to as the certificate request method, the current keys are rolled over just as if it were triggered by a policy setting. If they choose Mail Protocol, the Domino® 6 and earlier mail method is used.

When a policy has been established, or if the user has triggered key rollover through the User Security dialog box, the next time the user authenticates with the home server, key rollover information is written to the ID file. When a trigger condition occurs and a user accepts the prompt to allow key rollover, key rollover is initiated and new keys are created in the user ID file and marked pending. When the user authenticates with the home server after the new/pending keys are generated, a Certify New Key Request is created in the Administration Requests database.

To complete the key rollover process:

Procedure

  1. In the Domino® Administrator, open the Administration Requests database.
  2. In the Certify New Key Requests view, select the request for the user, and then click Certify Selected Entries.
  3. In the Choose a Certifier dialog box, do one of the following:
    • If you are using a server-based certification authority, choose one from the drop-down list.
    • If you use the certifier ID, provide the certifier ID location and password.

    When the request is completed and the new keys are certified, the Person document is updated with new key and certificate information.

  4. In the Certificate Expiration Date dialog box, verify that the date is correct and click OK.
  5. In the Processing Statistics dialog box, verify that there are no failures and click OK.

Results

When the user next authenticates with the home server, a dialog box appears, asking the new user if they want to accept the new public keys. The user must click OK to accept the new certificates. The new/pending keys in the user's ID file are activated and the old keys are archived. The archived keys remain in the ID file so they are available to decrypt documents that were encrypted with that key.
Note: If user IDs are in an ID vault and enforce key checking is enabled in the Compare public keys field in the Security tab of a Server document, a user may be unable to log on to the server shortly after the key rollover. This occurs when the new key in the Person document is not yet in the local ID file because the Notes client hasn't synced with the vault. In this situation, the user can delete the local ID file or click File > Security > User Security and ID Vault Sync to download the latest ID file from the vault. The option Log public key mismatches near the Compare public keys field can help detect IDs for which this is a problem.

To configure server key rollover

Procedure

  1. In the Server document, click Administration.
  2. Complete the following fields:
    Table 1. Public Key Requirements fields

    Field

    Action

    Minimum allowable key strength

    Specify the weakest key size allowed for a server ID. Keys weaker than this will be rolled over.

    • No minimum (default)
    • Compatible with all releases (630 bits).
    • Compatible with Release 6 and later (1024 bits).
    • Compatible with Release 7 and later (2048 bits).

    Maximum allowable key strength

    Specify the strongest key size allowed. Keys stronger than this will be rolled over:

    • Compatible with all releases (630 bits).
    • Compatible with Release 6 and later (1024 bits) (default).
    • Compatible with Release 7 and later (2048 bits).

    Preferred key strength

    Specify the key strength to be used when a key is rolled over:

    • Compatible with all releases (630 bits).
    • Compatible with Release 6 and later (1024 bits) (default).
    • Compatible with Release 7 and later (2048 bits).

    Maximum allowable age for key

    Specify the maximum age, in days, that a key can reach before needing to be rolled over. Default is 36500 days (100 years)

    Earliest allowable key creation date

    Any key created prior to this date will be rolled over.

    Don't automatically generate a new key before

    Specify the earliest date on which keys not meeting key width requirements can be rolled over

    Maximum number of days the old key should remain valid after the new key has been created

    Specify the length of time that the old key can be used during network authentication. During Notes® key verification, all of the certificates, old and new, and all of the rollover keys are organized into a tree. That tree is traversed looking for a set of certificates that can be chained together to verify the key. If a certificate has expired, it cannot be used in that chain. When rolling over a key because you fear that it has been compromised, it is a good idea to set a short value for the length of time the old certificates issued to that key can be used. Valid values for this setting are 1 to 36500 days, and the default is 365.

  3. Close and save the document. Key rollover information is written to the server ID file. When a trigger condition occurs, key rollover is initiated and new keys are created in the server ID file and marked pending.
  4. Restart the server.
  5. In the Domino® Administrator, open the Administration Requests database.
  6. In the Certify New Key Requests view, select the request for the server, and then click Certify Selected Entries.
  7. In the Choose a Certifier dialog box, do one of the following:
    • If you are using a server-based certification authority, choose one from the drop-down list.
    • If you use the certifier ID, provide the certifier ID location and password.
  8. In the Certificate Expiration Date dialog box, verify that the date is correct and click OK.
  9. In the Processing Statistics dialog box, verify that there are no failures and click OK.
  10. At the server console, type tell adminp process all to complete the key certification processing.
  11. Type restart server.

Results

Restarting the server causes the server to read its configuration and accept the new certified keys.