Creating the Certificate Requests database

Each Internet certifier you create requires a Certificate Requests database (CERTREQ.NSF) to manage the server keyring file and allow users to request client certificates from the browser or through email. This database stores active certificate and revocation requests that have been submitted to the Administration Process for processing. Using a browser-based interface, servers and clients request certificates and pick up issued certificates.

About this task

You can store Certificate Requests databases on any server in the domain, including servers that reside outside of a network firewall.

For more information on using the Certificate Requests database to process certificate requests, see the related information.

Procedure

  1. Choose File > Application > New and select the server to store the Certificate Requests database.
  2. Enter the database title, for example Certificate Requests.
  3. Enter the file name, for example certreq.nsf.
  4. Choose the Certificate Requests template (CERTREQ.NTF).
  5. Click OK. When the Certificate Requests database has been created, it will open and the "About..." document will appear.
  6. Close the "About..." document, and the Database Configuration form will appear.
  7. In the Database Administration section, complete these fields:
    Table 1. Database Administration section

    Field: Supported CA
    Action: Do the following:

    1. In the Server field, enter the name of the server that hosts the Internet certifier.
    2. In the Certifier field, enter the name of the Internet certifier to associate with the Certificate Requests database.

    Field: Supported certificate types
    Action: Choose one:

    • Client certificates only -- Select this option if the certifier will issue client Internet certificates. Do not select this option if you want to create a server key ring for TLS. If you select this option, you must customize client requests.
    • Server certificates only -- Select this option if the certifier will issue server Internet certificates. If you select this option, you must customize server requests.
    • Both client and server certificates -- Select this option if the certifier will issue both client and server Internet certificates. If you select this option, you must customize both server and client requests.
  8. Optional: In the Client Request Customization section, complete these fields:
    Table 2. Client Request Customization section

    Field: Validity period
    Action: Enter the number of years that client requests generated with this database will specify as a validity period, beginning at the time of request submission. Default is 1 year.

    Field: Key usages
    Action: Choose the default key usage that will be submitted in client certificate requests generated from this database. Default settings are Key Encipherment and Digital Signature, which are sufficient for a client S/MIME certificate.

    Field: Extended key usages
    Action: Choose the default extended key usage that will be submitted in client certificate requests generated from this database. Default settings are Client Authentication and Email Protection.

  9. Optional: In the Server Request Customization section, complete these fields:
    Table 3. Server Request Customization fields

    Field: Validity period
    Action: Enter the number of years that server requests generated with this database will specify as a validity period, beginning at the time of request submission. Default is 1 year.

    Field: Key usages
    Action: Choose the default key usage that will be submitted in server certificate requests generated from this database. Default settings are Key Encipherment and Digital Signature, which are sufficient for a TLS server certificate.

    Field: Extended key usages
    Action: Specifies the default extended key usage that will be submitted in server certificate requests generated from this database. Default is Server Authentication.

  10. For Processing method, choose the method by which requests are submitted to the Administration Process:
    • Manual (default) -- Choose this if you want an administrator to review requests submitted to the Certificate Requests database and approve or deny each request individually before it is submitted to the Administration Request database (admin4.nsf) for further processing.
    • Automatic -- Choose this to have requests submitted to the Administration Request database processed without administrator intervention. Requests will be approved or denied according to the certificate policy. If this method is chosen, the Automatic Transfer Server field appears, in which you need to specify the server running the administration process and to which certificate requests will automatically be transferred.
      Note: If the Automatic method is chosen, the administrator (signer of the agent) must be listed in the group of users who can run unrestricted methods and operations on the server. This can be set on the Security tab in the Server document. There must also be a replica of the Certificate Requests database on the specified transfer server.
  11. For Mail notification, choose whether or not to send e-mail notification when a certificate request has been processed by the CA.
    • Yes (default) -- Choose this if you want the requester to be notified by e-mail when a certificate request has been processed by the CA.
    • No -- Choose this if you do not want the requester to be notified by e-mail when a certificate request has been processed by the CA.
  12. Click Save & Close.
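
The following check is an added example, not part of the product documentation: it compares the text that `openssl x509 -noout -text` prints for an issued certificate with the default key usage, extended key usage and validity settings described in steps 8 and 9, which is useful for spot-checking certificates issued under the Automatic processing method. The function names and both sample inputs are constructed for illustration; the usage names are OpenSSL's labels for the defaults listed above.

```python
import re
from datetime import datetime

# Request defaults stated on this page, spelled the way
# `openssl x509 -noout -text` prints each usage.
PROFILES = {
    "client": {"ku": {"Digital Signature", "Key Encipherment"},
               "eku": {"TLS Web Client Authentication", "E-mail Protection"},
               "years": 1},
    "server": {"ku": {"Digital Signature", "Key Encipherment"},
               "eku": {"TLS Web Server Authentication"}, "years": 1},
}

# Constructed sample: decoded server certificate that drifted from the profile.
SAMPLE_SERVER = """\
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Jan  1 00:00:00 2026 GMT
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
"""
# Constructed sample: client certificate that matches the defaults.
SAMPLE_CLIENT = SAMPLE_SERVER.replace("2026", "2025").replace(
    "TLS Web Server Authentication, TLS Web Client Authentication",
    "TLS Web Client Authentication, E-mail Protection")

def _values(text, label):
    """Values printed on the line after an 'X509v3 <label>:' header."""
    m = re.search(rf"X509v3 {label}:[^\n]*\n\s*([^\n]+)", text)
    return {v.strip() for v in m.group(1).split(",")} if m else set()

def _date(text, label):
    m = re.search(rf"{label}\s*:\s*(.+?) GMT", text)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")

def check_profile(text, kind):
    """Return the deviations of one decoded certificate from its profile."""
    p, findings = PROFILES[kind], []
    ku, eku = _values(text, "Key Usage"), _values(text, "Extended Key Usage")
    if ku != p["ku"]:
        findings.append(f"key usage {sorted(ku)} differs from profile")
    if eku != p["eku"]:
        findings.append(f"extended key usage {sorted(eku)} differs from profile")
    days = (_date(text, "Not After") - _date(text, "Not Before")).days
    if days > 366 * p["years"]:
        findings.append(f"validity of {days} days exceeds {p['years']} year(s)")
    return findings

print(check_profile(SAMPLE_SERVER, "server"))
```

If the Validity period, Key usages or Extended key usages fields were changed from their defaults, edit `PROFILES` to match before running the check.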