Signing an Internet client certificate and adding the certificate to the Domino® Directory

When a CA signs an Internet client certificate, the CA adds a digital signature to the certificate and, if you are using a Domino® CA, adds the public key to the Domino® Directory. If you are using a third-party CA, you must complete additional steps to add the public key to the Domino® Directory.

About this task

You do not need to complete these steps if you are using a Notes® client and the CA issued certificates in the Person document of the Domino® Directory. Notes® automatically adds Internet certificates stored in the Person document to the Notes® ID file when the user authenticates with the server.

The steps you follow to sign and add an Internet client certificate to the Domino® Directory depend on whether the certificate is issued from a Domino® server-based certification authority, a Domino® 5 Certificate Authority, or a third-party CA.

Before you approve client certificates for signing:

  • Make sure you understand your organization's policy on signing certificates. Sign client certificates for clients if the certificate requests comply with your organization's security policy.
  • Make sure you have the Administration Process set up on the server. If you are signing a certificate for an Internet client, make sure you created a Person document.

Domino® server-based certification authority

About this task

The steps are completed by the Domino® CA. You must be a registration authority (RA) to approve client certificates for signing.

Procedure

  1. From the Domino® Administrator, click Files, and open the Domino® Certificate Requests application.
  2. Transfer the certificate request into the Administration Requests database.
    1. In the Certificate Requests database, open the Pending/Submitted Requests view. Press F9 to refresh the view if the client request does not appear there.
    2. If the view shows that the request has been Submitted to Administration Process, go to the next step. If it is still in the Pending state, highlight the request and click Submit Selected Requests.
    3. You should see a Successfully submitted 1 request(s) to the Administration Process message. Click OK.
  3. Approve or deny the request.
    1. Open the Administration Requests database (ADMIN4.NSF), open the Certification Authority Requests/Certificate Requests view, and find the new client request.
    2. Open the request and verify the information in it.
    3. Click Edit Request, and then click either Approve Request or Reject Request. Press F9 to make sure that the request changes state, from New to Approved (or Rejected).
  4. Transfer the certificate request out of the Administration Requests database.
    1. Close the Administration Requests database and return to the Certificate Requests database.
    2. Open the Issued/Rejected Certificates view and locate the client request (you may need to refresh the view).
  5. Notify the user who requested the client certificate.
    1. If you enabled the option for email confirmation upon completion of the client request, then once the request is approved, the CA automatically notifies the requester to pick up the certificate. If the request is denied, the CA sends the requester email indicating that the request was rejected.
    2. If you did not enable the option for email confirmation upon completion of the client request, then you need to click Send Confirmation Mail to notify the requester of the outcome.

Results

Note: If the Certificate Requests database is configured for automatic request processing, then client requests are sent to the Administration Requests database automatically by the database. The Registration Authority then only needs to approve or reject the request.

Domino® 5 Certificate Authority

About this task

The Internet certificate request appears in the Client Certificate Requests view in the Domino® Certificate Authority application. When the CA signs a certificate, the CA can automatically send email to the client. This email describes where to pick up the certificate and includes a pickup ID, which the client must use to identify the certificate during the pickup process. Domino® automatically generates the pickup ID.

Note: The following steps apply to signing client certificates issued by a Domino® CA. The steps are completed by the Domino® CA.

Procedure

  1. From the Domino® Administrator, click Files, and open the Domino® Certificate Authority application.
  2. Click Client Certificate Requests.
  3. Open the request you want to sign.
  4. Review the user information and distinguished name. Make sure the information provided complies with your organization's security policy.
  5. Leave the option Register certificate in the Domino Directory selected to add the client's public key automatically to the Person document.

    If you want to deny the request, complete step 6. Otherwise, go to step 7.

  6. To deny the request:
    1. Enter a reason for the denied request.
    2. If you do not want to send the person email, deselect Send a notification email to the requester. Otherwise, the Domino® Certificate Authority application sends the person email indicating that you denied the request and the reason why you denied the request.
    3. Click Deny.
  7. To approve the request:
    1. Enter a validity period. For short-term projects, 90 days is typical; for ongoing projects, you can enter several years.
    2. If you do not want to send the client email indicating that the client can now pick up the certificate, deselect Send a notification email to the requester. Otherwise, the Domino® Certificate Authority application sends an email with a URL indicating the location to pick up the certificate.
    3. Click Approve and enter the password for the CA key ring file. This places a request in the Administration Requests database. When the Administration Process next runs, it processes the request and adds the certificate to the client's Person document in the Domino® Directory.
      Note: The client cannot use the certificate to authenticate against database ACLs until the Administration Process completes the request.

Third-party CA

About this task

If a user obtains an Internet certificate from a third-party CA using the Notes® client, the certificate is automatically added to their Person document.

If a user obtains an Internet certificate from a third-party CA through a browser, the certificate must then be added to their Person document.