Certifier IDs and certificates

Certifier IDs and certificates form the basis of IBM® Domino® security. To place servers and users correctly within your organization's hierarchical name scheme, you create a certifier ID for each branch on the name tree. You use the certifiers during server and user registration to "stamp" each server ID and user ID with a certificate that defines where each belongs in the organization. Servers and users who belong to the same name tree can communicate with each other; servers and users who belong to different name trees need a cross-certificate to communicate with each other.

Note: You can register servers and users without stamping each server ID and user ID if you have migrated the certifier to a Domino® server-based certification authority (CA).

Each time you create a certifier ID, Domino® creates a certifier ID file and a Certifier document. The ID file contains the ID that you use to register servers and users. The Certifier document serves as a record of the certifier ID and stores, among other things, its hierarchical name, the name of the certifier ID that issued it, and the names of certificates associated with it.

Note: During server setup, you can use an existing certifier ID instead of creating a new one. The certifier ID that you specify cannot have multiple passwords assigned to it. Attempting to use a certifier ID with multiple passwords generates an error message and causes server setup to halt.

There are two types of certifier IDs: organization and organizational unit.

  • Organization certifier ID

    The organization certifier appears at the beginning of the name tree and is usually the name of the company -- for example, Renovations. During first server setup, the Server Setup program creates the organization certifier and stores the organization certifier ID file in the Domino® data directory, giving it the name CERT.ID. During first server setup, this organization certifier ID automatically certifies the first Domino® server ID and the administrator's user ID.

    If your company is large and decentralized, you might want to use the Domino® Administrator after server setup to create a second organization certifier ID to allow for further name differentiation -- for example, to differentiate between company subsidiaries.

  • Organizational unit certifier IDs

    The organizational unit certifiers are at all the branches of the tree and usually represent geographical or departmental names -- for example, East/Renovations or Sales/East/Renovations. If you choose to, you can create a first-level organizational unit certifier ID during server setup, with the result that the server ID and administrator's user ID are stamped with the organizational unit certifier rather than with the organization certifier. If you choose not to create this organizational unit certifier during server setup, you can always use the Domino® Administrator to do it later -- just remember to recertify the server ID and administrator's user ID.

    You can create up to four levels of organizational unit certifiers. To create first-level organizational unit certifier IDs, you use the organization certifier ID. To create second-level organizational unit certifier IDs, you use the first-level organizational unit certifier IDs, and so on.

    Using organizational unit certifier IDs, you can decentralize certification by distributing individual certifier IDs to administrators who manage users and servers in specific branches of the company. For example, the Renovations company has two administrators. One administers servers and users in West/Renovations and has access to only the West/Renovations certifier ID, and the other administers servers and users in East/Renovations and has access to only the East/Renovations certifier ID.
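The name tree described above can be modelled in a few lines: each certifier stamps the certifiers and IDs beneath it, an ID's hierarchical name reads back up to exactly one organization certifier, and two IDs authenticate directly only when they share that organization certifier. The following Python is an added illustration written for this page, not IBM Domino code; the class names, the `register` and `can_authenticate` functions, and the sample company "Acme" are all assumptions, and cross-certificates are simplified to an unordered pair of organization names (real Domino cross-certificates are directional and can also be issued at the organizational unit level).

```python
"""Toy model of a Domino-style hierarchical name tree (illustration, not IBM code).

Each certifier "stamps" the certifiers and IDs below it with a certificate that
records the issuer, so every ID's hierarchical name reads back up to one
organization certifier. IDs under the same organization certifier share a
name tree; IDs under different organization certifiers need a cross-certificate.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Set

MAX_OU_LEVELS = 4  # the page allows up to four levels of organizational unit certifiers


@dataclass(frozen=True)
class Certifier:
    name: str                             # e.g. "East" or "Renovations"
    parent: Optional["Certifier"] = None  # None marks an organization certifier

    @property
    def hierarchical_name(self) -> str:
        # Walk up to the root, producing e.g. "Sales/East/Renovations"
        return self.name if self.parent is None else f"{self.name}/{self.parent.hierarchical_name}"

    @property
    def ou_level(self) -> int:
        # The organization certifier is level 0; each OU certifier below it adds one
        return 0 if self.parent is None else self.parent.ou_level + 1

    def create_ou_certifier(self, name: str) -> "Certifier":
        """Use this certifier ID to create the next-level OU certifier (assumed API)."""
        if self.ou_level + 1 > MAX_OU_LEVELS:
            raise ValueError(
                f"{self.hierarchical_name} is already at OU level {MAX_OU_LEVELS}; "
                "no deeper organizational unit certifiers are allowed")
        return Certifier(name, self)


@dataclass(frozen=True)
class Certificate:
    subject: str  # hierarchical name of the stamped server or user ID
    issuer: str   # hierarchical name of the certifier that stamped it


@dataclass(frozen=True)
class IdFile:
    """A server or user ID, stamped at registration by exactly one certifier."""
    common_name: str
    certificate: Certificate

    @property
    def hierarchical_name(self) -> str:
        return self.certificate.subject


def register(common_name: str, certifier: Certifier) -> IdFile:
    """Registration: the certifier stamps the new ID with a certificate naming itself as issuer."""
    subject = f"{common_name}/{certifier.hierarchical_name}"
    return IdFile(common_name, Certificate(subject, certifier.hierarchical_name))


def organization_of(id_file: IdFile) -> str:
    # The last component of the hierarchical name is the organization certifier
    return id_file.hierarchical_name.rsplit("/", 1)[-1]


def can_authenticate(a: IdFile, b: IdFile, cross_certs: Set[FrozenSet[str]]) -> bool:
    """Same name tree: allowed. Different trees: only if a cross-certificate exists.

    Simplification (assumption): a cross-certificate is an unordered pair of
    organization names; real Domino cross-certificates are directional and
    may be issued at OU level as well.
    """
    org_a, org_b = organization_of(a), organization_of(b)
    if org_a == org_b:
        return True
    return frozenset({org_a, org_b}) in cross_certs


def build_example() -> dict:
    """Constructed sample tree following the page's Renovations example."""
    renovations = Certifier("Renovations")              # the CERT.ID organization certifier
    east = renovations.create_ou_certifier("East")       # East/Renovations
    west = renovations.create_ou_certifier("West")       # West/Renovations
    sales_east = east.create_ou_certifier("Sales")       # Sales/East/Renovations
    acme = Certifier("Acme")                             # a second, unrelated company (constructed)
    mail_server = register("Mail-East", sales_east)
    alice = register("Alice Smith", west)
    bob = register("Bob Jones", acme)
    return {"east": east, "sales_east": sales_east,
            "mail_server": mail_server, "alice": alice, "bob": bob}


if __name__ == "__main__":
    ex = build_example()
    print(ex["mail_server"].hierarchical_name)                      # Mail-East/Sales/East/Renovations
    print(can_authenticate(ex["mail_server"], ex["alice"], set()))  # True: same name tree
    print(can_authenticate(ex["alice"], ex["bob"], set()))          # False: needs a cross-certificate
```

The model also enforces the four-level limit: an attempt to create a fifth-level organizational unit certifier from a fourth-level one is rejected, which mirrors the decentralization pattern in the text, where an administrator holding only the West/Renovations certifier can register IDs beneath West/Renovations and nowhere else.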

By default, the Server Setup program stores the certifier ID file in the directory you specify as the Domino® data directory. When you use the Domino® Administrator to create an additional organization certifier ID or organizational unit certifier ID, you specify where you want the ID stored. To ensure security, store certifiers in a secure location -- such as a disk locked in a secure area.

To provide ID and password recovery for IBM® Notes® users, you need to set up recovery information for each certifier ID. Before you can recover user ID files, you need access to the certifier ID file to specify the recovery information, and the user ID files themselves must be made recoverable. There are three ways to do this:

  • At user registration, create the ID file with a certifier ID that contains recovery information.
  • Export recovery information from the certifier ID file and have the user accept it.
  • (Only for servers using the server-based certification authority) Add recovery information to the certifier. Then, when existing users authenticate to their home server, their IDs are automatically updated.