Signing an Internet client certificate and adding the certificate to the Domino Directory
When a CA signs an Internet client certificate, the CA adds a digital signature to the certificate and, if you are using a Domino® CA, adds the public key to the Domino Directory. If you are using a third-party CA, you must complete additional steps to add the public key to the Domino Directory.
About this task
You do not need to complete these steps if you are using a Notes® client and the CA issued certificates in the Person document of the Domino Directory. Notes automatically adds Internet certificates stored in the Person document to the Notes ID file when the user authenticates with the server.
The steps you follow to sign and add an Internet client certificate to the Domino Directory depend on whether the certificate is issued from a Domino server-based certification authority, a Domino 5 Certificate Authority, or a third-party CA.
Before you approve client certificates for signing:
- Make sure you understand your organization's policy on signing certificates. Sign client certificates for clients if the certificate requests comply with your organization's security policy.
- Make sure you have the Administration Process set up on the server. If you are signing a certificate for an Internet client, make sure you created a Person document.
Domino server-based certification authority
About this task
The steps are completed by the Domino CA. You must be a registration authority (RA) to approve client certificates for signing.
Procedure
- From the Domino Administrator, click Files, and open the Domino Certificate Requests application.
- Transfer the certificate request into the Administration Requests database.
  - In the Certificate Requests database, open the Pending/Submitted Requests view. Press F9 to refresh the view if the client request does not appear there.
  - If the view shows that the request has been Submitted to Administration Process, go to the next step. If it is still in the Pending state, highlight the request and click Submit Selected Requests.
  - You should see a Successfully submitted 1 request(s) to the Administration Process message. Click OK.
- Approve or deny the request.
  - Open the Administration Requests database (ADMIN4.NSF), open the Certification Authority Requests/Certificate Requests view, and find the new client request.
  - Open the request and verify the information in it.
  - Click Edit Request, and then click either Approve Request or Reject Request. Press F9 to make sure that the request changes state, from New to Approved (or Rejected).
- Transfer the certificate request out of the Administration Requests database.
  - Close the Administration Requests database and return to the Certificate Requests database.
  - Open the Issued/Rejected Certificates view and locate the client request (you may need to refresh the view).
- Notify the user who requested the client certificate.
  - If you enabled the option for email confirmation upon completion of the client request, then once the request is approved, the CA automatically notifies the requester to pick up the certificate. If it is denied, it sends the requester email indicating that the request was rejected.
  - If you did not enable the option for email confirmation upon completion of the client request, you need to click Send Confirmation Mail to notify the requester of the outcome.
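The approval step above ("Open the request and verify the information in it") is a judgment made in the Domino Administrator. The following shell script is an added example, not part of this documentation or of Domino, showing the equivalent checks an RA can make on a request with openssl: that the request's self-signature is valid, that its subject matches the Person document it is intended for, and, after signing, that the issued certificate chains to the CA. The test CA, the user name Jane Doe and the address jdoe@example.com are constructed for the example; nothing touches a real Domino Directory.

```shell
#!/bin/sh
# Added example, not Domino's own tooling: offline checks on an Internet client
# certificate request before approval and on the issued certificate afterwards.
# All material is constructed in a temporary directory that is removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test CA standing in for the organisation's CA (assumption).
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/O=Example Org/CN=Example Test CA" >/dev/null 2>&1
}

# Constructed client request, as a browser user would submit one.
# $1 = common name, $2 = email address
make_client_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" \
    -subj "/O=Example Org/CN=$1/emailAddress=$2" >/dev/null 2>&1
}

# "Verify the information in the request": the CSR's self-signature must be
# valid (the requester holds the private key) and its subject must match the
# Person document we expect. Returns 0 only when both checks pass.
# $1 = CSR file, $2 = expected common name, $3 = expected email address
check_csr() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  subj=$(openssl req -in "$1" -noout -subject)
  # Both the "CN = x" (OpenSSL 1.1+) and "/CN=x" (older) subject layouts are accepted.
  case "$subj" in
    *"CN = $2"*|*"CN=$2"*) ;;
    *) return 1 ;;
  esac
  case "$subj" in
    *"emailAddress = $3"*|*"emailAddress=$3"*) ;;
    *) return 1 ;;
  esac
  return 0
}

# Approve the request: sign it with the test CA.
sign_csr() {
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/client.pem" >/dev/null 2>&1
}

# After issuance: the certificate must chain to the CA that signed it.
verify_issued() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/client.pem" >/dev/null 2>&1
}

# Full walk-through: build CA and request, check, sign, verify.
# Also confirms that a request whose subject does not match the expected
# Person record is rejected by check_csr.
run_demo() {
  make_test_ca
  make_client_csr "Jane Doe" "jdoe@example.com"
  check_csr "$WORK/client.csr" "Jane Doe" "jdoe@example.com" || return 1
  if check_csr "$WORK/client.csr" "Someone Else" "jdoe@example.com"; then return 1; fi
  sign_csr
  verify_issued
}

if run_demo; then
  echo "request verified, signed, and chain-checked"
else
  echo "check failed" >&2
  exit 1
fi
```

The subject comparison is deliberately strict: a request whose CN or email does not match the Person document it is meant for is the case an RA should reject rather than correct, since the issued certificate binds exactly the name in the request.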
Domino 5 Certificate Authority
About this task
The Internet certificate request appears in the Client Certificate Requests view in the Domino Certificate Authority application. When the CA signs a certificate, the CA can automatically send email to the client. This email describes where to pick up the certificate and includes a pickup ID, which the client must use to identify the certificate during the pickup process. Domino automatically generates the pickup ID.
Procedure
Third-party CA
About this task
If a user obtains an Internet certificate from a third-party CA using the Notes client, the certificate is automatically added to their Person document.
If a user obtains an Internet certificate from a third-party CA through a browser, the certificate must then be added to their Person document.