Setting up an Internet certificate authority
A critical area in security planning is determining whether and how to set up a certificate authority to issue Internet certificates. A certificate authority (CA), or certifier, is a trusted administration tool that issues and maintains digital certificates. Certificates verify the identity of an individual, a server, or an organization, and allow them to use SSL to communicate and to use S/MIME to exchange mail. Certificates are stamped with the certifier's digital signature, which assures the recipients of the certificate that the bearer of the certificate is the entity named in the certificate.
Certifiers can also issue trusted root certificates, which allow clients and servers with certificates created by different CAs to communicate with one another.
Choosing the correct Internet certifier for your organization
You have several options for setting up an Internet certifier for your organization (for the rest of this topic, all references to certifier mean 'Internet' certifier). You can use a third-party commercial certifier, such as VeriSign, or you can use one of the two types of Domino Internet certifiers. There are advantages and disadvantages involved with each type of certifier; the choice you make should be determined by business requirements of your organization, as well as the time and resources available for managing the certifier.
Internet certifiers: Domino compared to third-party
Internet certifier type |
Benefits |
---|---|
Domino certifier |
|
Third-party certifier (VeriSign, RSA, etc.) |
|
Domino Internet certifiers: server-based certification authority compared to Domino 5 certificate authority
You can choose to set up a Domino certification authority which uses the server-based CA process, or a Domino 5 certificate authority which uses a CA key ring.
Domino Internet certifier type |
Benefits |
---|---|
Server-based certification authority |
|
Domino 5 certificate authority |
|
Using both types of Domino Internet CAs in a domain
It is possible to have both types of certifiers -- CA process and CA key ring -- in a domain. However, you must be careful not to have one certifier that uses both a key ring and the CA process to issue Internet certificates. A CA process-enabled certifier tracks the certificates that it issues in an Issued Certificate List, a database accessible to all servers in a domain. On the other hand, a key-ring-style certifier creates logs on whatever workstation on which it is used, so there is no centralized list of issued certificates (just multiple partial lists). Therefore, any certificates issued using the CA process won't be recognized by a CA key ring, just as any certificates that were created using a CA key ring file won't be recognized by the CA process.
This is a problem for Internet certifiers especially, because it is possible to revoke Internet certificates in server-based certification authorities. To revoke an Internet certificate, however, you must select it in the ICL. If the certificate was initially issued using a key ring, it won't appear in the ICL, so it cannot be revoked.
Therefore, it is strongly advised that you choose one way to operate -- CA process or CA key ring -- for each certifier.