Recertifying a certifier ID or a user ID
Use this procedure to recertify a certifier ID or a user ID with the same certifier ID that was used previously to certify the certifier ID or user ID. Certifier IDs are used to certify other certifiers, servers, and users. A certifier ID issues a certificate to another user, server or certifier that is on the hierarchical level immediately subordinate to the certifier. For example, in the Organizational Unit Sales/NYC/RENOVATIONS, NYC is the certifier for Sales; RENOVATIONS is the certifier for NYC. The Organization certifier, in this case RENOVATIONS, can certify itself.
About this task
You can also recertify a user ID with a different certifier ID, that is, a certifier ID other than the one used to previously certify the user ID. Although recertifying a user ID with a different certifier is allowed, it is not recommended that you do so using this procedure. In this case, you are renaming the user, which is a very complex process involving changes to ACLs for various databases, changes to lists of group members, and other related entries. Recertifying a user ID with a different certifier does not invoke the Administration Process, so all changes need to be made manually. To recertify a user with a different certifier ID, we recommend using the Rename tool, and requesting a move to a new certifier.
When you recertify an ID you can:
- Provide a new expiration date for certificates about to expire
- Add a new alternate name to the certifier ID
- Change the minimum password quality
You can recertify any of the following types of IDs:
- Organizational unit
- Server
- User
- Organization certifier (when it is used to certify itself). After recertifying a top-level Organization certifier, also do the following:
  - Recertify and restart each server that has its certificate chain under that top-level organization, so that it pulls the recertified top-level certificate from the directory into its local server ID file.
  - Recertify each OU certifier under the top-level certifier, so that the certificate chain in its ID file is updated with the newly recertified top-level certifier certificate from the directory.
Now, when users authenticate to their home servers, the new certifier certificate is automatically pulled into the local user ID files, so no further action is needed from users.
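The two points above (which certifier issues a given hierarchical name, and why ID files under a recertified Organization certifier carry a stale chain until they pull the new certificate from the directory) can be checked with a small model. The following is an added example, not HCL/IBM code and not the Notes API: it keeps certifier certificates in an in-memory dictionary standing in for the Domino Directory, with constructed serial numbers and dates, and reports chain links that no longer match the directory or that are about to expire.

```python
"""Model of Domino hierarchical names and certifier certificate chains.

Added example: the Certificate/ID structures, serial numbers and dates are
constructed for illustration; the real directory, ID files and Notes API differ.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta

DEFAULT_VALIDITY = timedelta(days=2 * 365)  # default expiration: two years from today


def certifier_for(name):
    """Hierarchical name of the certifier that issues `name`.

    Names are leaf-first: in Sales/NYC/RENOVATIONS, NYC certifies Sales and
    RENOVATIONS certifies NYC. The Organization certifier certifies itself.
    """
    parts = [p for p in name.strip("/").split("/") if p]
    if not parts:
        raise ValueError("empty hierarchical name")
    if len(parts) == 1:
        return "/" + parts[0]
    return "/" + "/".join(parts[1:])


def ancestors(name):
    """Names from the ID's own name up to the Organization, in chain order."""
    parts = [p for p in name.strip("/").split("/") if p]
    return ["/" + "/".join(parts[i:]) for i in range(len(parts))]


@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str
    serial: int   # constructed: bumped on each recertification
    expires: date


def issue(subject, today, validity=DEFAULT_VALIDITY, serial=1):
    """Certify `subject` with the certifier immediately above it."""
    return Certificate(subject, certifier_for(subject), serial, today + validity)


def recertify(cert, today, validity=DEFAULT_VALIDITY):
    """Recertify with the same certifier: issuer unchanged, new expiration date."""
    return replace(cert, serial=cert.serial + 1, expires=today + validity)


def chain_from_directory(name, directory):
    """Chain an ID file holds after pulling the current certifier certs from the directory."""
    return [directory[n] for n in ancestors(name)]


def check_chain(chain, directory, today, warn_within=timedelta(days=90)):
    """Findings for a chain: wrong issuer, broken link, stale or expiring certificate."""
    findings = []
    for cert, parent in zip(chain, chain[1:]):
        if cert.issuer != parent.subject:
            findings.append(f"{cert.subject}: chain link to {cert.issuer} missing")
    for cert in chain:
        expected = certifier_for(cert.subject)
        if cert.issuer != expected:
            findings.append(f"{cert.subject}: issued by {cert.issuer}, expected {expected}")
        current = directory.get(cert.subject)
        if current is not None and current != cert:
            findings.append(f"{cert.subject}: stale (serial {cert.serial}, directory has {current.serial})")
        if cert.expires <= today:
            findings.append(f"{cert.subject}: expired {cert.expires}")
        elif cert.expires - today <= warn_within:
            findings.append(f"{cert.subject}: expires {cert.expires}, recertify soon")
    return findings


def demo(today=date(2024, 1, 15)):
    """Constructed scenario: RENOVATIONS is recertified; the Sales chain is stale until refreshed."""
    names = ("/RENOVATIONS", "/NYC/RENOVATIONS", "/Sales/NYC/RENOVATIONS")
    directory = {n: issue(n, today) for n in names}
    sales_chain = chain_from_directory("Sales/NYC/RENOVATIONS", directory)
    before = check_chain(sales_chain, directory, today)
    later = today + timedelta(days=365)
    directory["/RENOVATIONS"] = recertify(directory["/RENOVATIONS"], later)
    stale = check_chain(sales_chain, directory, later)
    refreshed = check_chain(chain_from_directory("Sales/NYC/RENOVATIONS", directory), directory, later)
    return before, stale, refreshed


if __name__ == "__main__":
    for label, result in zip(("before", "after org recertified", "after refresh"), demo()):
        print(label, result or "ok")
```

The `stale` result is the state of a server or OU certifier ID that has not yet been recertified or restarted after the Organization certifier was recertified; the `refreshed` result is what the page describes for user IDs, which pick up the new certificate automatically on their next authentication.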
Procedure
- From the Domino® Administrator, click Configuration.
- From the tools pane, click .
- In the Choose a Certifier dialog box, make the following selections:

Table 1. Certifier selection options

| Field | Action |
| --- | --- |
| Server | Do one of these: if you are using the Domino® server-based CA, choose the server that is used to access the Domino® Directory to look up the list of certifiers; if you are supplying a certifier ID, select the server that is used to locate the list of certifiers so that the certifier ID file can be updated with the latest set of certificates for itself and all of its ancestors. This is also the server on which CERTLOG.NSF is updated. |
| Supply certifier ID and password | Choose the certifier ID that issued the original certificate. For example, to recertify the certifier ID for /Sales/NYC/RENOVATIONS, choose the /NYC/RENOVATIONS certifier ID, which is NYC.ID. Click Certifier ID to select an ID other than the one displayed, then enter the password for the certifier ID and click OK. Note: Although not recommended, you can choose a different certifier ID to recertify a user ID, instead of using the original certifying ID. |
| Use the CA process | Choose this option to use the server-based certification authority (CA). Select a CA-configured certifier from the list and click OK. |
- In the Choose ID to Certify box, select the certifier ID or user ID that you want to recertify. For example, to recertify Sales/NYC/RENOVATIONS, choose SALES.ID.
- Enter the password and click OK.
- In the Certify ID dialog box, complete the following fields as necessary:

Table 2. Certify ID options

| Field | Enter |
| --- | --- |
| Current server | The registration server for the current certifier ID. (nonmodifiable) |
| Current certifier | The name hierarchy of the certifier that issued the certificate. (nonmodifiable) |
| Expiration date | Specify a certifier ID expiration date other than the default two years from the current date. |
| Primary key | Public half of the primary RSA key pair stored in the Notes® ID file. This RSA key pair is used for electronic signatures on documents and certificates, and for mail encryption when both the sender and the recipient have a North American Notes® license. This key pair is also used for network authentication. (nonmodifiable) |
| International key | The public half of the international RSA key pair. This key pair is used for mail encryption when either the sender or the recipient is running with an International Notes® license. (nonmodifiable) |
| Subject name list | Certifier ID(s) you are working with. |
| Add | Click to add and certify an alternate name. Select the alternate language, country code (optional), and the organization identifier for the language. |
| Rename | Rename the alternate name selected in the Subject name list. This button is not available when recertifying user IDs. This button is enabled only when alternate languages have been assigned. |
| Remove | Removes the alternate name selected in the Subject name list. |
| Password quality | Move the slider to change the level of complexity and variety of characters required for the password. |
- Click Certify.
- Recreate any cross-certificates issued to or by the recertified certifier. See Adding cross-certificates to the Domino Directory or Contacts in Related information.
To confirm that a new cross-certificate is issued:
- From Domino Administrator, click .
- Select the certifier name that issued the cross certificate and then open the entry for the name that was cross certified.
- Click Examine Notes Certificates and verify that the "Activated" date reflects the date when the new cross-certificate was created.