Recertifying a certifier ID or a user ID

Use this procedure to recertify a certifier ID or a user ID with the same certifier ID that was used previously to certify the certifier ID or user ID. Certifier IDs are used to certify other certifiers, servers, and users. A certifier ID issues a certificate to another user, server or certifier that is on the hierarchical level immediately subordinate to the certifier. For example, in the Organizational Unit Sales/NYC/RENOVATIONS, NYC is the certifier for Sales; RENOVATIONS is the certifier for NYC. The Organization certifier, in this case RENOVATIONS, can certify itself.

About this task

You can also recertify a user ID with a different certifier ID, that is, a certifier ID other than the one used to previously certify the user ID. Although recertifying a user ID with a different certifier is allowed, it is not recommended that you do so using this procedure. In this case, you are renaming the user, which is a very complex process involving changes to ACLs for various databases, changes to lists of group members, and other related entries. Recertifying a user ID with a different certifier does not invoke the Administration Process, so all changes need to be made manually. To recertify a user with a different certifier ID, we recommend using the Rename tool, and requesting a move to a new certifier.

When you recertify an ID you can:

  • Provide a new expiration date for certificates about to expire
  • Add a new alternate name to the certifier ID
  • Change the minimum password quality

You can recertify any of the following types of IDs:

  • Organizational unit
  • Server
  • User
  • Organization certifier (when it is used to certify itself)

Important: When you recertify a top-level certifier with an about-to-expire certificate, you need to do the following before the certificate reaches its expiration date:
  • Recertify and restart each server that has its certificate chain under that top-level organization in order to pull the recertified top-level certificate from the directory into its local server ID file.
  • Recertify each OU certifier under the top-level certifier so that the certificate chain in its ID file is updated with the newly recertified top-level certifier certificate from the directory.

Users need to take no further action: when they next authenticate to their home servers, the new certifier certificate is automatically pulled into their local user ID files.
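The reason the Important note requires recertifying the subordinate certifiers, and not just the top-level one, is that each ID file carries its own cached copy of the ancestor certificate chain, and that copy is only refreshed when the ID itself is recertified. The following is an added illustrative model, not Domino code and not any Domino API: names, classes (IDFile, Directory), dates and the two-year default are constructed for the example. It derives each name's certifier by dropping the leftmost component of the hierarchical name (the organization certifies itself, as the page states) and shows an OU certifier's chain failing after the old top-level certificate's expiry date even though the directory already holds the recertified top-level certificate, then passing once the OU certifiers under it are recertified.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


# Hypothetical helper (added example): "Sales/NYC/RENOVATIONS" is certified by
# "NYC/RENOVATIONS", which is certified by "RENOVATIONS"; the organization
# certifier certifies itself.
def parent_certifier(name: str) -> str:
    parts = name.split("/")
    return "/".join(parts[1:]) if len(parts) > 1 else name


@dataclass
class Certificate:
    subject: str
    issuer: str
    expires: date


@dataclass
class IDFile:
    """Simplified ID file: the ID's own certificate plus its cached copy of every
    ancestor certificate, as they were when the ID was last (re)certified."""
    name: str
    chain: list  # Certificate objects, from the ID itself up to the organization

    def validate(self, today: date) -> tuple[bool, str]:
        """Walk the cached chain; one expired or mis-issued link makes the ID unusable."""
        for cert in self.chain:
            if cert.expires < today:
                return False, f"{cert.subject} certificate cached in {self.name} expired {cert.expires}"
            expected = parent_certifier(cert.subject)
            if cert.issuer != expected:
                return False, f"{cert.subject} issued by {cert.issuer}, expected {expected}"
        return True, "chain valid"


class Directory:
    """Stands in for the Domino Directory: the current certificate of each certifier."""

    def __init__(self) -> None:
        self.certs: dict[str, Certificate] = {}

    def recertify(self, subject: str, today: date, years: int = 2) -> Certificate:
        cert = Certificate(subject, parent_certifier(subject), today + timedelta(days=365 * years))
        self.certs[subject] = cert
        return cert

    def build_chain(self, subject: str) -> list:
        """Chain from subject up to the organization, using the directory's current certificates."""
        chain, name = [], subject
        while True:
            chain.append(self.certs[name])
            if parent_certifier(name) == name:
                return chain
            name = parent_certifier(name)


def recertify_id(directory: Directory, id_file: IDFile, today: date) -> None:
    """Recertifying an ID with its original certifier reissues its own certificate
    and refreshes the cached ancestor chain from the directory."""
    directory.recertify(id_file.name, today)
    id_file.chain = directory.build_chain(id_file.name)


def demo() -> dict:
    """Walk through the Important note with constructed dates; returns the three outcomes."""
    d = Directory()
    issued = date(2022, 1, 10)  # constructed: every ID certified for two years on this date
    for name in ("RENOVATIONS", "NYC/RENOVATIONS", "Sales/NYC/RENOVATIONS"):
        d.recertify(name, issued)
    sales = IDFile("Sales/NYC/RENOVATIONS", d.build_chain("Sales/NYC/RENOVATIONS"))
    results = {"before_expiry": sales.validate(date(2023, 6, 1))[0]}

    # The administrator recertifies only the top-level certifier in the directory before it expires.
    d.recertify("RENOVATIONS", date(2023, 12, 1))
    # SALES.ID still carries the old cached RENOVATIONS certificate (expires 2024-01-10):
    # if nothing else is done, its chain is invalid once that date passes.
    results["stale_chain_after_expiry"] = sales.validate(date(2024, 2, 1))[0]

    # Doing what the note says: recertify each OU certifier under the top level, parent first,
    # so each chain picks up the new top-level certificate from the directory.
    nyc = IDFile("NYC/RENOVATIONS", d.build_chain("NYC/RENOVATIONS"))
    recertify_id(d, nyc, date(2023, 12, 15))
    recertify_id(d, sales, date(2023, 12, 15))
    results["after_ou_recertify"] = sales.validate(date(2024, 2, 1))[0]
    return results


if __name__ == "__main__":
    print(demo())
```

Recertifying NYC before Sales matters in this model for the same reason it matters in the procedure: Sales refreshes its chain from the directory, so the directory must already hold NYC's recertified certificate or Sales inherits the stale one.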

Procedure

  1. From the Domino® Administrator, click Configuration.
  2. From the tools pane, click Certification > Certify.
  3. In the Choose a Certifier dialog box, make the following selections:
    Table 1. Certifier selection options (field, followed by the action to take)

    Server
      Do one of these:
      • If you are using the Domino® server-based CA, choose the server that is used to access the Domino® Directory to look up the list of certifiers.
      • If you are supplying a certifier ID, select the server that is used to locate the list of certifiers so that the certifier ID file can be updated with the latest set of certificates for itself and all of its ancestors. This is also the server on which CERTLOG.NSF is updated.

    Supply certifier ID and password
      Choose the certifier ID that issued the original certificate. For example, to recertify the certifier ID for /Sales/NYC/RENOVATIONS, choose the /NYC/RENOVATIONS certifier ID, which is NYC.ID.
      • Click Certifier ID to select an ID other than the one displayed.
      • Enter the password for the certifier ID and click OK.
      Note: Although not recommended, you can choose a different certifier ID to recertify a user ID instead of using the original certifying ID.

    Use the CA process
      Choose this option to use the server-based certification authority (CA). Select a CA-configured certifier from the list and click OK.

  4. In the Choose ID to Certify box, select the certifier ID or user ID that you want to recertify. For example, to recertify Sales/NYC/RENOVATIONS, choose SALES.ID.
  5. Enter the password and click OK.
  6. In the Certify ID dialog box, complete the following fields as necessary:
    Table 2. Certify ID options (field, followed by what to enter)

    Current server
      The registration server for the current certifier ID. (nonmodifiable)

    Current certifier
      The name hierarchy of the certifier that issued the certificate. (nonmodifiable)

    Expiration date
      Specify a certifier ID expiration date other than the default of two years from the current date.

    Primary key
      The public half of the primary RSA key pair stored in the Notes® ID file. This RSA key pair is used for electronic signatures on documents and certificates, and for mail encryption when both the sender and the recipient have a North American Notes® license. This key pair is also used for network authentication. (nonmodifiable)

    International key
      The public half of the international RSA key pair. This key pair is used for mail encryption when either the sender or the recipient is running with an International Notes® license. (nonmodifiable)

    Subject name list
      The certifier ID(s) you are working with.

    Add
      Click to add and certify an alternate name. Select the alternate language, country code (optional), and the organization identifier for the language.

    Rename
      Renames the alternate name selected in the Subject name list. This button is not available when recertifying user IDs, and is enabled only when alternate languages have been assigned.

    Remove
      Removes the alternate name selected in the Subject name list.

    Password quality
      Move the slider to change the required level of complexity and variety of characters in the password.

  7. Click Certify.
  8. Recreate any cross-certificates issued to or by the recertified certifier. See Adding cross-certificates to the Domino Directory or Contacts in Related information.
    To confirm that a new cross-certificate is issued:
    1. From Domino Administrator, click People & Groups > Certificates > Notes Cross Certificates.
    2. Select the certifier name that issued the cross-certificate and then open the entry for the name that was cross-certified.
    3. Click Examine Notes Certificates and verify that the "Activated" date reflects the date when the new cross-certificate was created.