Setting up an Internet certificate authority

A critical area in security planning is determining whether and how to set up a certificate authority to issue Internet certificates. A certificate authority (CA), or certifier, is a trusted administration tool that issues and maintains digital certificates. Certificates verify the identity of an individual, a server, or an organization, and allow them to use TLS to communicate and to use S/MIME to exchange mail. Certificates are stamped with the certifier's digital signature, which assures the recipients of the certificate that the bearer of the certificate is the entity named in the certificate.

Certifiers can also issue trusted root certificates, which allow clients and servers with certificates created by different CAs to communicate with one another.

Note: It's important to distinguish between Notes® certifiers and Internet certifiers. When you install and set up the first Domino® server in a domain, a Notes® certifier is automatically set up to issue Notes® certificates to Notes® clients. These certificates are essential for Notes® clients to authenticate with a Domino® server and for Domino® servers to authenticate one another. Hence Notes® certifiers are important even in an environment with all Web clients. An Internet certifier, such as those discussed here, issues Internet (X.509) certificates, which are required for secure communication over the Internet. You set up Internet certifiers on an as-needed basis.

Choosing the correct Internet certifier for your organization

You have several options for setting up an Internet certifier for your organization (for the rest of this topic, all references to a certifier mean an 'Internet' certifier). You can use a third-party commercial certifier, such as VeriSign, or you can use one of the two types of Domino® Internet certifiers. Each type of certifier has advantages and disadvantages; your choice should be determined by the business requirements of your organization, as well as the time and resources available for managing the certifier.

Internet certifiers: Domino® compared to third-party

Table 1. Internet certifiers

Internet certifier type: Domino® certifier

Benefits:
  • Avoid the expenses that a third-party certifier charges to issue and renew client and server certificates.
  • Many administrators are already familiar with Domino®, so they will not require the additional training that a third-party certifier would need.
  • Easier and quicker to set up and deploy new certificates as needed.

Internet certifier type: Third-party certifier (VeriSign, RSA, etc.)

Benefits:
  • Can simplify client configuration. If you get certificates from a certifier that is pre-configured as trusted by the browsers you use, it saves a step in client configuration.
  • Similarly, if the certifier is pre-configured as trusted in the mail clients of the external businesses with which you are exchanging S/MIME mail, it will save them a configuration step.

Domino® Internet certifiers: server-based certification authority compared to Domino® 5 certificate authority

You can choose to set up either a Domino® certification authority, which uses the server-based CA process, or a Domino® 5 certificate authority, which uses a CA key ring.

Table 2. Domino® Internet certifiers

Domino® Internet certifier type: Server-based certification authority

Benefits:
  • Administrators can manage both Notes® and Internet certifiers through the CA process.
  • Issues Internet certificates that are compliant with security industry standards (such as X.509v3 and PKIX).
  • Does not require administrator access to the certifier ID and ID password in order to register users and servers. This allows administrators to delegate these tasks without potentially compromising the certifier.
  • Supports the PKIX registration authority (RA) role, which allows administrators to delegate the certificate approval/denial process.
  • Issues certificate revocation lists (CRLs), which contain information about revoked or expired Internet certificates.

Domino® Internet certifier type: Domino® 5 certificate authority

Benefits:
  • Provides a simple means by which to set up an Internet certifier for testing or demonstration purposes.

Using both types of Domino® Internet CAs in a domain

It is possible to have both types of certifiers -- CA process and CA key ring -- in a domain. However, you must be careful not to have a single certifier that uses both a key ring and the CA process to issue Internet certificates. A CA process-enabled certifier tracks the certificates that it issues in an Issued Certificate List (ICL), a database accessible to all servers in a domain. A key-ring-style certifier, on the other hand, creates logs on whichever workstation it is used on, so there is no centralized list of issued certificates (just multiple partial lists). Therefore, any certificates issued using the CA process won't be recognized by a CA key ring, just as any certificates created using a CA key ring file won't be recognized by the CA process.

This is a particular problem for Internet certifiers, because server-based certification authorities can revoke Internet certificates. To revoke an Internet certificate, however, you must select it in the ICL. If the certificate was initially issued using a key ring, it won't appear in the ICL, so it cannot be revoked.

Therefore, it is strongly advised that you choose one way to operate -- CA process or CA key ring -- for each certifier.
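The following Python model, built with the `cryptography` package, is an added example and is not Domino code or part of the original topic. It illustrates the two points above: a certificate is trusted because it carries the certifier's signature (and is checked against a CRL the certifier signed), and a certifier can only revoke serial numbers it has on its own issued list. The `Certifier` class, its `issued` dictionary (standing in for the ICL) and the `accept` function are hypothetical names; `issue(..., record=False)` models a key-ring issuance that the central list never sees.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime.now(dt.timezone.utc)


def _template(cn, pub, is_ca, issuer=None):
    # X.509v3 skeleton shared by the root and server certificates; the caller applies the signature.
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer or subject).public_key(pub)
            .serial_number(x509.random_serial_number()).not_valid_before(NOW - dt.timedelta(hours=1))
            .not_valid_after(NOW + dt.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))


class Certifier:
    def __init__(self, cn):
        self.key = ec.generate_private_key(ec.SECP256R1())
        self.cert = _template(cn, self.key.public_key(), True).sign(self.key, hashes.SHA256())
        self.issued = {}  # serial -> certificate: plays the role of the CA process' Issued Certificate List
        self._crl = (x509.CertificateRevocationListBuilder().issuer_name(self.cert.subject)
                     .last_update(NOW).next_update(NOW + dt.timedelta(hours=1)))

    def issue(self, host, record=True):
        key = ec.generate_private_key(ec.SECP256R1())
        cert = _template(host, key.public_key(), False, self.cert.subject).sign(self.key, hashes.SHA256())
        if record:  # record=False models a key-ring issuance that the ICL never sees
            self.issued[cert.serial_number] = cert
        return cert

    def revoke(self, serial):
        """Revocation selects the certificate in the ICL, so a serial that is not listed cannot be revoked."""
        if serial not in self.issued:
            return False
        entry = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(NOW).build()
        self._crl = self._crl.add_revoked_certificate(entry)
        return True

    def crl(self):
        return self._crl.sign(self.key, hashes.SHA256())


def accept(cert, root, crl):
    """Relying-party check: the root's signature on the certificate, an authentic CRL, and a serial not on it."""
    try:
        root.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return (cert.issuer == root.subject and crl.is_signature_valid(root.public_key())
            and crl.get_revoked_certificate_by_serial_number(cert.serial_number) is None)
```

A certificate issued with `record=False` still verifies against the root (it carries the same signature), but `revoke` refuses it because it never entered the issued list, which is exactly the gap described above.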