Migrating a certifier to the CA process

To migrate an existing certifier to the CA process, you set up an Issued Certificate List (ICL) database and configure its certificate duration. In addition, for Internet certifiers, you configure CRL and key usage information for the certificate.

Procedure

  1. From the Domino® Administrator, click the Configuration tab.
  2. On the Tools pane, choose Certification > Migrate Certifier.
  3. In the Migrate Certifier dialog box, click Select.
  4. In the Choose id/keyring file dialog box, select the cert.id of the certifier you want to migrate:
    • Choose the certifier ID (CERT.ID) and click Select to migrate a Notes certifier.
    • Choose the certifier key ring file and click Select to migrate an Internet certifier.
  5. The certifier ID's path and filename now appear in the Migrate Certifier dialog box. Enter the password for the certifier ID or key ring file and click OK.

What to do next

Complete one of the next tasks, depending on whether you are migrating a Notes® certifier or an Internet certifier.

To migrate a Notes® certifier

Procedure

  1. From the Domino® Administrator, click the Configuration tab.
  2. On the Basics tab, complete these fields:
    Table 1. Basics tab fields

    Field: Select the server where the certifier will run
    Action: Select the server on which the migrated certifier will be linked to the CA process. The ICL database for this certifier will also be created on this server. Make sure that the client location document points to this server.

    Field: Name of ICL database to be created
    Action: ICLs are created automatically when you create a certifier, and named by default. You can modify the default name (for example: icl\icl_Renovations.nsf for the Renovations certifier).

    Note: Although you can change the location of the ICL, it is recommended that you use the default directory and path.
  3. For Encrypt Certifier ID with, choose one:
    Table 2. Options for encrypting Certifier ID

    Option: Encrypt ID with Server ID
    Password required: None
    Action required: If you choose to protect the certifier ID with an encrypted key that can only be decrypted by the CA process, you need to set the following notes.ini setting in both the Domino server and the Domino Administrator client:
    • ENABLE_SECUREPASSWORD_ICL=1

    Option: Require password to activate
    Password required: Enter a new password for this certifier
    Action required: If you choose to encrypt the certifier ID with the server ID and password, you need to activate the certifier. Use the tell command:

    tell ca activate <password>

    Option: Encrypt ID with Lock ID
    Password required: Registered user ID and password
    Action required: If you choose to encrypt the certifier ID with a lock ID, the certifier is locked until you unlock it. Use the tell command:

    tell ca unlock idfilepassword

    If you choose to protect the certifier ID with an encrypted key that can only be decrypted by the CA process, you need to set the following notes.ini setting in both the Domino server and the Domino Administrator client:
    • ENABLE_SECUREPASSWORD_ICL=1

    Note: Encrypting a certifier ID with the password-protected Server ID protects only that certifier. If you use a lock ID, you have the option of using it with multiple certifiers. You then need to lock and unlock those certifiers simultaneously.

    Using ENABLE_SECUREPASSWORD_ICL=1 in conjunction with a new Server ID or Lock ID that you are migrating prevents anyone who has access to the ICL database and is listed as a CAA from obtaining the certifier ID from the ICL database. This .ini setting does not affect existing Notes certifiers that were already migrated to the CA process.

  4. Optional: In the Administrators list, enter names of additional CAAs and RAs. The name of the administrator migrating the CA is automatically included in the list as both a CAA and an RA.
  5. On the Certificates tab, complete these fields:
    Table 3. Certificates tab fields

    Field: Certificate duration for EE certificate
    Action: Enter the default, minimum, and maximum duration, in months, for an end-entity (EE) certificate. An end-entity certificate is granted to servers or end users.

    Field: Certificate duration for CA certificate
    Action: Enter the default, minimum, and maximum duration, in months, for a certificate authority (CA) certificate. A CA certificate is granted to certifiers.

  6. Click OK. A message appears saying that you have successfully migrated the certifier.
  7. Add the certifier to the CA process.
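Step 3 above makes the protection of a migrated certifier ID depend on ENABLE_SECUREPASSWORD_ICL=1 being present in both the server's and the Domino Administrator client's notes.ini; if either side lacks it, a CAA with access to the ICL database can still retrieve the certifier ID. The script below is an added example, not part of this documentation or of Domino itself: it parses the flat KEY=value syntax of notes.ini (keys treated case-insensitively, last occurrence wins) and reports, per file, whether the setting is present and enabled. The two notes.ini texts embedded in it are constructed samples, and the function and variable names are the example's own.

```python
"""Audit notes.ini files for ENABLE_SECUREPASSWORD_ICL=1 (added example)."""
import re
from typing import Dict

# Setting that the migration procedure requires in BOTH the server's and the
# Domino Administrator client's notes.ini when the certifier ID is protected
# with a key that only the CA process can decrypt.
REQUIRED_KEY = "ENABLE_SECUREPASSWORD_ICL"

# KEY=value with optional surrounding whitespace; lines starting with ';' or
# '#' and lines without '=' are ignored.
_LINE_RE = re.compile(r"^\s*([^=;#\s][^=]*?)\s*=\s*(.*?)\s*$")


def parse_notes_ini(text: str) -> Dict[str, str]:
    """Parse notes.ini text into a dict keyed by upper-cased setting name.

    notes.ini keys are case-insensitive in Domino, so they are normalised to
    upper case; a later duplicate overrides an earlier one.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        m = _LINE_RE.match(raw)
        if not m:
            continue
        settings[m.group(1).upper()] = m.group(2)
    return settings


def secure_password_icl_enabled(settings: Dict[str, str]) -> bool:
    """True only when ENABLE_SECUREPASSWORD_ICL is present and equal to 1."""
    return settings.get(REQUIRED_KEY, "").strip() == "1"


def audit(ini_files: Dict[str, str]) -> Dict[str, str]:
    """Map each notes.ini (name -> text) to 'ok', 'disabled' or 'missing'."""
    report: Dict[str, str] = {}
    for name, text in ini_files.items():
        settings = parse_notes_ini(text)
        if REQUIRED_KEY not in settings:
            report[name] = "missing"
        elif secure_password_icl_enabled(settings):
            report[name] = "ok"
        else:
            report[name] = "disabled"
    return report


def all_protected(ini_files: Dict[str, str]) -> bool:
    """The protection holds only if every file audited has the setting on."""
    return bool(ini_files) and all(s == "ok" for s in audit(ini_files).values())


# Constructed sample inputs; not real configuration files.
SAMPLE_SERVER_INI = """\
; constructed sample: Domino server notes.ini
ServerTasks=Replica,Router,Update,CA
ENABLE_SECUREPASSWORD_ICL=1
"""

SAMPLE_CLIENT_INI = """\
; constructed sample: Domino Administrator client notes.ini
Location=Office
enable_securepassword_icl = 0
"""

if __name__ == "__main__":
    files = {"server": SAMPLE_SERVER_INI, "admin_client": SAMPLE_CLIENT_INI}
    for name, status in audit(files).items():
        print(f"{name}: {status}")
    print("protected on both sides:", all_protected(files))
```

Run it as-is to see the constructed client file flagged as "disabled"; in practice, read the real server and client notes.ini files into the dictionary passed to audit(). A "missing" or "disabled" result on either side means the migrated certifier ID is not protected by the secure-password option described in step 3.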

What to do next

Complete the task Adding a certifier to the CA process

To migrate an Internet certifier

Procedure

  1. Migrate the key ring file.
  2. Complete the Migrate Certifier dialog as described in the section on creating an Internet certifier in the topic Creating a certifier for a server-based CA in the related links.