Migrating a certifier to the CA process
To migrate an existing certifier to the CA process, you set up an Issued Certificate List (ICL) database and configure its certificate duration. In addition, for Internet certifiers, you configure CRL and key usage information for the certificate.
Procedure
- From the Domino® Administrator, click the Configuration tab.
- On the Tools pane, choose .
- In the Migrate Certifier dialog box, click Select.
- In the Choose id/keyring file dialog box, select the cert.id of the certifier you want to migrate:
- Choose the certifier ID (CERT.ID) and click Select to migrate a Notes certifier.
- Choose the certifier key ring file and click Select to migrate an Internet certifier.
- The certifier ID's path and filename now appear in the Migrate Certifier dialog box. Enter the password for the certifier ID or key ring file and click OK.
What to do next
To migrate a Notes® certifier
Procedure
- From the Domino® Administrator, click the Configuration tab.
- On the Basics tab, complete these fields:

Table 1. Basics tab fields

| Field | Action |
| --- | --- |
| Select the server where the certifier will run | Select the server on which the migrated certifier will be linked to the CA process. The ICL database for this certifier will also be created on this server. Make sure that the client location document points to this server. |
| Name of ICL database to be created | ICLs are created automatically when you create a certifier, and named by default. You can modify the default name (for example: icl\icl_Renovations.nsf for the Renovations certifier). Note: Although you can change the location of the ICL, it is recommended that you use the default directory and path. |

- For Encrypt Certifier ID with, choose one:
Table 2. Options for encrypting Certifier ID

| Option | Password required | Action required |
| --- | --- | --- |
| Encrypt ID with Server ID | None | If you choose to protect the certifier ID with an encrypted key that can only be decrypted by the CA process, you need to set the following notes.ini setting in both the Domino server and the Domino Administrator client: ENABLE_SECUREPASSWORD_ICL=1 |
| Require password to activate | Enter a new password for this certifier | If you choose to encrypt the certifier ID with the server ID and password, you need to activate the certifier. Use the tell command: tell ca activate <password> |
| Encrypt ID with Lock ID | Registered user ID and password | If you choose to encrypt the certifier ID with a lock ID, the certifier is locked until you unlock it. Use the tell command: tell ca unlock idfilepassword. If you choose to protect the certifier ID with an encrypted key that can only be decrypted by the CA process, you need to set the following notes.ini setting in both the Domino server and the Domino Administrator client: ENABLE_SECUREPASSWORD_ICL=1 |

Note: Encrypting a certifier ID with the password-protected Server ID protects only that certifier. If you use a lock ID, you have the option of using it with multiple certifiers. You then need to lock and unlock those certifiers simultaneously. Using ENABLE_SECUREPASSWORD_ICL=1 in conjunction with a new Server ID or Lock ID that you are migrating prevents any person with access to the ICL database and listed as a CAA from gaining access to the certifier ID from the ICL database. Use of the .ini file setting does not affect existing Notes certifiers that were already migrated to the CA process.
- Optional: In the Administrators list, enter names of additional CAAs and RAs. The name of the administrator migrating the CA is automatically included in the list as both a CAA and an RA.
- On the Certificates tab, complete these fields:

Table 3. Certificates tab fields

| Field | Action |
| --- | --- |
| Certificate duration for EE certificate | Enter the default, minimum, and maximum duration, in months, for an end-entity (EE) certificate. An end-entity certificate is granted to servers or end users. |
| Certificate duration for CA certificate | Enter the default, minimum, and maximum duration, in months, for a certificate authority (CA) certificate. A CA certificate is granted to certifiers. |
- Click OK. A message appears saying that you have successfully migrated the certifier.
- Add the certifier to the CA process.
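The encryption options above require ENABLE_SECUREPASSWORD_ICL=1 in the notes.ini of both the Domino server and the Domino Administrator client; a setting present on only one side leaves the certifier ID protection incomplete. The following check is an added example, not part of this documentation or of Domino itself; the notes.ini contents it parses are constructed samples, and it assumes notes.ini is a flat KEY=value file with no sections.

```python
# Added example: confirm ENABLE_SECUREPASSWORD_ICL=1 is set on both the
# Domino server and the Domino Administrator client, as the migration
# procedure requires. The notes.ini texts below are constructed samples.

def parse_notes_ini(text):
    """Parse notes.ini-style KEY=value lines into a dict keyed in upper case.

    Lines without '=' (such as the leading [Notes] line) and blank lines
    are ignored; surrounding whitespace on keys and values is dropped.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings

def secure_password_icl_enabled(text):
    """True only when ENABLE_SECUREPASSWORD_ICL is set to exactly 1."""
    return parse_notes_ini(text).get("ENABLE_SECUREPASSWORD_ICL") == "1"

def check_secure_password_icl(server_ini, client_ini):
    """Return the sides ('server', 'client') where the setting is not enabled.

    An empty list means both notes.ini files carry ENABLE_SECUREPASSWORD_ICL=1.
    """
    missing = []
    if not secure_password_icl_enabled(server_ini):
        missing.append("server")
    if not secure_password_icl_enabled(client_ini):
        missing.append("client")
    return missing

# Constructed sample contents, not real notes.ini files.
SERVER_INI = """[Notes]
Directory=C:\\Domino\\data
ServerTasks=Replica,Router,Update,AMgr,Adminp,CA
ENABLE_SECUREPASSWORD_ICL=1
"""

CLIENT_INI = """[Notes]
Directory=C:\\Notes\\data
enable_securepassword_icl = 0
"""

if __name__ == "__main__":
    print(check_secure_password_icl(SERVER_INI, CLIENT_INI))  # ['client']
```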
What to do next
To migrate an Internet certifier
Procedure
- Migrate the key ring file.
- Complete the Migrate Certifier dialog as described in the section on creating an Internet certifier in the topic Creating a certifier for a server-based CA in the related links.