Publishing third-party CA client certificates in a Person record

Notes® and Internet users who have a client certificate from a third-party certifier may want to have this certificate published in their Person record so that, if a user authenticates with a Domino® server over TLS with that certificate, Domino® will be able to determine the user's Notes® identity.

About this task

The server can then use the Notes® identity to check server database ACLs to determine the user's access to those databases. If the certificate with which a user authenticates isn't in a Person document, Domino® gives the user anonymous access, even though the user has authenticated using TLS client authentication.

To publish a third-party client certificate in a user's Person record, use the Certificate Publications Request database. Clients submit certificate publication requests to the database, where they are approved by an administrator. After a request is approved, a publication request is created automatically in the Administration Process database. When the request is completed, the third-party client certificate is published in the requester's Person record.

In order to use this database, the server on which it is hosted must:

  • Be configured for TLS, accepting both client certificates and anonymous access
  • Have trusted root certificates installed in its server key ring for any certifier whose certificates you want to accept for publication

In order for users to make a publication request, they must be able to authenticate to the Certificate Publications Request database with the certificate they want to have published.

Note: The user does not have to have a Person document in the Domino® Directory to make a publication request. The administrator can create a Person document once the request has been entered, and it has been decided that the certificate's owner can be trusted.

To create the Certificate Publications Request database

Procedure

  1. From the Domino® Administrator, click File > Application > New.
  2. Create a new database using the Domino® Certificate Publications Request template (certpub.ntf).

To publish a third-party CA client certificate in a Person record

Procedure

  1. The client opens the Certificate Publications Request database using a browser, completes the Certificate Registration Request form, and submits it.
  2. The administrator approves or denies the publication requests in the Waiting for Approval view.
  3. If the request is approved, it is submitted to the Administration Process and the client certificate is published in the requester's Person record.