Domino server-based certification authority
You can set up a Domino certifier that uses a server task, the CA process, to manage and process certificate requests. The CA process runs as a process on Domino servers that are used to issue certificates. When you set up a Notes or Internet certifier, you link it to the CA process on the server in order to take advantage of CA process activities. Only one instance of the CA process can run on a server; however, the process can be linked to multiple certifiers.

You can set up both Notes and Internet certifiers to use the CA process.

Consider using the CA process because it:

To manage the CA process from the Domino console, you use a set of server Tell commands.

Issued Certificate List (ICL)

Each certifier has an Issued Certificate List (ICL) that is created when the certifier is created or migrated to the CA process. The ICL is a database that stores a copy of each certificate that it has issued, certificate revocation lists (for Internet certifiers), and CA configuration documents. Configuration documents are generated when you create the certifier and sign it with the certifier's public key. After you create these documents, you cannot edit them.

CA configuration documents include:

Another CA configuration document, the Certifier document, is created in the Domino Directory when you set up the a certifier. This document can be modified.

For more information, see the topic Modifying a certifier.

Certificate Revocation List (CRL)

A CRL is a time-stamped list identifying revoked Internet certificates -- for example, certificates belonging to terminated employees. The CA process issues and maintains CRLs for each Internet certifier. A CRL is associated with a certifier, is signed by that certifier, and resides in the certifier's ICL database. A copy of the CRL is also stored in the Domino Directory in the CA's certifier document, where it is used to assert certificate validity by entities that require certificate authentication. The CRL in the Domino Directory is retrieved by users using LDAP through a specific server that is named as part of the CA configuration. This information is stored in the CRL distribution point, an X.509 extension of the issued certificate.

You configure the CRL when you create a new Internet certifier. You can specify the length of time for which a CRL is valid and the interval between publication of new CRLs. After CRLs are configured, the certifier issues them on a regular basis and they operate unattended.

Using CRLs, you can manage the certificates issued in your organization. You can easily revoke a certificate if the subject of the certificate leaves the organization or if the key has been compromised. HTTP servers and Web browsers check the CRLs to determine whether a given certificate has been revoked, and is therefore no longer trusted by the certifier. When you use Internet Site documents to configure Internet protocols on the Domino, you can also enable CRL-checking for each protocol.

There are two kinds of CRLs: scheduled and immediate. For scheduled CRLs, you configure a duration interval -- the time period for which the CRL is valid -- and the interval at which new CRLs are issued. Each certifier issues a CRL at the specified time, even if no certificates have been revoked since the last CRL was issued. This means that if an administrator revokes a certificate, it appears in the next scheduled CRL issued by the certifier. The CRL duration period should be greater than the time period between each CRL issuance. This ensures that the CRL remains valid. Otherwise, the CRL could expire before a new one is issued.

However, in the event of a critical security break -- for example, if the administrator needs to revoke a particularly powerful certificate or the certifier certificate is compromised -- you can manually issue an immediate CRL (that is, an unscheduled CRL ) to enforce the emergency revocation. This type of revocation does not affect either the timing or the content of the next scheduled CRL. You use a Tell command to issue an immediate CRL.

For more information on revoking a certificate, see the topic Revoking a certificate.

For more information on enabling CRL-checking for Internet Site documents, see the topic Setting up security for Internet Site documents.

For more information on configuring a scheduled CRL, see the topic Creating a certifier for a server-based CA.

For more information on issuing a nonscheduled CRL, see the topic Certificate authority process tell commands.

See also