Jérôme Deniau commented on Feb 8, 2008

ID Management

Implementing CA process should be really considered as an important step to deploy in all companies:

1. if you want to use Active Directory, you can easily allow AD Administrators to registrer Notes Users directly from the MMC:

a. Install Notes Client onto the AD MMC admin machine

select the option to sync with Windows

b. After installation register the notes dll

regsrv32 nadsync.dll

c. Configure the AD mmc for correct Domino settings

You should prepare this:

- Configure CA BEFORE

- Plan explicit policies according to your AD environment.

2. If you have many many admins or people in charge of creating accounts:

CA process allows you not to give them the famous cert.id (Organisation or OU) with the password!

You just have to correctly define Certificates Authority and Revoke Atuhority. Normally people in charge of creating accounts should only have the RA level, while you the full admin should have CA level.

3. If you cannot always use Administrator (out of office or somewhere else in you company), you can use webadmin.nsf with your browser and if you do have set CA Process you will be able to register your users without using Administrator.

That is only the beginning, CA process can also be used for Internet certificates.

For the current Cert.id migration the steps are really straightforward:

1. With Administrator use the tool Migrate Certifier, this will copy all information from the cert.id you select into a notes Database into the ICL folder.

On Domino Cluster: you cannot cluster the database (note recommanded/not supported) if encrypted with the server.id. if you do use an id file to protect the ICL you would be able to but, the file will need to be unlocked.

during the migration you can specify the CA and RA users (you cannot use group because Domino needs public keys to encrypt the data and verify the access).

Then you just have to define the certificate duration.

Validate. Adminp will do the job.

2. Starting it:

load ca

Modify notes.ini to add ca into servertasks=......,ca

3. Verify you succeeded

execute: tell ca status

CA process management:

To add users to ra process or ca process: administrator -> Configuration tab-> Certification view -> Modify Certifier tool

or

directly in names.nsf edit the certifier document (you cannot modify the duration then)

This is just a fast draft a more detailled document should be done.

Tosakan Chansuk commented on Jan 27, 2008

ID Management

You can simply this by implementing Domino CA. This help increasing some security to remove concerns about the certifiers as the certifiers are no longer needed for registration.

I would recommend to implement it as well as recovery password. As, it helps a lot to backing up IDs automatically and safely.