Lotusphere 2011 SHOW104

Configuring Domino SSL Certificates and S/MIME Secure Email Messaging

SHOW104 Crispy Certificates with Spicy SSL Salsa
Tom Truitt | Sr IT Specialist | WorkFlow Studios
© 2011 IBM Corporation
Legal
This slide presentation may contain the following copyrighted, trademarked, and/or restricted terms:
- IBM® Lotus® Domino®, IBM® Lotus® Notes®, IBM Lotus Symphony®, LotusScript®
- Microsoft® Windows®, Internet Explorer®, Microsoft Office®
  - Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.
- Symantec Corporation®, VeriSign, Inc.®, Thawte, Inc.®, GeoTrust®, GoDaddy.com, Inc.®
Legal Disclaimer
© IBM Corporation 2011. All Rights Reserved. The information contained in this publication is provided for informational purposes only. While efforts were made to verify the completeness and accuracy of the information contained in this publication, it is provided AS IS without warranty of any kind, express or implied. In addition, this information is based on IBM's current product plans and strategy, which are subject to change by IBM without notice. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, this publication or any other materials. Nothing contained in this publication is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in this presentation to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in this presentation may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. Nothing contained in these materials is intended to, nor shall have the effect of, stating or implying that any activities undertaken by you will result in any specific sales, revenue growth or other results. IBM, the IBM logo, Lotus, Lotus Notes, Notes, Domino, Quickr, and Lotusphere are trademarks of International Business Machines Corporation in the United States, other countries, or both. Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both. Other company, product, or service names may be trademarks or service marks of others.
All references to Spicy SSL refer to a fictitious company and are used for illustration purposes only.
Session Goals
- Learn what SSL and X.509 certificates are, and why you use them.
- Learn what a Wildcard certificate is and how it potentially saves your organization money and maintenance hassle.
- Learn the difference between self-certifying and using a 3rd Party certificate authority, and why you'd want to pay for the 3rd Party.
- Learn how to send and receive encrypted email for secure communications.
- Learn the step-by-step process of setting up all of these certificate types in your Domino environment.
Assumptions
- You have installed, and have working knowledge of, the Lotus Notes Administration Client.
- You have "Create Database" privileges in your Domino environment.
- You have at least Editor access to the Domino Directory with the NetCreator and UserCreator roles.
- Your Notes Client "Location Document" must be set for server based mail, not local, otherwise you will receive errors when creating or modifying certificates.
Agenda
- It's a matter of Trust & Security
  - Or why Certificates and SSL are necessary
- Definitions
- Using 3rd Party Certificate Authorities
  - Single Host
  - Multi Host with "Wildcard" SSL Certificate
- Domino's Certificate Authority (CA) process
  - Migrating a Notes Certifier to the Domino CA
  - Adding an Internet Certifier to the Domino CA
- Secure Email with S/MIME and X.509 Certificates
- Q & A
- Don't forget your evaluations
It's a matter of Trust & Security
- Who do you trust?
  - How do you verify that you are connected to a server that actually belongs to a particular business or site?
  - Certificates validate identity, like a company badge to get into your office, or a driver's license or passport to get through security at the airport.
- Who would eavesdrop on the Internet "Party Line"?
  - Standard Internet protocols such as HTTP and SMTP transmit everything as plain text.
  - If someone intercepts the traffic, there is nothing to prevent them reading all the content of that communication, or altering it in transit.
- With encryption, one end of the communication encrypts the traffic and the other end decrypts it.
  - Certificates bind a public key to an identity. That public key is what the client uses to set up the encrypted session with the genuine server rather than with an impostor.
Definitions to keep in mind
- Secure Sockets Layer (SSL) & Transport Layer Security (TLS)
- Public Key Infrastructure (PKI)
- Certificate Authority (CA)
- Certificate Signing Request (CSR)
- X.509 Digital Certificate or Public Key Certificate (PKC)
Secure Sockets Layer (SSL) & Transport Layer Security (TLS)
- SSL and TLS are cryptographic* protocols that provide authenticated, encrypted communications over the Internet.
- SSL, originally developed by Netscape, is widely used to do two things:
  - Validate the identity of a Web site
  - Encrypt the connection for sending personal data over the Internet
- TLS, the successor protocol defined by the Internet Engineering Task Force (IETF), is based on SSL 3.0. TLS uses digital certificates to authenticate the server to the client and, optionally (with client certificates), the client to the server.
  - With RSA key exchange, the TLS client uses the public key from the server's certificate to encrypt a random pre-master secret and sends it to the server. That secret, combined with the random values the two sides exchanged earlier, is used to derive the session keys that encrypt and integrity-protect the subsequent message exchange.
- Look for the Lock icon in your browser. A closed lock means the connection is encrypted and the server presented a certificate that chains to a CA your browser trusts and matches the host name; it says nothing about whether the site itself is trustworthy.
* Cryptography is the process of converting data into a secret code for transmission. In other words, "Plain Text" is converted into "Cipher Text" via an encryption algorithm.
Typical SSL Handshake Negotiation Process
1. The two sides acknowledge each other: the browser sends a list of the cipher suites it supports and a random number (the client random) to the web server.
2. The server returns "Use this cipher suite", its own random number (the server random) and its digital certificate.
3. The browser verifies that it trusts the server's certificate (an unbroken chain to a trusted root, not expired, name matches the URL) and extracts the server's public key. It then uses that public key to encrypt a pre-master secret and sends it to the server.
4. Both client and server use the pre-master secret and the exchanged random numbers to generate the secret keys for the rest of the session. Each then sends a Finished message containing a keyed hash of the entire handshake, so any tampering with the negotiation is detected before application data flows.
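The slide above describes in words how the pre-master secret and the two random numbers become session keys. The following is an added example, not part of the original presentation, that carries out that derivation for TLS 1.2 with the Python standard library: the PRF from RFC 5246, the 48-byte master secret, and the key block split as an AES-128-GCM cipher suite lays it out. A pretend client and server generate the random values locally; the RSA encryption of the pre-master secret from step 3 is assumed to have already happened and is not modelled, and the choice of cipher suite layout is mine for illustration.

```python
"""TLS 1.2 key derivation (RFC 5246) worked through with hashlib/hmac.

Added example, not from the original slides. Both ends are assumed to already
share the pre-master secret; only the derivation of keys from it is shown.
"""
import hashlib
import hmac
import secrets


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 from RFC 5246 section 5.

    A(0) = seed, A(i) = HMAC(secret, A(i-1));
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    """
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1: 48-byte master secret, seeded with client random then server random."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """RFC 5246 section 6.3: the randoms are concatenated in the opposite order here."""
    return prf(master, b"key expansion", server_random + client_random, length)


def split_aes128_gcm_keys(block: bytes) -> dict:
    """Key block layout for TLS_RSA_WITH_AES_128_GCM_SHA256 (my choice for the demo):
    two 16-byte write keys, then two 4-byte implicit nonce parts; AEAD suites have no MAC keys."""
    return {
        "client_write_key": block[0:16],
        "server_write_key": block[16:32],
        "client_write_iv": block[32:36],
        "server_write_iv": block[36:40],
    }


def simulate_key_exchange() -> dict:
    """Run the derivation independently on a pretend client and server and compare.

    The pre-master secret starts with the version bytes 0x03 0x03 (TLS 1.2)
    followed by 46 random bytes, as the client would build it.
    """
    client_random = secrets.token_bytes(32)
    server_random = secrets.token_bytes(32)
    pre_master = b"\x03\x03" + secrets.token_bytes(46)

    # Each side derives from the same inputs; the master secret itself is never sent.
    client_master = master_secret(pre_master, client_random, server_random)
    server_master = master_secret(pre_master, client_random, server_random)
    client_keys = split_aes128_gcm_keys(key_block(client_master, client_random, server_random, 40))
    server_keys = split_aes128_gcm_keys(key_block(server_master, client_random, server_random, 40))

    return {
        "master_secret_len": len(client_master),
        "keys_agree": client_master == server_master and client_keys == server_keys,
        "client_keys": client_keys,
    }


if __name__ == "__main__":
    result = simulate_key_exchange()
    print("both sides derived identical keys:", result["keys_agree"])
    for name, value in result["client_keys"].items():
        print(f"{name:18} {value.hex()}")
```

TLS 1.0 and 1.1 use an older MD5/SHA-1 based PRF and TLS 1.3 replaced the whole schedule with HKDF, but the idea the slide states holds for all of them: the keys that protect the session are derived from a secret only the two endpoints know plus fresh randomness from both sides, so a captured handshake cannot be replayed to reproduce them.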
Public Key Infrastructure (PKI)
- A framework for creating a secure method of exchanging electronic information based on public key cryptography.
- The base of a PKI is the Certificate Authority (CA) that issues digital certificates to authenticate the identity of servers and individuals.
- Trust in a PKI rests on the public/private key pair of the CA's Root Key.
- The subject's public key, known to everyone, is used to encrypt data for the subject and to verify the subject's signatures.
- The private or secret key, held only by the subject, is used to decrypt received data and to create signatures.
- If the private key of the CA's Root Key is ever compromised, every certificate issued by that CA is suspect, because the attacker can issue certificates that are indistinguishable from genuine ones.
- The Key Size determines how hard it is to recover the private key from the public one. The larger the key, the harder it is to break.
  - Common RSA Key Sizes are 512, 1024 and 2048 bits. 512-bit RSA moduli have been factored publicly and must not be used; 1024-bit keys were being phased out by CAs at the time of this session (see the Key Size slide).
Certificate Authorities (CAs)
- As stated above, the base of a PKI is the Certificate Authority (CA) that issues digital certificates to authenticate the identity of servers and individuals.
- There are two types of CAs:
  - Trusted 3rd Party or Commercial CAs, which charge to issue certificates. Their Trusted Root certificates are included in most Internet browsers.
    - Think of a passport issued by your country's passport authority.
  - Self Signed or Closed System, where your company is its own CA. You control the Root Certificate for the organization.
    - Think of your company-issued ID badge that lets you into your office building.
Trusted 3rd Party Certificate Authorities (CAs)
- Over 300 Trusted CAs are included in Internet Explorer on Windows XP.
- Most browsers already trust these authorities, so end user configuration is not required.
- If the certifier is pre-configured as trusted in the email system, external mail client configuration is reduced.
- Overall, the cost of supporting a 3rd Party System can be less than that of a Closed System.
- Examples of 3rd Party CAs:
  - VeriSign, recently acquired by Symantec, has long been highly trusted by consumers. VeriSign also owns GeoTrust and Thawte; combined they make up the largest CA group*.
  - Go Daddy has grown rapidly over the last few years due to its aggressive pricing model and holds the number two position per netcraft.com.
  - Many other Trusted 3rd Party CAs are listed at the site below.
* https://ssl.netcraft.com/ssl-sample-report//CMatch/certs
Self Signed or Closed System CAs
- You or your organization control all certificates, including the Root Certificate.
- You control who you issue certificates to.
  - Think of the photos on ID badges.
- You manage the certificate structure, naming, validation and expiration.
- The major problem with a Closed CA is that it requires equipment and personnel to manage the process and to configure end user workstations: every browser and mail client that should trust your certificates must have your Root Certificate installed, otherwise users see certificate warnings.
  - Think of the "Security Department" that takes photos and issues Corporate Security badges.
Certificate Signing Request (CSR)
- A CSR is an application submitted to a CA for a computer or individual to obtain a digital certificate.
- The request includes information identifying the applicant (the Distinguished Name fields: Common Name, Organization, City, State, Country) and the public key from a newly generated public/private key pair. The request is signed with the matching private key to prove the applicant holds it.
- The private key itself never leaves the requester. In Domino it stays in the Key Ring file, which is why that file and its password must be protected and kept for the life of the certificate.
X.509 Digital Certificate
- AKA Digital ID or Public Key Certificate (PKC)
- X.509 is an ITU-T (International Telecommunication Union, Telecommunication Standardization Sector) standard for public key infrastructure (PKI). It specifies standard formats for public key certificates, certificate validation and certificate revocation lists.
- Digital Certificates are issued by a CA after the CA has verified that the public key belongs to a specific subject.
- A Digital Certificate contains both CA and subject information, including the subject's public key, the validity period and the names the certificate is valid for. The CA signs the certificate by computing a digest (hash) of all the fields in the certificate and then applying its private key to that digest.
- The result is the "digital signature". When it is placed into the X.509 certificate, the certificate is said to be signed. Anyone holding the CA's public key can recompute the digest and check it against the signature, so any change to a field after signing is detected.
- It's the digital equivalent of your ID card, driver's license or passport.
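To make the signing step on this slide concrete, here is an added example that is not part of the original presentation. It uses "textbook" RSA with no padding on a SHA-256 digest of a dictionary of certificate fields, so that the mechanism is visible in a few lines: the CA digests the fields, raises the digest to its private exponent, and a relying party raises the signature to the public exponent and compares. Real X.509 signatures are computed over DER-encoded fields with PKCS#1 v1.5 or PSS padding, and real keys are 2048 bits or larger; the 512-bit key, the fictitious "Spicy SSL Root CA" issuer and all the sample field values are constructed here for speed and illustration only.

```python
"""How a CA signs a certificate and how a relying party checks the signature.

Added example, not from the original slides. Textbook RSA on a SHA-256 digest,
512-bit key: enough to show the mechanism, far too weak for real use.
"""
import hashlib
import json
import math
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Random odd number of exactly `bits` bits, retried until it passes Miller-Rabin."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def generate_ca_keypair(bits: int = 512):
    """Return ((n, e), (n, d)) with the usual public exponent 65537."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def tbs_digest(fields: dict) -> int:
    """Digest of the 'to be signed' fields, serialised canonically so signer and verifier
    hash identical bytes. Real certificates use DER for this; sorted JSON plays that role here."""
    encoded = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(encoded).digest(), "big")


def ca_sign(fields: dict, ca_private_key) -> int:
    """Signature = digest raised to the CA's private exponent (digest < n for a 512-bit key)."""
    n, d = ca_private_key
    return pow(tbs_digest(fields), d, n)


def verify_certificate(fields: dict, signature: int, ca_public_key) -> bool:
    """Relying party: recover the digest with the CA public key and compare with a fresh digest."""
    n, e = ca_public_key
    return pow(signature, e, n) == tbs_digest(fields)


# Constructed sample: the kind of fields entered in the Domino Key Ring dialog (all values made up).
HOTCHILIES_CERT = {
    "subject": {"CN": "hotchilies.spicyssl.com", "O": "Spicy SSL", "L": "Anytown",
                "ST": "Florida", "C": "US"},
    "issuer": {"CN": "Spicy SSL Root CA", "O": "Spicy SSL"},
    "not_before": "2011-01-31", "not_after": "2012-01-31",
    "public_key": "placeholder for the subject's public key",
}


def demo() -> dict:
    """Sign the sample, then try a tampered copy and a signature checked against the wrong CA."""
    ca_pub, ca_priv = generate_ca_keypair()
    sig = ca_sign(HOTCHILIES_CERT, ca_priv)
    forged = json.loads(json.dumps(HOTCHILIES_CERT))
    forged["subject"]["CN"] = "inotes.spicyssl.com"  # one field changed, same signature
    other_pub, _ = generate_ca_keypair()              # a CA the browser does not trust
    return {
        "genuine": verify_certificate(HOTCHILIES_CERT, sig, ca_pub),
        "tampered": verify_certificate(forged, sig, ca_pub),
        "wrong_ca": verify_certificate(HOTCHILIES_CERT, sig, other_pub),
    }


if __name__ == "__main__":
    print(demo())  # {'genuine': True, 'tampered': False, 'wrong_ca': False}
```

The two failing cases are the ones the slide deck cares about later: a certificate whose Common Name does not match the host (the wildcard section) and a certificate whose issuer the client has no root for (the Trusted Root and Intermediate section).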
Configuring your Domino server with a 3rd Party SSL Certificate
- Choosing your 3rd Party CA
- Create a KeyRing file
- Creating a Certificate Signing Request (CSR)
- Retrieve SSL Certificate from Vendor
- Trusted Root and Intermediate Certificates
- Install Server SSL Certificate
- Setup Domino Server for SSL
Choosing your 3rd Party CA & Certificate
- There are literally hundreds of 3rd Party CAs.
- Things to consider when selecting your 3rd Party CA are:
  - What type of transactions will this server be handling?
    - Online commerce sites should have the strongest level of encryption and assurance that you can afford.
    - In-house, training and utility servers might be able to use a less costly certificate.
  - Issuance Speed
  - SSL Certificate Warranty
  - Website Security Seals
  - Customer Support
- It's really up to you to determine the best vendor for your needs. Assuming the same Key Strength, the SSL Certificate is cryptographically the same whether it is issued by a Self Signed CA or is a premium certificate from a well known CA. The practical difference is whether the connecting clients already trust the issuer: browsers ship with the commercial roots, so a commercial certificate produces no warnings on any client, whereas a self-signed or in-house certificate is accepted only where your root has been installed. Between commercial vendors the difference is largely perception and marketing.
Creating a KeyRing.kyr file 1
- Create a new folder off the root of your C: drive with a short folder name. My suggestion is C:\SSL (you will be typing this path several times in the near future).

Creating a KeyRing.kyr file 2
- From your Notes Client, select File > Open > Lotus Notes Application
- Look in: Your Server
- Select "Server Certificate Admin" (certsrv.nsf)
- Click "Open"

Creating a KeyRing.kyr file 3
- When the application opens, select "1. Create Key Ring"

Creating a KeyRing.kyr file 4
- Type the full path and file name; it must end with .kyr
- Input and confirm the password.
- Click on the "Key Size" drop down.
Key Size 5
- The larger the key size, the greater the encryption strength. An RSA key is broken by factoring its modulus, and every additional bit makes that considerably more expensive for an attacker.
- Given the advances in computing power, some believe that it will be possible to break a 1024-bit key in the near future.
- Some 3rd Party CAs will not accept a CSR with less than a 2048-bit key any longer, and others are currently in the process of phasing out their lower sized certificates.
- Keep in mind this could cause issues when you try to renew existing certificates of lower key strength, in which case you will be required to create a new Key Ring file and CSR for your servers.
- The National Institute of Standards and Technology (NIST) of the US Government recommends that certificates issued after 2010 use at least a 2048-bit key length (SP 800-57 Part 1).
  - http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf
- Beware: some older browsers cannot support the new 2048-bit keys.
Creating a KeyRing.kyr file 6
- Select 2048 as the Key Size

Creating a KeyRing.kyr file 7
- Complete the required and optional fields:
  - "Common Name" (the DNS host name of the server)
  - Organization and optional fields
  - NO ABBREVIATIONS in the "State or Province" field
  - 2 character country code
- Click "Create Key Ring"

Creating a KeyRing.kyr file 8
- The KeyRing file name can be anything you want, but it must end with the .kyr extension.
- Write down the password of the KeyRing.kyr file, put it in a "sealed envelope" and store it in a safe place. You are going to need the password again when it comes time to renew the certificate.
- If you are getting a single server certificate, the Common Name is the fully qualified host name to which the server responds, exactly as users type it in the URL (for example hotchilies.spicyssl.com). A single character mistake will cause an invalid name prompt when the certificate is presented to the browser.
- The Organization (and optional Organization Unit) fields must be completed as accurately as possible with the legal name of the company.
- Use the City and State of the Organization's address, and NO ABBREVIATIONS in the State or Province name.
- Enter the standard 2 character country code for your country.
- This information will be verified by your CA, is included in the Digital Certificate and will be presented to every browser that contacts your server, so it's important to have it correct when you create your KeyRing.kyr file.

Creating a KeyRing.kyr file 9
- The Key Ring Created prompt will display. Click OK.

Creating a KeyRing.kyr file - end
- You need to create an account at your 3rd Party vendor.
- You need to purchase an SSL Certificate and know your vendor's procedures for submitting a CSR.
Creating a Certificate Signing Request (CSR) 1
- Open the Server Certificate Admin database (the same one we used to create the KeyRing.kyr file).

Creating a Certificate Signing Request (CSR) 2
- Click "2. Create Certificate Request"

Creating a Certificate Signing Request (CSR) 3
- Type the path and name of the .kyr file
- Select "Paste into form on CA's site"
- Click "Create Certificate Request"

Creating a Certificate Signing Request (CSR) 4
- You will be prompted for the KeyRing password; enter it and click "OK"

Creating a Certificate Signing Request (CSR) 5-6
- The Certificate Request is displayed as a block of Base64 text between BEGIN and END marker lines. Select from the first dash of the BEGIN line to the last dash of the END line, then press Ctrl+C to copy it to the clipboard.
- The request contains only your public key and the identifying information you entered; the private key stays in the .kyr file and is never sent to the CA.

Creating a Certificate Signing Request (CSR) 7
- Open Notepad and paste the CSR into the Notepad document, just in case you accidentally copy something else before you complete the 3rd Party CSR.

Creating a Certificate Signing Request (CSR) 8
- Click "OK" on the Certificate Request Created window.

Creating a Certificate Signing Request (CSR) end
- You are now ready to browse to your 3rd Party CA and complete your CSR.
- Follow the instructions for requesting a certificate from your 3rd Party CA.
Retrieve SSL Certificate from Vendor
- You will receive an email from your 3rd Party CA when your SSL Certificate is complete.
- In most instances you will need to download your SSL Certificate from their site.
Trusted Root & Intermediate Certificates 1
- There must be a Trusted Root Certificate for your 3rd Party CA in the server's KeyRing.kyr file.
- A newly created Domino KeyRing.kyr file already contains a default set of CA root certificates (the list shown on this slide), which are therefore trusted.
- If your CA is not included in the list, its Trusted Root Certificate will need to be imported.
- Note: a VeriSign Intermediate CA certificate is included by default. It may or may not be the correct one for your certificate.
- Many CAs now require an Intermediate Certificate as well as their Trusted Root. Without it the chain from your server certificate to the root is incomplete and browsers will warn.
- Check your 3rd Party CA documentation for Intermediate Certificate requirements.

Trusted Root & Intermediate Certificates 2
- Some CAs include their Trusted Root and Intermediate certificates in a bundle or .zip file along with your signed Digital Certificate.
- If they are not included, follow the vendor's instructions and download them.
- Place them in your C:\SSL subdirectory.

Trusted Root & Intermediate Certificates 3
- I normally double click to open the .crt files and leave them open on my desktop so I can get the name correct when I install them into the KeyRing.kyr file.

Trusted Root & Intermediate Certificates 4
- Open the "Server Certificate Admin" database

Trusted Root & Intermediate Certificates 5
- Select "3. Install Trusted Root Certificates into Key Ring"

Trusted Root & Intermediate Certificates 6
- Input the path and file name of your KeyRing.kyr file.
- Type the Certificate Label that will appear when you choose "View & Edit Key Ring" (which is why I keep the .crt files open on the desktop).
- Select File or Clipboard as Source.
  - If File, input the path and file name of the CA's root (or intermediate) certificate file.
  - If Clipboard, paste the certificate into the provided field.
- Base 64 encoding is the most common format unless your vendor specifies otherwise in their documentation.
- Click "Merge Trusted Root Certificate into Key Ring".

Trusted Root & Intermediate Certificates 7
- You will be prompted for the Key Ring password; enter it and click "OK"

Trusted Root & Intermediate Certificates 8
- Click "OK" on the Merge Trusted Root Certificate Confirmation.

Trusted Root & Intermediate Certificates 9
- Click "OK" on the "Certificate received into key ring and designated as trusted root" prompt.

Trusted Root & Intermediate Certificates end
- Intermediate Certificates
  - If your CA requires an Intermediate Certificate, follow the exact same steps as installing a Trusted Root Certificate.
  - Of course you would use a different Certificate Label and file name.
- If you get an error prompt while installing your signed "Server" Certificate (the slide shows an example), it indicates that you are missing an Intermediate Certificate.
Install Server Certificate into Key Ring 1
- Open the "Server Certificate Admin" database and click "4. Install Certificate into Key Ring"

Install Server Certificate into Key Ring 2
- Input the path and file name of your KeyRing.kyr file.
- Select File or Clipboard as Certificate Source, as appropriate.
- Depending on your choice:
  - If File, input the path and file name of the retrieved signed certificate.
  - If Clipboard, paste the certificate into the provided field.
- Click "Merge Certificate into Key Ring".

Install Server Certificate into Key Ring 3
- Input the Key Ring password and click "OK"

Install Server Certificate into Key Ring 4
- Click "OK" on the Merge Signed Certificate Confirmation prompt

Install Server Certificate into Key Ring end
- Click "OK" on the Certificate received into key ring prompt
Copy the KeyRing.kyr and KeyRing.sth file to your server's Domino Data directory 1
- When you create a KeyRing.kyr file, a .sth file of the same name is also created. It holds the (obfuscated) password for the associated .kyr file, which is how the HTTP task can open the key ring without prompting anyone.
- Anyone who can read both files has your server's private key. Keep them out of any web-accessible path and restrict file system permissions to the account the Domino server runs under.
- Browse to the C:\SSL subdirectory and copy BOTH the .kyr and .sth files.

Copy the KeyRing.kyr and KeyRing.sth file to your server's Domino Data directory 2
- Paste the KeyRing.kyr and KeyRing.sth files into your server's Domino Data directory.
Setup SSL on the Domino Server 1
- From the Domino Administrator Client:
  - Configuration tab
  - Server - Current Server Document
  - Edit Server
  - Note: "Load Internet configuration from Server\Internet Sites documents" = Disabled
- This example assumes you are NOT using Internet Sites documents.
- Using Internet Sites documents will be explained in the Wildcard SSL section.

Setup SSL on the Domino Server 2
- Go to Ports, then Internet Ports, and input the name of your KeyRing.kyr file.

Setup SSL on the Domino Server 3
- Scroll to the bottom of the page.
- Port 80 (standard port)
- TCP/IP port status
  - "Redirect to SSL" will automatically switch a user to SSL when they browse to the server without typing https:// at the beginning of the URL.
- Enforce server access settings
  - Select Yes to have the server honor the Security Access settings on the Security tab of the server document.
- SSL port status: Enabled
- Choose No for the Client certificate option (we haven't issued any client certificates).
- Save and Close.

Setup SSL on the Domino Server 4: Restart the HTTP Server Task
- Domino Admin Client - Server Console
- Issue the command:
  restart task http
211. Test new SSL Setup 1
  - Open your internet browser.
  - Enter the URL for your server. Example: http://hotchilies.spicyssl.com/names.nsf
  - You will be prompted for your name and password if you did not allow anonymous access.

214. SSL Setup Complete
  - Note: Because we selected "Redirect to SSL", you are automatically switched to SSL (https://).
  - The browser does not display any error prompts.
  - The lock icon displays. Click it and confirm that the certificate was issued to the host name you typed and by the CA you expect; a lock alone only tells you the connection is encrypted, not to whom.
217. Agenda
  - It's a matter of Trust & Security
    - Or why Certificates and SSL are necessary
  - Definitions
  - Using 3rd Party Certificate Authorities
    - Single Host
    - Multi Host with "Wildcard" SSL Certificate (next)
  - Domino's Certificate Authority (CA) process
    - Migrating a Notes Certifier to the Domino CA
    - Adding an Internet Certifier to the Domino CA
  - Secure Email with S/MIME and X.509 Certificates
  - Q & A
  - Don't forget your evaluations
221. Wildcard SSL Certificate 1
  - Let's suppose we have set up DNS entries for hotchilies.spicyssl.com and inotes.spicyssl.com, both pointing to the same server.
  - When we browse to hotchilies.spicyssl.com everything is fine.
  - But when we browse to inotes.spicyssl.com we get: "There is a problem with this website's security certificate".
  - This is because the certificate was issued to hotchilies, not inotes: the browser compares the host name in the URL with the name in the certificate, and they do not match.
226. Wildcard SSL Certificate 2
  - What is a Wildcard SSL Certificate?
  - It secures multiple first-level sub-domains (Internet Sites or servers) as long as they end with the same domain name. Example:
    - www.spicyssl.com
    - hotchilies.spicyssl.com
    - inotes.spicyssl.com
    - traveler.spicyssl.com
    - quickr.spicyssl.com
  - Browsers match the wildcard against exactly one DNS label. A Wildcard Certificate for *.spicyssl.com will not work for inotes.mail.spicyssl.com or best.recipe.for.spicyssl.com, and it does not cover the bare spicyssl.com either.
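The one-label rule above is what a browser actually enforces when it compares the host name in the URL with the names in the certificate (RFC 6125, section 6.4.3), and it is also why the hotchilies certificate on the previous slide was rejected for inotes. The following Python is an added example written for this page, not code from the presentation or from Domino; it applies the rule to the deck's own host names, which are assumed here (the spicyssl.com names are the presenter's fictional examples). One caveat: current browsers take the names to compare from the Subject Alternative Name extension and ignore the Common Name, but the matching rule itself is unchanged.

```python
"""Certificate name matching as browsers do it (RFC 6125 section 6.4.3).

A '*' in the certificate name stands for exactly one DNS label, and only the
left-most label may be a wildcard. Added example for this page; the host names
used below are assumptions taken from the deck's spicyssl.com scenario.
"""


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Return True if the certificate name (CN or dNSName SAN) covers hostname."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")

    if "*" not in cert_name:
        # No wildcard: the names must be identical, label for label.
        return cert_labels == host_labels

    # Only the left-most label may be the wildcard, and it must be the whole
    # label ("i*.spicyssl.com" is rejected, as is "inotes.*.com").
    if cert_labels[0] != "*" or any("*" in label for label in cert_labels[1:]):
        return False

    # Refuse wildcards that would cover a whole top-level domain such as "*.com".
    if len(cert_labels) < 3:
        return False

    # The wildcard replaces exactly one label: same label count, and every
    # label to the right of the '*' identical. This is why *.spicyssl.com does
    # not cover inotes.mail.spicyssl.com (one label too many) or the bare
    # spicyssl.com (one label too few).
    return len(host_labels) == len(cert_labels) and cert_labels[1:] == host_labels[1:]


def certificate_covers(cert_names, hostname: str) -> bool:
    """A certificate may carry several names (CN plus SAN entries); any match will do."""
    return any(hostname_matches(name, hostname) for name in cert_names)


if __name__ == "__main__":
    # Constructed scenario from the slides: the single-host certificate from the
    # first section and the wildcard certificate from this one.
    single_host_cert = ["hotchilies.spicyssl.com"]
    wildcard_cert = ["*.spicyssl.com"]
    for host in ["hotchilies.spicyssl.com", "inotes.spicyssl.com",
                 "inotes.mail.spicyssl.com", "spicyssl.com"]:
        print(f"{host:26} single-host: {certificate_covers(single_host_cert, host)!s:5} "
              f"wildcard: {certificate_covers(wildcard_cert, host)}")
```

Running the block prints one line per host name; only inotes.mail.spicyssl.com and the bare spicyssl.com fail against the wildcard certificate, which is exactly the behaviour the slide describes.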
232. Wildcard SSL Certificate 3
  - Advantages:
    - Can result in big savings if you have more than 3 or 4 sites to secure.
    - Easier to manage, especially when it comes time for renewals.
  - Disadvantages:
    - If the same private key is installed on several servers and one of them is compromised, every server using that key is exposed, and the certificate has to be revoked and replaced everywhere at once.
    - Some mobile device operating systems may not recognize the wildcard character (Windows Mobile 5, for example).
  - 3rd Party CAs offer different options:
    - Some allow you to create as many new or sub wildcard certificates (with the same domain name) as needed, each with a unique private key, making them just as secure as a single server certificate.
    - Some 3rd Party vendors limit the number of use instances of a Wildcard SSL certificate.
  - Read the license agreement of your CA to be sure you comply with their requirements.
236. Wildcard SSL Certificate 4
  - The process of setting up a Domino Server to use a Wildcard SSL Certificate is the same as for a single server certificate:
    - Choose your 3rd Party CA
    - Create a KeyRing file*
    - Create a Certificate Signing Request (CSR)
    - Retrieve SSL Certificate from Vendor
    - Trusted Root and Intermediate Certificates
    - Install Server SSL Certificate
    - Setup Domino Server for SSL
  - *The difference is when you create the KeyRing.kyr file: enter *.spicyssl.com or *.yourdomain.com as the "Common Name" in the Distinguished Name section.
  - The domain owner will likely receive an email requesting verification of the Wildcard CSR before the certificate is issued.
243. Creating a Wildcard KeyRing.kyr file 5
  - Open the "Server Certificate Admin" database.
  - Create a new KeyRing.kyr file.
  - Give the file a different name. Example: C:\SSL\WildSpicySSL.kyr
  - Complete the Create Key Ring document as we did before, with ONE exception, the Common Name field: use *.spicyssl.com (or *.yourdomain.com).

246. Creating a Wildcard KeyRing.kyr file 6
  - As long as you are sure you have entered a new Key Ring File Name, click "OK" if you receive a WARNING prompt like the one to the left.
  - Click "OK" on the Key Ring Created prompt.
248. Wildcard SSL Certificate 7
  - Follow the remaining procedures as we did for setting up SSL on a single server:
    - Create a Certificate Signing Request (CSR)
    - Retrieve SSL Certificate from Vendor
    - Trusted Root and Intermediate Certificates
    - Install Server SSL Certificate
    - Setup Domino Server for SSL, but this time we'll use "Internet Sites" documents

253. Wildcard SSL Certificate 8
  - Note the SubjectOrg and SubjectCommonName on the signed Wildcard Certificate: the Common Name is *.spicyssl.com (Step 6, Install Server SSL Certificate, above).
254. Configure Internet Sites with SSL 9: Enable Internet Sites Documents
  - Edit the Server Document, Basics tab.
  - Enable "Load Internet configurations from Server\Internet Sites documents".
  - Save and Close the Server Document.

258. Configure Internet Sites with SSL 10: Add a Web Internet Site Document
  - Domino Admin client: Configuration tab, Web, Internet Sites, Add Internet Site, Web.

264. Configure Internet Sites with SSL 11
  - Complete the Basics tab:
    - Descriptive name for this site
    - Organization
    - Is this the Default Internet Site?

267. Configure Internet Sites with SSL 12
  - Define this site's Home URL on the Configuration tab.

268. Configure Internet Sites with SSL 13
  - Security tab:
    - Redirect TCP to SSL
    - Require Name & Password for SSL Authentication
    - Enter the name of your WildKeyRing.kyr in the SSL Options section
  - Save and Close the document.
271. Wildcard SSL Certificate 14
  - Copy the WildKeyRing.kyr and WildKeyRing.sth files to the Domino server's data directory.
  - Open the Admin client Server Console and enter the command "restart task http".

273. Wildcard SSL Certificate 15
  - Now when we browse to inotes.spicyssl.com/redirect.nsf:
    - We no longer get an SSL Certificate Error.
    - We are prompted for a user name and password.
  - When we click on the lock icon:
    - We see the site is identified as inotes.spicyssl.com.
    - The connection to the server is encrypted.

276. Wildcard SSL Certificate 16
  - By clicking View Certificate we see that the certificate was issued to *.spicyssl.com.
277. Agenda
  - It's a matter of Trust & Security
    - Or why Certificates and SSL are necessary
  - Definitions
  - Using 3rd Party Certificate Authorities
    - Single Host
    - Multi Host with "Wildcard" SSL Certificate
  - Domino's Certificate Authority (CA) process (next)
    - Migrating a Notes Certifier to the Domino CA
    - Adding an Internet Certifier to the Domino CA
  - Secure Email with S/MIME and X.509 Certificates
  - Q & A
  - Don't forget your evaluations
280. Domino's Certificate Authority (CA) process
  - The Domino CA process can issue both Notes ID and Internet certificates and runs as an automated task on your Domino server.
  - It allows you to off-load the tasks of Notes ID creation and certificate issuing to others without giving them your certifier IDs and passwords.
  - Internet certificate requests are processed more easily.
  - It maintains Issued Certificate Lists (ICL) and certificate revocation lists (CRL).
284. Setting up Domino Certificate Authority
  - Migrate a Notes Certifier to the CA Process (this step)
  - Managing the CA process
  - Add an Internet Certifier to the CA process
  - Create a Certificate Request database for the Internet Certifier
  - Create a KeyRing.kyr file
  - Set up SSL on the Domino server
  - Install the Domino Internet Certifier Trusted Root certificate into your browser
291. Migrate Notes Certifier to the CA Process 1
  - Domino Admin client: Configuration tab, Tools, Certification, Migrate Certifier.

295. Migrate Notes Certifier to the CA Process 2
  - Click Select.

296. Migrate Notes Certifier to the CA Process 3
  - Browse to the certifier being migrated and click Select.

297. Migrate Notes Certifier to the CA Process 4
  - Click "OK".

298. Migrate Notes Certifier to the CA Process 5
  - Input the certifier password and click "OK".

299. Migrate Notes Certifier to the CA Process 6
  - The next slides explain the options on this page.
300. Migrate Notes Certifier to the CA Process 7: Migrate Certifier Options
  - Select the server on which the certifier will run.
  - It is suggested that you leave the default path and name of the ICL database.
  - How this certifier is protected:
    - Encrypt Certifier ID with Server ID: the certifier is encrypted with the server's ID, and no additional password or action is required to use it. That convenience means whoever controls the server ID controls the certifier, so you can isolate your CA server and add a password to the server ID for added security.
    - Require password to activate: more secure, but requires that you issue the "tell ca activate <certifier number> <password>" command after loading the CA task.
    - Locking ID: high security. If you use this option, I recommend creating a special ID. Keep in mind that password expiration or Notes certificate expiration will cause issues. This option requires that you issue the "tell ca unlock <path\filename> <password>" command on the server console.
303. Migrate Notes Certifier to the CA Process 8: Migrate Certifier Options
  - Certificate Authority Administrator (CAA)
    - A CAA can create and modify certifiers deployed in the Domino CA.
    - Only a CAA can edit the "Password recovery" information in a certifier.
    - The CAA can also add and edit the roles assigned to others.
    - A CAA must have at least "Editor" access to the Domino Directory.
    - Best practice is to assign at least 2 CAAs to each certifier.
  - Registration Authority (RA)
    - Approves or denies Notes or Internet certificate requests.
    - Can revoke certificates that can no longer be trusted.
    - Must have at least Author access with the "Create documents" privilege and the "User Creator" role in the Domino Directory.
  - The main advantage of separating the roles is to off-load these tasks from the Domino or CA administrator.
  - If you use the Web Administrator client, the Domino server must be listed as an RA.
311. Migrate Notes Certifier to the CA Process 9
  - Add your server as an RA.
  - Click OK.

313. Migrate Notes Certifier to the CA Process 10
  - After a few seconds the Success prompt will appear.
  - Click "OK".

315. Migrate Notes Certifier to the CA Process 11
  - To start the CA process, open the Domino Admin client Server Console and issue the "load ca" command.
316. Setting up Domino Certificate Authority
  - Migrate a Notes Certifier to the CA Process
  - Managing the CA process (this step)
  - Add an Internet Certifier to the CA process
  - Create a Certificate Request database for the Internet Certifier
  - Create a KeyRing.kyr file
  - Set up SSL on the Domino server
  - Install the Domino Internet Certifier Trusted Root certificate into your browser
322. Commands used to Manage the CA Process
  - The most common CA commands are:
    - load ca: loads the CA task on the Domino server
    - tell ca refresh: causes the CA task to reload the certifier list (certifiers will need to be unlocked or activated again)
    - tell ca quit: stops the CA task
    - tell ca stat: displays summary information about the certifiers, including each one's number
    - tell ca activate <certifier number> <password>: activates a specific certifier
    - tell ca unlock <path\file.id> <password>: unlocks all certifiers the ID protects
    - tell ca help: lists all of the CA options
  - You can also deactivate or lock individual certifiers.
  - Add the CA task to the ServerTasks= line of your server's notes.ini so that the CA task loads at server startup.
330. Agenda
  - It's a matter of Trust & Security
    - Or why Certificates and SSL are necessary
  - Definitions
  - Using 3rd Party Certificate Authorities
    - Single Host
    - Multi Host with "Wildcard" SSL Certificate
  - Domino's Certificate Authority (CA) process
    - Migrating a Notes Certifier to the Domino CA
    - Adding an Internet Certifier to the Domino CA (next)
  - Secure Email with S/MIME and X.509 Certificates
  - Q & A
  - Don't forget your evaluations
333. Setting up Domino Certificate Authority
  - Migrate a Notes Certifier to the CA Process
  - Managing the CA process
  - Add an Internet Certifier to the CA process (this step)
  - Create a Certificate Request database for the Internet Certifier
  - Create a KeyRing.kyr file
  - Set up SSL on the Domino server
  - Install the Domino Internet Certifier Trusted Root certificate into your browser
339. Add an Internet certifier to the CA Process 1
  - Domino Admin client: Configuration, Tools, Registration, Internet Certifier.

343. Add an Internet certifier to the CA Process 2
  - Select "I want to register a new internet certifier that uses the CA process".
    - "I have a keyring file I want to register" would be used if you had an existing Internet Certifier (R5 Certifier Key Ring) you wanted to migrate into the CA process.
  - Click "OK".

344. Add an Internet certifier to the CA Process 3
  - On the Basics tab of the "Register New Internet Certifier" window, again use "Encrypt certifier ID with the Server ID" and click "Create Certifier Name".

345. Add an Internet certifier to the CA Process 4
  - The Common Name field is required.
  - Again, no abbreviations in the State or Province field.
  - You can see the Certifier Name being built as you fill in the various fields.
  - Click "OK".
349. Add an Internet certifier to the CA Process 5: Certificates Tab
  - The "Include CRL distribution point extension" option, enabled by default, sets an attribute that identifies the location of the Certificate Revocation List (CRL).
  - By clicking "Detail" you will see that the location for the CRL will be LDAP on the Domino server. Clients that check revocation must be able to reach that LDAP service, so keep it running and reachable from wherever these certificates will be validated.
  - "Backdate certificate validity" is also enabled by default. It starts the certificate's validity period a little before the moment of issue, so that a client whose clock runs behind the CA's does not reject a freshly issued certificate as not yet valid. The validity period itself is the time interval during which the CA warrants that it will maintain information about the status of the certificate.

352. Add an Internet certifier to the CA Process 5: Certificates Tab continued
  - By default a certifier is permitted to issue certificates for all Key Usage options.
  - The two most common key usages are checked by default:
    - Digital Signature: used when authenticating data origin and integrity.
    - Data Encipherment: used when the public key encrypts user data directly.
354. Add an Internet certifier to the CA Process 6
  - Key Usage defines the purpose of the certificate. You can select all, or restrict it to as few usages as necessary.
  - Other standard Key Usages are:
    - Non-repudiation: used to ensure that the signer of a message cannot later deny having signed it.
    - Key encipherment: used to encrypt (transport) symmetric keys, as in SSL and S/MIME encryption.
    - Key agreement: used when sender and receiver need to derive or agree on a key without using encryption (Diffie-Hellman style); once agreed, this key is then used to encrypt data.
    - Certificate signing: used for verifying a signature on public key certificates.
    - CRL signing: used for verifying a signature on a Certificate Revocation List.
    - Encipher only: must be used in conjunction with Key Agreement; the subject public key may only be used for enciphering data during key agreement.
    - Decipher only: must be used in conjunction with Key Agreement; the subject public key may only be used for deciphering data during key agreement.
  - Extended key usages further refine or restrict the standard key usages.

362. Add an Internet certifier to the CA Process 7
  - Key Usage defines the purpose of the certificate. You can select all, or restrict it to only the few usages that are necessary.
  - Examples of applications and the key usage they require:
    - SSL Client, S/MIME Signing or Object Signing require "Digital Signature".
    - SSL Server and S/MIME Encryption require "Key Encipherment".
    - Certificate Signing requires "Certificate Signing".
  - Choose the options that match your certificate's purpose, and nothing more: an end-entity (server or user) certificate should never carry Certificate Signing or CRL Signing.
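The Key Usage bits described on the two slides above travel in the certificate's keyUsage extension as a DER BIT STRING (RFC 5280, section 4.2.1.3). The Python below is an added example written for this page, not code from the presentation or from Domino: it encodes and decodes that bit string, and checks a certificate's usages against the slide's "Applications and Required Key Usage" table, including the rule that Encipher only and Decipher only mean nothing without Key Agreement and the least-privilege rule that an end-entity certificate should not be able to sign certificates or CRLs. The application labels in REQUIRED_USAGE are names chosen here for the slide's examples. The table reflects RSA key transport as the slide assumes; a server negotiating (EC)DHE key exchange signs the handshake instead and needs Digital Signature.

```python
"""X.509 keyUsage (RFC 5280 section 4.2.1.3): encode, decode and check.

Added example for this page. The application table mirrors the slide's
"Applications and Required Key Usage" list; the labels are assumptions.
"""

# Bit positions in the keyUsage BIT STRING. Bit 0 is the most significant bit
# of the first content octet.
KEY_USAGE_BITS = {
    "digitalSignature": 0,
    "nonRepudiation": 1,   # called contentCommitment in newer X.509 editions
    "keyEncipherment": 2,
    "dataEncipherment": 3,
    "keyAgreement": 4,
    "keyCertSign": 5,
    "cRLSign": 6,
    "encipherOnly": 7,
    "decipherOnly": 8,
}

# What each kind of certificate needs, per the slide (labels chosen here).
REQUIRED_USAGE = {
    "ssl_client": {"digitalSignature"},
    "smime_signing": {"digitalSignature"},
    "object_signing": {"digitalSignature"},
    "ssl_server": {"keyEncipherment"},        # RSA key transport, as on the slide
    "smime_encryption": {"keyEncipherment"},
    "certificate_signing": {"keyCertSign"},
}


def encode_key_usage(usages):
    """DER-encode a set of usage names as the keyUsage BIT STRING (tag 0x03)."""
    bits = sorted(KEY_USAGE_BITS[name] for name in usages)
    if not bits:
        return bytes([0x03, 0x01, 0x00])          # empty BIT STRING
    highest = bits[-1]
    value = bytearray(highest // 8 + 1)
    for bit in bits:
        value[bit // 8] |= 0x80 >> (bit % 8)
    # DER drops trailing zero bits of a named bit list, so the "unused bits"
    # octet is whatever is left after the highest set bit.
    unused = len(value) * 8 - (highest + 1)
    body = bytes([unused]) + bytes(value)
    return bytes([0x03, len(body)]) + body


def decode_key_usage(der):
    """Parse a DER keyUsage BIT STRING back into the set of usage names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported length")
    unused, value = der[2], der[3:]
    if unused > 7 or (not value and unused != 0):
        raise ValueError("bad unused-bits octet")
    total_bits = len(value) * 8 - unused
    return {
        name for name, bit in KEY_USAGE_BITS.items()
        if bit < total_bits and value[bit // 8] & (0x80 >> (bit % 8))
    }


def check_key_usage(usages, application):
    """Return the problems with using a certificate for `application` ([] = fine)."""
    usages = set(usages)
    problems = []
    missing = REQUIRED_USAGE[application] - usages
    if missing:
        problems.append(f"{application} requires {sorted(missing)}")
    # RFC 5280: encipherOnly / decipherOnly are undefined unless keyAgreement is set.
    for only in ("encipherOnly", "decipherOnly"):
        if only in usages and "keyAgreement" not in usages:
            problems.append(f"{only} is set without keyAgreement")
    # Least privilege: an end-entity certificate must not be able to mint
    # certificates or CRLs.
    if application != "certificate_signing":
        for ca_only in ("keyCertSign", "cRLSign"):
            if ca_only in usages:
                problems.append(f"{ca_only} should not be set on a certificate used for {application}")
    return problems


if __name__ == "__main__":
    # The deck's "Default" selection plus Key Encipherment, as chosen for S/MIME.
    smime = {"digitalSignature", "keyEncipherment"}
    der = encode_key_usage(smime)
    print(der.hex(), sorted(decode_key_usage(der)))
    for app in REQUIRED_USAGE:
        print(f"{app:20} {check_key_usage(smime, app) or 'ok'}")
```

The Digital Signature plus Key Encipherment selection the deck ends up with encodes as 03 02 05 A0, the pattern you will see in a typical RSA server certificate; a CA certificate carrying Certificate Signing and CRL Signing encodes as 03 02 01 06. If you dump a Domino-issued certificate and the keyUsage octets differ from what you selected, the certifier's Key Usage restrictions, not the request, are what took effect.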
366. Add an Internet certifier to the CA Process 8
  - Since we are going to be using S/MIME, add "Key Encipherment" to the "Default" selection.

367. Add an Internet certifier to the CA Process 9: On the Misc. tab
  - Click "Create a local copy of the certifier ID".
  - Set the ID file path and name.
  - Enter the password.
  - Click "OK" on the ID file prompt and again on the "Creating certifier" dialog box.
  - In order to have the CA process pick up the new certifier, enter "tell ca refresh" on the Domino Admin Server Console.
371. Setting up Domino Certificate Authority
  - Migrate a Notes Certifier to the CA Process
  - Managing the CA process
  - Add an Internet Certifier to the CA process
  - Create a Certificate Request database for the Internet Certifier (this step)
  - Create a KeyRing.kyr file
  - Set up SSL on the Domino server
  - Install the Domino Internet Certifier Trusted Root certificate into your browser
377. Create Certificate Requests database 1
  - From the Notes client choose File, Application, New.

378. Create Certificate Requests database 2
  - Select Server
  - File Name
  - Database Title
  - Choose Template server
  - Show advanced templates
  - Select "Certificate Requests (8)" certreq.ntf
  - Click "OK"

385. Create Certificate Requests database 3
  - When the database has been created the "About..." document will appear.
  - Review the instructions for using the Certificate Request database.

387. Create Certificate Requests database 4
  - Select the Server and Certifier from the drop-down list.
  - We are going to use this Certificate Request database for both client and server certificates.
  - Set the Validity Period as desired for client requests.
  - The default Key and Extended Key Usages are adequate for our purposes.

391. Create Certificate Requests database 5
  - Select any other "Key Usage" keywords to suit your installation.
  - These are the "Extended Key Usage" options.

393. Create Certificate Requests database 6: Server Request Customization
  - Set the Validity Period as appropriate.
  - Again, the default Key and Extended Key Usages can be set as desired.
  - If you choose Automatic as the processing method, another field, "Automatic Transfer Server", appears for you to specify the server running AdminP to which requests are to be transferred.
  - Mail completed confirmation request to the requestor: "Yes" or "No".
  - Click "Save & Close".
398. Setting up Domino Certificate Authority
  - Migrate a Notes Certifier to the CA Process
  - Managing the CA process
  - Add an Internet Certifier to the CA process
  - Create a Certificate Request database for the Internet Certifier
  - Create a KeyRing.kyr file (this step)
  - Set up SSL on the Domino server
  - Install the Domino Internet Certifier Trusted Root certificate into your browser
404. Create KeyRing.kyr for server-based CA 1
  - Open the "Certificate Requests" database we just created.
  - In the "Domino Key Ring Management" folder, select "Create Key Ring".

407. Create KeyRing.kyr for server-based CA 2
  - Complete the Create Key Ring form as we have in the previous examples.
  - Click "OK" on the Key Ring Created prompt when it appears.

409. Create KeyRing.kyr for server-based CA 3
  - The "Trusted Root" certificate for the Domino Internet CA will automatically be installed into the new KeyRing.kyr file.
  - Note that the CA certificate information we entered when we created the Internet Certifier appears as the Certificate Issuer in the "Merge Trusted Root Certificate Confirmation" dialog box.
  - Verify the information and click "OK".
  - Click "OK" on the "Certificate received into key ring and designated as trusted root" prompt.

412. Create KeyRing.kyr for server-based CA 4
  - When the "Certificate Request Successfully Created for Key Ring" prompt appears, click "OK".

413. Create KeyRing.kyr for server-based CA 5
  - A CSR will automatically be created.
  - Since we selected "Manual" as the processing method in our Certificate Request database, we must submit the request to AdminP for processing.
  - Open the Pending/Submitted Requests view in the Certificate Request database.
  - Select the request.
  - Click "Submit Selected Requests".
  - Click "OK" on the Successfully submitted prompt.

417. Create KeyRing.kyr for server-based CA 6
  - An authorized Registration Authority (RA) must open the Administration Requests database and approve the request:
    - Certificate Request view.
    - Open the new request.

419. Create KeyRing.kyr for server-based CA 7
  - Verify the information. This is the RA's one chance to confirm that the requested name really belongs to the requester; once approved, the certificate is issued.
  - Edit the request.
  - Click "Approve Request".

422. Create KeyRing.kyr for server-based CA 8
  - Open the Certificate Requests database:
    - Pending/Submitted Requests view.
    - Select the document.
    - Click "Pull Selected Requests".
  - Click "OK" on the Successfully pulled prompt.

425. Create KeyRing.kyr for server-based CA 9
  - Open your mail file and locate the "Your certificate request has been approved" message.
  - Copy the pickup ID to your clipboard.

427. Create KeyRing.kyr for server-based CA 10
  - Alternatively, you can open the Certificate Request database.
  - Go to the Issued/Rejected Certificates view.
  - Open the Certificate Issued document.
  - Copy the Pickup ID from the Request ID field.
  - *Not necessary if you copied it from the email message.

431. Create KeyRing.kyr for server-based CA 11
  - Open the Certificate Request database.
  - Click "Pickup Key Ring Certificate".

433. Create KeyRing.kyr for server-based CA 12
  - Input the path and name of your KeyRing.kyr file.
  - Input the password for the KeyRing.kyr file.
  - Paste the Pickup ID into the last field.
  - Click "Pickup Certificate".
  - Verify the information on the "Merge Signed Certificate Confirmation" prompt.
  - Click "OK".

438. Create KeyRing.kyr for server-based CA 13
  - Click "OK" on the Certificate received into key ring prompt.
  - Copy the KeyRing.kyr and KeyRing.sth files to the Domino\Data directory on your server. Together these two files are the server's private key, so if you move them over the network use an encrypted transfer rather than plain FTP.
440. Setting up Domino Certificate Authority
  - Migrate a Notes Certifier to the CA Process
  - Managing the CA process
  - Add an Internet Certifier to the CA process
  - Create a Certificate Request database for the Internet Certifier
  - Create a KeyRing.kyr file
  - Set up SSL on the Domino server (this step)
  - Install the Domino Internet Certifier Trusted Root certificate into your browser
446. Setup SSL on the Domino Server
  - The procedures are the same as listed for the single server or the Internet Sites document in the previous examples.
  - We are going to edit the Internet Site document we used last and replace WildKeyRing.kyr with the DomCAKR.kyr we just created for the Domino Certificate Authority.
  - Then issue "restart task http" from the Domino Admin client Server Console.
449. Setting up Domino Certificate Authority
  - Migrate a Notes Certifier to the CA Process
  - Managing the CA process
  - Add an Internet Certifier to the CA process
  - Create a Certificate Request database for the Internet Certifier
  - Create a KeyRing.kyr file
  - Set up SSL on the Domino server
  - Install the Domino Internet Certifier Trusted Root certificate into your browser (this step)
Install the Domino Internet Certifier Trusted Root Certificate into your browser 1
- Oops. When we browse back to our server, we get the dreaded "There is a problem with this website's security certificate" error.
- Why? The server certificate itself is fine; the browser has no reason yet to trust the CA that issued it (next slide).
Install the Domino Internet Certifier Trusted Root Certificate into your browser 2
- The Certificate Authority that we created is not a trusted authority in the browser.
- You can open standard http:// access and send end users a URL to the Domino CA Certificate Request database. This database has a built-in function to accept the Domino Certificate Authority as a trusted root in their browser, as we are about to see.
- Two things to keep in mind before asking users to click "accept": a plain-HTTP download gives no integrity, so publish the root's thumbprint somewhere users can check it against what the browser shows; and once the root is in the Trusted Root store, the browser trusts every certificate the Domino CA issues, for any host name, so protect the CA and RA roles accordingly.
Install the Domino Internet Certifier Trusted Root Certificate into your browser 3
- Browse to the Domino CA Certificate Request database, http://hotchilies.spicyssl.com/certreq.nsf
- Select "Accept This Authority In Your Browser"
Install the Domino Internet Certifier Trusted Root Certificate into your browser 4
- If the browser displays a warning bar at the top of the window, click on it and then click "Run Add-on".
- Click "Run" on the Security Warning.
- You will be returned to the Domino CA Certificate Requests database.
- Click "Accept This Authority In Your Browser" again.
Install the Domino Internet Certifier Trusted Root Certificate into your browser 5
- Click "Install Certificate"

Install the Domino Internet Certifier Trusted Root Certificate into your browser 6
- Click "Yes" on the Potential Security Violation prompt.
- Click "Yes" on the Security Warning. This Windows dialog shows the SHA-1 thumbprint of the root you are about to trust; compare it with the value your administrator published before clicking "Yes".
Install the Domino Internet Certifier Trusted Root Certificate into your browser 7
- Verify that the Domino CA certificate was installed as a trusted root in your browser.
- Open the browser, click "Tools", then "Internet Options".

Install the Domino Internet Certifier Trusted Root Certificate into your browser 8
- On the "Content" tab, select "Certificates".

Install the Domino Internet Certifier Trusted Root Certificate into your browser 9
- Go to the "Trusted Root Certification Authorities" tab.
- Scroll through the list and you should find your Domino CA certificate.
* An alternate method of installing the Domino CA trusted root certificate is provided as Appendix 1 at the end of the presentation.
Agenda
- It's a matter of Trust & Security
  - Or why Certificates and SSL are necessary
- Definitions
- Using 3rd Party Certificate Authorities
  - Single Host
  - Multi Host with "Wildcard" SSL Certificate
- Domino's Certificate Authority (CA) process
  - Migrating a Notes Certifier into Domino CA
  - Adding an Internet Certifier to the Domino CA
- Secure Email with S/MIME and X.509 Certificates
- Q & A
- Don't forget your evaluations
S/MIME and X.509 Certificates for secure email 1
- Now that we have the Domino Certificate Authority set up with an Internet Certifier, we can issue Internet certificates for our Notes clients.
- The CA's trusted root certificate must be in either the Domino Directory or the client's Contacts database (personal address book); it is much simpler for your Notes clients if it is in the Domino Directory.
- As the administrator for your domain, you must decide:
  - Issue Internet certificates via the Domino Admin client? If your primary goal is S/MIME encrypted email, you can submit Internet certificate requests for your Notes clients from the Domino Admin client. The CA processes the requests, adds the certificates to the Person documents, and they are imported into the Notes ID files automatically.
  - Or require client certificates in the end user's browser for additional access control to your Domino servers? This option requires the end user to submit a request, pick up the signed certificate from the Domino Certificate Request database, and install the certificate into their browser.
  - Or a combination of the two?
S/MIME and X.509 Certificates for secure email 2
- Administrator adds Internet certificates to the Domino Directory:
  - The easiest way to issue X.509 certificates for email encryption is for the Domino administrator to request them via the Domino Administrator client.
  - The CA adds the Internet certificate to the user's Person document in the Domino Directory.
  - When the user authenticates with their home mail server, the Internet certificate is automatically merged into the Notes ID file.
- Client requests an Internet certificate via the browser:
  - Use this if you want browser Internet certificates for authentication and SSL encryption.
  - Browse to and request a certificate from the Certificate Request database.
  - An RA approves the request, the CA processes it, and Domino submits an AdminP request to add the Internet certificate to the Person document in the Domino Directory. The CA emails the end user a pickup ID and the end user installs the certificate into their browser.
  - The client can then merge the certificate into their Notes ID file (see Appendix 3).
S/MIME and X.509 Certificates for secure email 3
Administrator issues an Internet certificate to the Person document
- Be sure the Domino CA process is set up and running
- Open the Domino Admin client
  - People & Groups tab
  - People
  - Select the names to receive Internet certificates
S/MIME and X.509 Certificates for secure email 4
- From the menu bar
  - Click "Actions"
  - Choose "Add Internet Cert to Selected People".

S/MIME and X.509 Certificates for secure email 5
- "Choose a Certifier" prompt box
  - Select your registration server.
  - Select "Use the CA Process".
  - Select your Internet Certifier as the "CA configured certifier".
  - Click "OK".

S/MIME and X.509 Certificates for secure email 6
- Review the information in the "Add Internet Certificate to Selected Entries" box and click "Certify".
- Click "OK" on the Processing Statistics prompt.

S/MIME and X.509 Certificates for secure email 7
- A Certificate Request is added to the AdminP database for each person selected.

S/MIME and X.509 Certificates for secure email 8
- When the CA processes the Certificate Request, it then creates a "Store Certificate in Domino or LDAP Directory" request in the AdminP database.

S/MIME and X.509 Certificates for secure email 9
- After a replication cycle completes to the user's mail server and the user accesses their mail file, Lotus Notes sees that an Internet certificate is available in their Person document and automatically merges it into their Notes ID file.
S/MIME and X.509 Certificates for secure email 10
- To view the Internet certificate information in your Notes ID:
  - File
  - Security
  - User Security
- Enter your password and click "Log In".

S/MIME and X.509 Certificates for secure email 11
- Expand "Your Identity", select "Your Certificates", then choose "Your Internet Certificates" to view your Internet certificate information.
S/MIME and X.509 Certificates for secure email 12
- Now that you have an Internet certificate, how do you exchange secure email with someone else?
- Each side has to obtain the other's public key and establish trust in the CA that issued it (in Notes terms, cross certify).
- You do this by sending each other a "Signed" email. The signed message carries your X.509 certificate, which contains your public key and names your issuing CA.
- Each of you stores the other's certificate in your Contacts database (personal address book) by "Adding Sender to Contacts".
- Then you can send and receive S/MIME encrypted email. Encrypting to someone needs their public key, so until both steps are done in both directions you can only sign, not encrypt.
S/MIME and X.509 Certificates for secure email 13
- Create and sign an email to your associate.
- After creating the message select:
  - Delivery Options
  - Sign
  - OK
  - Send
S/MIME and X.509 Certificates for secure email 14
- When your associate opens the email, they are prompted to "Cross Certify" with the certificate contained in your signature.
- Notice that it is the recipient's own Notes ID that issues the cross certificate, not the organization certifier.
- And the cross certificate is stored in the recipient's "Local" names.nsf, not the Domino Directory, so this trust decision applies to that user only.
- Click "Cross certify".

S/MIME and X.509 Certificates for secure email 15
- Your associate then adds or updates your entry in their Contacts database:
  - Click "More"
  - Add Sender to Contacts
- If you are already in their Contacts, they are prompted to replace the existing contact record.
- Be sure "Include X.509 certificates when encountered" is checked.
- Click "OK"

S/MIME and X.509 Certificates for secure email 16
- A "Contacts successfully updated" prompt appears. Click "OK".
- Your associate must send you a signed message so that you can cross certify with their Internet certificate. Once you have both cross certified and stored each other's public key in your Contacts databases, you can send and receive S/MIME encrypted email to each other.
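The exchange on slides 12 to 16 rests on two separate facts: the signed message carries the signer's certificate, and verifying it is a different thing from trusting its issuer. The following is an added example (my code, not from the deck or IBM) that shows both at the CMS level, which is the structure an S/MIME application/pkcs7-signature part carries; Notes wraps the same thing in a multipart/signed message. It assumes Windows PowerShell and a certificate with a private key in CurrentUser\My identified by the placeholder $Thumbprint, and it signs a small constructed message rather than a real mail.

```powershell
# Added example, not from the deck: sign a constructed message as CMS SignedData with the
# Internet certificate, then verify it as the recipient would, with and without chain trust.
# $Thumbprint is a placeholder; use the thumbprint of your own Internet certificate.
param([string]$Thumbprint = "<thumbprint of your Internet certificate in CurrentUser\My>")
Add-Type -AssemblyName System.Security    # SignedCms / CmsSigner live here in Windows PowerShell

$X = "System.Security.Cryptography.X509Certificates"
$store = New-Object -TypeName "$X.X509Store" -ArgumentList "My", "CurrentUser"
$store.Open("ReadOnly")
$signerCert = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
$store.Close()
if (-not $signerCert) { throw "No certificate with thumbprint $Thumbprint in CurrentUser\My" }

# Constructed sample message body (not a real mail).
$body = [System.Text.Encoding]::UTF8.GetBytes("Constructed sample text for the SHOW104 signing example.")

# Sender side: sign and embed the whole certificate chain, which is what a Notes signed email does.
$content = New-Object -TypeName System.Security.Cryptography.Pkcs.ContentInfo -ArgumentList @(,$body)
$signed  = New-Object -TypeName System.Security.Cryptography.Pkcs.SignedCms -ArgumentList $content, $false   # $false = content attached
$signer  = New-Object -TypeName System.Security.Cryptography.Pkcs.CmsSigner -ArgumentList $signerCert
$signer.IncludeOption = [System.Security.Cryptography.X509Certificates.X509IncludeOption]::WholeChain
$signed.ComputeSignature($signer)
$wire = $signed.Encode()     # DER bytes; this is what travels inside the signed mail

# Recipient side: decode and pull out the embedded certificates, i.e. the "public key information".
$received = New-Object -TypeName System.Security.Cryptography.Pkcs.SignedCms
$received.Decode($wire)
foreach ($c in $received.Certificates) {
    "embedded: {0} (issued by {1})" -f $c.Subject, $c.Issuer
}

# 1) Signature only: proves the message was signed by the key matching the embedded certificate.
$received.CheckSignature($true)       # throws on a bad signature
"signature verifies against the embedded certificate"

# 2) Signature plus chain: fails until this machine trusts the issuing CA,
#    the counterpart of the "Cross certify" prompt in Notes.
try {
    $received.CheckSignature($false)
    "issuer chain is trusted on this machine"
}
catch {
    Write-Warning ("signature OK but issuer not trusted: " + $_.Exception.Message)
}
```

On a machine where the Domino CA root is not installed, step 1 succeeds and step 2 warns with a chain error: the public key arrived fine, but nothing yet says it belongs to the person named in it. That is the gap cross certifying closes, and it is why "Add Sender to Contacts" alone is not enough.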
S/MIME and X.509 Certificates for secure email 17
- When you receive an encrypted email, your Notes client automatically decrypts the message when it is opened.
- The status bar at the bottom of your Notes client displays "Decrypting document...".
S/MIME and X.509 Certificates for secure email 18
- Little bug...
  - Server Configuration document
  - MIME
  - Advanced
  - Advanced Outbound Message
  - RFC822 Phrase Handling
- If this is set to "Use CN as phrase" to get friendly reply addresses, and you send your signed message (and so your public key) to a Notes client at another company, they will have trouble adding your public key to their Contacts database.
Q & A

Don't forget your evaluations
Links for more information
- http://en.wikipedia.org/wiki/Transport_Layer_Security
- http://www.redbooks.ibm.com/abstracts/redp0046.html?Open
- http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf (page 66)
- Frequently Asked Questions: Using SSL with Notes and Domino
  - http://www-01.ibm.com/support/docview.wss?uid=swg21218820
Appendices
- Appendix 1: Install the Domino CA Certifier Trusted Root Certificate, alternate method
- Appendix 2: Requesting, Processing & Installing a Client Certificate from a Domino CA
- Appendix 3: Export an X.509 Certificate from your browser and Import it into your Notes ID
Appendix 1 Install the Domino CA Certifier Trusted Root Certificate alternate method 1
- Click "Continue to this website (not recommended)".
- Then click on the "Certificate Error" in the browser bar.

Appendix 1 Install the Domino CA Certifier Trusted Root Certificate alternate method 2
- The Untrusted Certificate explanation appears.
- Click "View certificates".

Appendix 1 Install the Domino CA Certifier Trusted Root Certificate alternate method 3
- Go to the "Certification Path" tab.
- Notice at the bottom of the dialog: "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."
- Double click on the Certificate Authority name, NOT the server name. The server's own certificate is not a CA certificate, and trusting it directly would have to be repeated for every server and every renewal.

Appendix 1 Install the Domino CA Certifier Trusted Root Certificate alternate method 4
- Click "Install Certificate".
- The Certificate Import Wizard launches.
- Click "Next".

Appendix 1 Install the Domino CA Certifier Trusted Root Certificate alternate method 5
- Select "Place all certificates in the following store".
- Click "Browse".
- Select "Trusted Root Certification Authorities".
- Click "OK".

Appendix 1 Install the Domino CA Certifier Trusted Root Certificate alternate method 6
- Click "Next".
- Then click "Finish".

Appendix 1 Install the Domino CA Certifier Trusted Root Certificate alternate method 7
- Click "Yes" on the Security Warning prompt. You reached this certificate through a page the browser could not validate, so the thumbprint shown in this dialog, checked against the one your administrator published, is the only thing that ties it to your Domino CA.
- Click "OK" on "The import was successful" prompt.

Appendix 1 Install the Domino CA Certifier Trusted Root Certificate alternate method 8
- Close and re-launch your browser. When you browse to your server this time you should no longer receive a security warning. You should see the lock icon and be prompted for your user name and password.
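Both of the browser procedures above (the "Accept This Authority In Your Browser" path in the main section and the Certificate Error path in this appendix) end with a user clicking "Yes" on a thumbprint they rarely read. The script below is an added example (my code, not from the deck or IBM) of the same result done deliberately: it takes the Domino CA root as a .cer file, refuses it unless the SHA-1 thumbprint matches a value received out of band, checks that it really is a self-signed CA certificate and not the server certificate, installs it in the per-user Trusted Root store, and verifies it is there. The file path and expected thumbprint are placeholders.

```powershell
# Added example, not from the deck: scripted, pinned install of the Domino CA root into the
# current user's Trusted Root store. $RootFile and $ExpectedThumbprint are placeholders; the
# thumbprint must come from the administrator through a channel other than the download itself.
param(
    [string]$RootFile = "C:\Temp\DominoCA.cer",
    [string]$ExpectedThumbprint = "<SHA-1 thumbprint published by your Domino administrator>"
)
$X = "System.Security.Cryptography.X509Certificates"

$root = New-Object -TypeName "$X.X509Certificate2" -ArgumentList $RootFile

# 1. Pin: refuse anything whose thumbprint is not the announced one. The placeholder never matches.
$expected = ($ExpectedThumbprint -replace "[^0-9A-Fa-f]", "").ToUpper()
if ($root.Thumbprint -ne $expected) {
    throw ("Thumbprint mismatch: file has {0}, expected {1}. Not installing." -f $root.Thumbprint, $expected)
}

# 2. Sanity: it must be a self-signed CA certificate, not the server's own certificate
#    (Appendix 1 makes the same point: pick the CA name, not the server name).
$basic = $root.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if ($root.Subject -ne $root.Issuer -or -not $basic -or -not $basic.CertificateAuthority) {
    throw "$RootFile is not a self-signed CA certificate"
}

# 3. Install. Windows still shows the "Security Warning" dialog from the slides for the per-user
#    Root store; the thumbprint it displays should equal $expected.
$store = New-Object -TypeName "$X.X509Store" -ArgumentList "Root", "CurrentUser"
$store.Open("ReadWrite")
$store.Add($root)
$store.Close()

# 4. Verify, the scripted form of Tools > Internet Options > Content > Certificates.
$store.Open("ReadOnly")
$found = $store.Certificates.Find("FindByThumbprint", $root.Thumbprint, $false)
$store.Close()
if ($found.Count -ne 1) { throw "Root not present in CurrentUser\Root after import" }
"Installed trusted root: {0} (SHA-1 {1}, expires {2:u})" -f $root.Subject, $root.Thumbprint, $root.NotAfter
```

For a fleet of domain-joined Windows clients the cleaner answer is not to have users do this at all: publish the root once through Group Policy (Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities), which installs it in the machine store with no per-user prompt and removes the plain-HTTP download from the trust path entirely.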
Appendix 2 Requesting, Processing & Installing a Client Certificate from a Domino CA 1
- Whether you are requesting a client certificate from a 3rd party CA or a Domino CA, the procedure is basically the same.
- Browse to the CA's website.
- Request a client certificate.
- The CA processes the certificate request.
- The CA notifies you via email that the certificate is ready for pickup.
- Browse to the CA's pickup site.
- Paste in the pickup ID.
- Install the trusted root and signed certificate into your browser.
- Do the request and the pickup from the same browser and Windows user profile: the private key is generated in the browser when the request is made, and the pickup ID only retrieves the signed certificate that has to match it.
Appendix 2 Requesting, Processing & Installing a Client Certificate from a Domino CA 2
- Browse to your Domino CA's Certificate Request database
- Select "Request Client Certificate"

Appendix 2 Requesting, Processing & Installing a Client Certificate from a Domino CA 3
- Complete the "Client Request Form".
- Remember: no abbreviations in the State/Province field.
- Domino defaults to a "High Grade" key for client certificates.
- Submit the certificate request.
- "Certificate Request Has Been Submitted" is displayed on success.

Appendix 2 Requesting, Processing & Installing a Client Certificate from a Domino CA 4
- The next 3 procedures are performed by the Registration Authority (RA)
- Open the Certificate Request database
  - Pending/Submitted Requests view
  - Select the appropriate document(s)
  - Click "Submit Selected Requests"

Appendix 2 Requesting, Processing & Installing a Client Certificate from a Domino CA 5
- Admin Requests database
  - Certificate Request view
  - Open the new Request document

Appendix 2 Requesting, Processing & Installing a Client Certificate from a Domino CA 6
- Click "Edit Request"
- Click "Approve Request"

Appendix 2 Requesting, Processing & Installing a Client Certificate from a Domino CA 7
- Return to the Certificate Request database
  - Pending/Submitted view
  - Click "Pull Selected Requests"
- Click "OK"

Appendix 2 Requesting, Processing & Installing a Client Certificate from a Domino CA 8
- The client receives an email with the pickup ID.
- Copy the pickup ID to your clipboard.

Appendix 2 Requesting, Processing & Installing a Client Certificate from a Domino CA 9
- Browse back to the Certificate Request application
- Click "Pick Up Client Certificate"

Appendix 2 Requesting, Processing & Installing a Client Certificate from a Domino CA 10
- Paste the pickup ID into the Pickup ID field
- Click "Pick Up Client Certificate"
- Click "Install Certificate"

Appendix 2 Requesting, Processing & Installing a Client Certificate from a Domino CA 11
- Click "OK"
Appendix 3 Export a X.509 Certificate from your browser and Import into your Notes ID 1
- Once a certificate has been installed into your browser, you can export the certificate and then import it into your Notes ID file to be used for S/MIME secure email.
- I will be exporting and importing a VeriSign personal certificate in this example.
- Open your browser and select
  - Tools
  - Internet Options

Appendix 3 Export a X.509 Certificate from your browser and Import into your Notes ID 2
- On the "Content" tab
- Click "Certificates"

Appendix 3 Export a X.509 Certificate from your browser and Import into your Notes ID 3
- On the "Personal" tab
- Select the certificate
- Click "Export"
Appendix 3 Export a X.509 Certificate from your browser and Import into your Notes ID 4
- The "Certificate Export Wizard" launches.
- Select "Yes" to export the private key
- Click "Next"

Appendix 3 Export a X.509 Certificate from your browser and Import into your Notes ID 5
- Select "Personal Information Exchange - PKCS #12 (.PFX)" as the format.
- Be sure to select "Include all certificates in the certification path if possible"
- Click "Next"
NOTE: If you fail to select "Include all certificates in the certification path if possible", you will get an error when you try to import your certificate into your Notes ID, because Notes needs the issuing CA certificate(s) as well as your own.

Appendix 3 Export a X.509 Certificate from your browser and Import into your Notes ID 6
- Input and confirm a password to protect your private key.
- Click "Next"
- Select the folder
- Input a file name
- Click "Save"

Appendix 3 Export a X.509 Certificate from your browser and Import into your Notes ID 7
- Click "Next"
- Review the information
- Click "Finish"

Appendix 3 Export a X.509 Certificate from your browser and Import into your Notes ID 8
- Click "OK" on the "Exporting your private exchange key" prompt.
- Click "OK" on the "Export successful" prompt.
- The .pfx file now holds your private key protected only by the password you typed. Choose a real password, keep the file off shared drives and email, and delete it once the Notes import succeeds.
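The one step in this appendix that silently goes wrong is the "Include all certificates in the certification path" checkbox, which only shows up as a failure later in Notes. The following is an added example (my code, not from the deck or IBM) of the same export done from PowerShell with the chain built explicitly, followed by a re-read of the .pfx to confirm what it actually contains before handing it to the Notes client. It uses only .NET Framework classes available on the Windows versions shown in the slides; the thumbprint, output path and password are placeholders.

```powershell
# Added example, not from the deck: export the personal certificate with its private key and the
# full certification path as PKCS #12, then verify the chain is really in the file.
# $Thumbprint, $PfxPath and $Password are placeholders.
param(
    [string]$Thumbprint = "<thumbprint of the certificate on the Personal tab>",
    [string]$PfxPath = "$env:USERPROFILE\JohnCert.pfx",
    [string]$Password = "change-me-before-use"   # the password you will type into Notes on import
)
$X = "System.Security.Cryptography.X509Certificates"

$store = New-Object -TypeName "$X.X509Store" -ArgumentList "My", "CurrentUser"
$store.Open("ReadOnly")
$cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint }
$store.Close()
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in CurrentUser\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; there is nothing to export for Notes" }

# Build the path the same way the wizard's "Include all certificates in the certification path" does.
$chain = New-Object -TypeName "$X.X509Chain"
$chain.ChainPolicy.RevocationMode = "NoCheck"   # a private Domino CA usually publishes no CRL reachable from here
if (-not $chain.Build($cert)) {
    # Build returns $false when any element has a status (e.g. UntrustedRoot); the elements are still filled in.
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}
$bundle = New-Object -TypeName "$X.X509Certificate2Collection"
foreach ($element in $chain.ChainElements) { [void]$bundle.Add($element.Certificate) }

# Pkcs12 export of a collection includes the private key of any member that has an exportable one.
$bytes = $bundle.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs12, $Password)
[System.IO.File]::WriteAllBytes($PfxPath, $bytes)

# Re-read the file and report what is in it; Notes rejects a file that carries only the end-entity certificate.
$check = New-Object -TypeName "$X.X509Certificate2Collection"
$check.Import($PfxPath, $Password, "DefaultKeySet")
$withKey = @($check | Where-Object { $_.HasPrivateKey })
$caCerts = @($check | Where-Object { -not $_.HasPrivateKey })
"{0}: {1} certificate(s) with private key, {2} CA certificate(s)" -f $PfxPath, $withKey.Count, $caCerts.Count
foreach ($c in $caCerts) { "  chain: {0}" -f $c.Subject }
if ($caCerts.Count -eq 0) { throw "Certification path missing from $PfxPath; the Notes import will fail" }
```

The count line is the check the wizard never gives you: for a certificate issued by the Domino Internet Certifier you should see one certificate with a private key and at least one CA certificate. If the CA count is zero, the chain could not be built on this machine, usually because the Domino root is not in the Trusted Root store yet (see the main section and Appendix 1), and the file should not be imported until that is fixed.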
Appendix 3 Export a X.509 Certificate from your browser and Import into your Notes ID 9
- Open your Notes client
  - File
  - Security
  - User Security
- Input your password

Appendix 3 Export a X.509 Certificate from your browser and Import into your Notes ID 10
- Expand "Your Identity"
  - Your Certificates
  - Your Internet Certificates
  - Get Certificates

Appendix 3 Export a X.509 Certificate from your browser and Import into your Notes ID 11
- Select "Import Internet Certificates"
- Browse to the .pfx file you just exported.
- Click "Open"

Appendix 3 Export a X.509 Certificate from your browser and Import into your Notes ID 12
- Select "PKCS 12 encoded"
- Click "Continue"
- Input the password used when you exported the key.
- Click "OK"

Appendix 3 Export a X.509 Certificate from your browser and Import into your Notes ID 13
- Review the certificates contained in the file and select "Accept All".

Appendix 3 Export a X.509 Certificate from your browser and Import into your Notes ID 14
- Input your Notes password
- Click "Log In"
- Click "OK"