39. The server returns “Use this algorithm” it's random number and digital certificate.
40. The browser verifies that it trust's the server's certificate and extracts the server's public key. It then uses that public key to encrypt a pre-master key and sends it to the server.
41.
42.
43. The base of a PKI is the Certificate Authority (CA) that issues digital certificates to authenticate the identity of servers and individuals.
44. PKIs are based on the public/private key pair of the CA's Root Key.
45. The subject's public key, known to everyone, is used to encrypt data.
46. The private or secret key is used to decrypt received data.
47. If the private key of the CA's Root Key is ever compromised, all the digital certificates created by that CA are vulnerable.
48.
49.
50.
51.
52. Most browsers already trust these authorities, so end user configuration is not required.
53. If the certifier is pre-configured as trusted in the email system, external mail client configuration is reduced.
54. Overall, the cost of supporting a 3 rd Party System can be less than that of a Closed System.
55.
56. Go Daddy has grown rapidly over the last few years due to their aggressive pricing model and holds the number two position per netcraft.com
57.
58.
59.
60.
61.
62.
63.
64. X.509 is an International Telecommunications Union Transmission (ITU-T) standard for public key infrastructure (PKI). It specifies standard formats for public key certificates, certificate validation and certificate revocation lists.
65. Digital Certificates are issued by a CA after the CA has verified that the public key belongs to a specific subject.
66. A Digital Certificate contains both CA and subject information including the subject's public key. The CA signs the certificate by creating a digest of all the fields in the certificate and then encrypts the digest with it's private key.
67. The encrypted digest is called a “digital signature”, and when placed into the X.509 certificate, the certificate is said to be signed.
104. Given the advances in computing power, some believe that it will be possible to break a 1024-bit key in the near future.
105. Some 3 rd Party CAs will not accept a CSR with less than 2048 key size any longer, and others are currently in the process of phasing out their lower sized certificates.
106. Keep in mind this could cause issues when you try to renew existing certificates of lower key strength, in which case you will be required to create a new Key Ring file and CSR for your servers.
115. Write down the password of the KeyRing.kyr file, put it in a “sealed envelope” and store it in a safe place. You are going to need the password again when it comes time to renew the certificate.
116. If you are getting a single server certificate the Common Name is the URL name to which the server responds. A simple 1 character mistake will cause an invalid name prompt when the certificate is presented to the browser.
117. The Organization (and optional Organization Unit) fields must be completed as accurately as possible with the legal name of the company.
118. Use the City and State of the Organization’s address and NO ABBREVIATIONS in the State or Province name.
357. Key agreement – used when sender and receiver need to derive or agree on a key without using encryption, once agreed, this key is then used to encrypt data
394. Again the default Key and Extended Key Usages can be set as desired.
395. If you choose Automatic as the processing method, another field “Automatic Transfer Server” will appear for you to specify the server running AdminP and to which requests are to be transferred.
410. Note the CA Certificate information we entered when we created the Internet Certifier appears as the Certificate Issuer in the “Merge Trusted Root Certificate Confirmation” dialog box.
447. We are going to Edit the Internet Site document we used last and replace the WildKeyRing.kyr with the DomCAKR.kyr we just created for Domino Certificate Authority.
485. The CA’s Trusted Root Certificate must be in either the Domino Directory or the client’s contact database (personal address book), however it’s much simpler for your Notes clients if it’s in the Domino Directory.
486.
487. Or do you want to require Client Certificates in the end user’s browser for additional access control to your Domino servers? This option requires an end user to submit a request and pickup the signed certificate from the Domino Certificate Request database and then install the certificate into their browser?
488.
489.
490.
491. An RA approves the request, the CA processes the request, and Domino submits an AdminP request to add the Internet Certificate to the person document in the Domino Directory. The CA emails the end user a pickup ID and then the end user installs the certificate into their browser.