Configuring Domino SSL Certificates and S/MIME Secure Email Messaging

6. Learn what a Wildcard certificate is and how it potentially saves your organization money and maintenance hassle.

7. Learn the difference between self-certifying and using a 3 rd Party certificate authority and why you'd want to pay for the 3 rd Party.

8. Learn how to send and receive encrypted email for secure communications.

11. You have “Create Database” privileges in your Domino environment.

12. You have at least Editor access to the Domino Directory with NetCreator and UserCreator roles.

18. Q & A

28. Q & A

31. Public Key Infrastructure (PKI)

32. Certificate Authority (CA)

33. Certificate Signing Request (CSR)

39. The server returns “Use this algorithm” it's random number and digital certificate.

40. The browser verifies that it trust's the server's certificate and extracts the server's public key. It then uses that public key to encrypt a pre-master key and sends it to the server.

43. The base of a PKI is the Certificate Authority (CA) that issues digital certificates to authenticate the identity of servers and individuals.

44. PKIs are based on the public/private key pair of the CA's Root Key.

45. The subject's public key, known to everyone, is used to encrypt data.

46. The private or secret key is used to decrypt received data.

47. If the private key of the CA's Root Key is ever compromised, all the digital certificates created by that CA are vulnerable.

52. Most browsers already trust these authorities, so end user configuration is not required.

53. If the certifier is pre-configured as trusted in the email system, external mail client configuration is reduced.

54. Overall, the cost of supporting a 3 rd Party System can be less than that of a Closed System.

56. Go Daddy has grown rapidly over the last few years due to their aggressive pricing model and holds the number two position per netcraft.com

64. X.509 is an International Telecommunications Union Transmission (ITU-T) standard for public key infrastructure (PKI). It specifies standard formats for public key certificates, certificate validation and certificate revocation lists.

65. Digital Certificates are issued by a CA after the CA has verified that the public key belongs to a specific subject.

66. A Digital Certificate contains both CA and subject information including the subject's public key. The CA signs the certificate by creating a digest of all the fields in the certificate and then encrypts the digest with it's private key.

67. The encrypted digest is called a “digital signature”, and when placed into the X.509 certificate, the certificate is said to be signed.

72. Q & A

75. Create a KeyRing file

76. Creating a Certificate Signing Request (CSR)

77. Retrieve SSL Certificate from Vendor

78. Trusted Root and Intermediate Certificates

79. Install Server SSL Certificate

84. SSL Certificate Warranty

85. Website Security Seals

88. Creating a Certificate Signing Request (CSR)

89. Retrieve SSL Certificate from Vendor

90. Trusted Root and Intermediate Certificates

91. Install Server SSL Certificate

95. Open

97. Select “Server Certificate Admin” (certsrv.nsf)

98. Click “Open” Certificate Admin – 3. Click Open

101. Input and confirm the password.

104. Given the advances in computing power, some believe that it will be possible to break a 1024-bit key in the near future.

105. Some 3 rd Party CAs will not accept a CSR with less than 2048 key size any longer, and others are currently in the process of phasing out their lower sized certificates.

106. Keep in mind this could cause issues when you try to renew existing certificates of lower key strength, in which case you will be required to create a new Key Ring file and CSR for your servers.

110. Organization and Optional fields

111. NO ABBREVIATIONS in “State or Province” field,

112. 2 character country code

115. Write down the password of the KeyRing.kyr file, put it in a “sealed envelope” and store it in a safe place. You are going to need the password again when it comes time to renew the certificate.

116. If you are getting a single server certificate the Common Name is the URL name to which the server responds. A simple 1 character mistake will cause an invalid name prompt when the certificate is presented to the browser.

117. The Organization (and optional Organization Unit) fields must be completed as accurately as possible with the legal name of the company.

118. Use the City and State of the Organization’s address and NO ABBREVIATIONS in the State or Province name.

119. Enter the standard 2 Character Country code for your country.

126. Retrieve SSL Certificate from Vendor

127. Trusted Root and Intermediate Certificates

128. Install Server SSL Certificate

133. Select “Paste into form on CA's site”

144. Create a KeyRing file

146. Trusted Root and Intermediate Certificates

147. Install Server SSL Certificate

151. Create a KeyRing file

152. Creating a Certificate Signing Request (CSR)

154. Install Server SSL Certificate

157. If your CA is not included in the list, their Trusted Root Certificate will need to be imported.

158. Note: There is a VeriSign Intermediate CA included. It may or may not be the correct one for your certificate.

159. Many CAs will now require an Intermediate Certificate as well as their Trusted Root.

162. If they are not, include follow the vendor's instructions and download them.

168. Type the Certificate Label that will appear when you choose “View & Edit Key Ring” (why I keep it open on the desktop).

178. Create a KeyRing file

179. Creating a Certificate Signing Request (CSR)

180. Retrieve SSL Certificate from Vendor

185. Select File or Clipboard as Certificate Source as appropriate.

192. Create a KeyRing file

193. Creating a Certificate Signing Request (CSR)

194. Retrieve SSL Certificate from Vendor

195. Trusted Root and Intermediate Certificates

201. Server – Current Server Document

202. Edit Server

207. Choose No for the Client certificate option (we haven’t issued any client certificates)

212. Enter the URL for your server

215. The Browser does not display any error prompts.

219. Q & A

222. When we browse to hotchilies.spicyssl.com everything is fine.

223. But when we browse to inotes.spicyssl.com

224. We get: “There is a problem with this website’s security certificate”.

228. hotchilies.spicyssl.com

229. inotes.spicyssl.com

230. traveler.spicyssl.com

237. Create a KeyRing file*

238. Creating a Certificate Signing Request (CSR)

239. Retrieve SSL Certificate from Vendor

240. Trusted Root and Intermediate Certificates

241. Install Server SSL Certificate

244. Create a new KeyRing.kyr file

249. Retrieve SSL Certificate from Vendor

250. Trusted Root and Intermediate Certificates

251. Install Server SSL Certificate

255. Basics tab

256. Enable “Load Internet configurations from Servernternet Sites documents

259. Configuration Tab

260. Web

261. Internet Sites

262. Add Internet Site

265. Organization

269. Require Name & Password for SSL Authentication

278. Q & A

281. It allows you to off-load the tasks of Notes ID creation and Certificate issuing to others without giving them your certifier ids and passwords.

282. Internet certificate request are processed more easily.

285. Managing the CA process

286. Add an Internet Certifier to the CA process

287. Create a Certificate Request database for the Internet Certifier

288. Create a KeyRing.kyr file

289. Set up SSL on the Domino server

292. Tools

293. Certification

301. It is suggested that you leave the default path and name of the ICL database.

304. Only a CAA can edit the “Password recovery” information in a certifier.

305. The CAA can also add and edit the roles assigned to others.

306. A CAA must have at least “Editor” access to the Domino Directory.

308. Can revoke certificates that can no longer be trusted.

317. Add an Internet Certifier to the CA process

318. Create a Certificate Request database for the Internet Certifier

319. Create a KeyRing.kyr file

320. Set up SSL on the Domino server

323. tell ca refresh – causes the CA task to reload the certifiers list (certifiers will need to be unlocked or activated again

324. tell ca quit – stops the CA task

325. tell ca stat – displays summary information about the certifiers including it’s number

326. tell ca activate certifier number <password> - activates a specific certifier

327. tell ca unlock <pathile.id> <password> - unlocks all certifiers the id protects

331. Q & A

335. Create a Certificate Request database for the Internet Certifier

336. Create a KeyRing.kyr file

337. Set up SSL on the Domino server

340. Tools

341. Registration

346. Again, no abbreviations in the State or Province field.

347. You can see the Certifier Name being built as you fill in the various fields.

350. By clicking “Detail” You will see the location for the CRL will be LDAP on the Domino server

356. Key encipherment – used for data encryption protocol in SSL and S/MIME

357. Key agreement – used when sender and receiver need to derive or agree on a key without using encryption, once agreed, this key is then used to encrypt data

358. Certificate signing – used for verifying a signature on public key certificates

359. CRL signing – used for verifying a signature on Certificate Revocation List

360. Encipher only – must be used in conjunction with Key Agreement – the subject public key may only be used for encrypting data

364. SSL Server and S/MIME Encryption require “Key Encipherment”.

368. Set ID File path and name.

369. Enter the password.

372. Managing the CA process

374. Create a KeyRing.kyr file

375. Set up SSL on the Domino server

379. File Name

380. Database Title

381. Choose Template server

382. Show advanced templates

383. Select “Certificate Requests (8)” certreq.ntf

388. We are going to use this Certificate Request database for both Client and Server Certificates.

389. Set the Validity Period as deisred for Client Requests.

394. Again the default Key and Extended Key Usages can be set as desired.

395. If you choose Automatic as the processing method, another field “Automatic Transfer Server” will appear for you to specify the server running AdminP and to which requests are to be transferred.

396. Mail completed confirmation request to the requestor “Yes or No”.

399. Managing the CA process

400. Add an Internet Certifier to the CA process

402. Set up SSL on the Domino server

405. In the “Domino Key Ring Management folder”.

410. Note the CA Certificate information we entered when we created the Internet Certifier appears as the Certificate Issuer in the “Merge Trusted Root Certificate Confirmation” dialog box.

415. Select the request.

420. Edit the request.

423. Select the document.

428. Go to the Issued/Rejected Certificates view.

429. Open the Certificate Issued document.

434. Input the password for the KeyRing.kyr file.

435. Paste the Pickup ID into the last field.

441. Managing the CA process

442. Add an Internet Certifier to the CA process

443. Create a Certificate Request database for the Internet Certifier

447. We are going to Edit the Internet Site document we used last and replace the WildKeyRing.kyr with the DomCAKR.kyr we just created for Domino Certificate Authority.

450. Managing the CA process

451. Add an Internet Certifier to the CA process

452. Create a Certificate Request database for the Internet Certifier

453. Create a KeyRing.kyr file

462. You will be returned to the Domino CA Certificate Requests database.

467. Click “Tools”

474. Managing the CA process

475. Add an Internet Certifier to the CA process

476. Create a Certificate Request database for the Internet Certifier

477. Create a KeyRing.kyr file

478. Set up SSL on the Domino server

482. Q & A

485. The CA’s Trusted Root Certificate must be in either the Domino Directory or the client’s contact database (personal address book), however it’s much simpler for your Notes clients if it’s in the Domino Directory.

487. Or do you want to require Client Certificates in the end user’s browser for additional access control to your Domino servers? This option requires an end user to submit a request and pickup the signed certificate from the Domino Certificate Request database and then install the certificate into their browser?

491. An RA approves the request, the CA processes the request, and Domino submits an AdminP request to add the Internet Certificate to the person document in the Domino Directory. The CA emails the end user a pickup ID and then the end user installs the certificate into their browser.

495. People

500. Select “Use the CA Process”.

501. Select your Internet Certificate as the “CA configured certifier”.

509. Security

513. You have to Cross Certify and swap public keys with the other person.

514. You do this by sending each other a “Signed” email. The signature contains your public key information.

515. Each must store the other’s public key in their Contact database (Personal Address Book) by “Adding Sender to Address Book”.

519. Sign

520. OK

523. Notice that it is your ID that is doing the cross certification.

524. And the server to contain the certificate will be the “Local” names.nsf.

528. Be sure “Include X.509 certificates when encountered” is checked.

534. MIME

535. Advanced

536. Advanced Outbound Message

545. http://www.redbooks.ibm.com/abstracts/redp0046.html?Open

546. http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf (page 66)

556. The Certificate Import Wizard will launch.

559. Click “Browse”.

560. Select “Trusted Root Certification Authorities”.

568. Request a Client Certificate.

569. The CA will process the Certificate Request.

570. The CA will notify you via email that the certificate is ready for pickup.

571. Browse to the CA’s Pickup site.

572. Paste in the Pickup ID.

577. Remember – No abbreviations in State/Province field.

578. Domino defaults to a “High Grade” Key for client certificates.

579. Submit Certificate Request.

582. Pending/Submitted Request view

583. Select appropriate document(s)

586. Certificate Request view

591. Pending/Submitted view

598. Click “Pick Up Client Certificate”

602. I will be exporting and importing a VeriSign Personal Certificate in this example.

608. Select the certificate

613. Be sure to select “Include all certificates in the certification path if possible”

617. Input a file name

623. File

624. Security

625. User Security

628. Your Certificates

629. Your Internet Certificates