Each Internet certifier you create requires a Certificate
Requests database (CERTREQ.NSF) to manage the
server keyring file and allow users to request client certificates
from the browser or through email. This database stores active certificate
and revocation requests that have been submitted to the Administration
Process for processing. Using a browser-based interface, servers and
clients request certificates and pick up issued certificates.
About this task
You can store Certificate Requests databases on any server
in the domain, including servers that reside outside of a network
firewall.
For more information on using the Certificate Requests
database to process certificate requests, see the related information.
Procedure
- Choose and select the server to
store the Certificate Requests database.
- Enter the database title, for example Certificate
Requests.
- Enter the file name, for example certreq.nsf.
- Choose the Certificate Requests template (CERTREQ.NTF).
- Click OK. When the Certificate Requests
database has been created, it will open and the "About..." document
will appear.
- Close the "About..." document, and the Database Configuration
form will appear.
- In the Database Administration section,
complete these fields:

Table 1. Database Administration section

| Field | Action |
|---|---|
| Supported CA | Do the following: (1) In the Server field, enter the name of the server that hosts the Internet certifier. (2) In the Certifier field, enter the name of the Internet certifier to associate with the Certificate Requests database. |
| Supported certificate types | Choose one: (a) Client certificates only -- Select this option if the certifier will issue client Internet certificates. Do not select this option if you want to create a server key ring for SSL. If you select this option, you must customize client requests. (b) Server certificates only -- Select this if the certifier will issue server Internet certificates. If you select this option, you must customize server requests. (c) Both client and server certificates -- Select this if the certifier will issue both client and server Internet certificates. If you select this option, then you need to customize both server and client requests. |

- Optional: In the Client Request
Customization section, complete these fields:

Table 2. Client Request Customization section

| Field | Action |
|---|---|
| Validity period | Enter the number of years that client requests generated with this database will specify as a validity period, beginning at the time of request submission. Default is 1 year. |
| Key usages | Choose the default key usage that will be submitted in client certificate requests generated from this database. Default settings are Key Encipherment and Digital Signature, which are sufficient for a client S/MIME certificate. |
| Extended key usages | Choose the default extended key usage that will be submitted in client certificate requests generated from this database. Default settings are Client Authentication and Email Protection. |

- Optional: In the Server Request
Customization section, complete these fields:

Table 3. Server Request Customization fields

| Field | Action |
|---|---|
| Validity period | Enter the number of years that server requests generated with this database will specify as a validity period, beginning at the time of request submission. Default is 1 year. |
| Key usages | Choose the default key usage that will be submitted in server certificate requests generated from this database. Default settings are Key Encipherment and Digital Signature, which are sufficient for an SSL server certificate. |
| Extended key usages | The default extended key usage that will be submitted in server certificate requests generated from this database. Default is Server Authentication. |

- For Processing method, choose the
method by which requests are submitted to the Administration Process:
  - Manual (default) -- Choose this if you want an administrator to
  review requests submitted to the Certificate Requests database and approve or
  deny each request individually before it is submitted to the Administration
  Request database (admin4.nsf) for further processing.
  - Automatic -- Choose this to have requests submitted to the Administration
  Request database processed without administrator intervention. Requests
  will be approved or denied according to the certificate policy. If
  this method is chosen, the Automatic Transfer Server field
  appears, in which you need to specify the server that runs the administration
  process and to which certificate requests will automatically be transferred.
  Note: If the Automatic method is chosen, the administrator (signer
  of the agent) must be listed in the group of users who can run unrestricted
  methods and operations on the server. This can be set on the Security
  tab in the Server document. There must also be a replica of the Certificate
  Requests database on the specified transfer server.
- For Mail notification, choose whether
or not to send e-mail notification when a certificate request has
been processed by the CA.
  - Yes (default) -- Choose this if you want the requester to
  be notified by e-mail when a certificate request has been processed
  by the CA.
  - No -- Choose this if you do not want the requester to be notified
  by e-mail when a certificate request has been processed by the CA.
- Click Save & Close.
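
After a certificate requested through this database has been issued and picked up, its extensions can be compared with the defaults listed in Tables 2 and 3. The script below is an added example, not part of the product documentation: it assumes the openssl command-line tool and a certificate exported as a PEM file, and the function names are its own.

```shell
#!/bin/sh
# Added example: compare an issued certificate with the request defaults in
# Tables 2 and 3. Needs the openssl CLI; function names are this example's own.

ext_values() {  # print the value line that follows extension header $1
    awk -v h="$1" 'index($0, h) { getline; sub(/^ +/, ""); print; exit }'
}

require() {  # require LABEL HAVE WANTED... ; reports each WANTED absent from HAVE
    label=$1 have=$2; shift 2
    for want in "$@"; do
        case $have in
            *"$want"*) ;;
            *) echo "missing $label: $want"; rc=1 ;;
        esac
    done
}

# check_cert_profile CERT.pem client|server [YEARS]  (YEARS defaults to 1)
# Prints one line per deviation; returns 0 when the certificate matches.
check_cert_profile() {
    cert=$1 kind=$2 years=${3:-1} rc=0
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) ||
        { echo "cannot parse $cert"; return 2; }
    ku=$(printf '%s\n' "$text" | ext_values 'X509v3 Key Usage')
    eku=$(printf '%s\n' "$text" | ext_values 'X509v3 Extended Key Usage')
    require 'key usage' "$ku" 'Digital Signature' 'Key Encipherment'
    case $kind in
        client) require 'extended key usage' "$eku" \
                    'TLS Web Client Authentication' 'E-mail Protection'
                other='TLS Web Server Authentication' ;;
        server) require 'extended key usage' "$eku" 'TLS Web Server Authentication'
                other='TLS Web Client Authentication' ;;
        *) echo "unknown certificate type: $kind"; return 2 ;;
    esac
    case $eku in *"$other"*) echo "outside $kind defaults: $other"; rc=1 ;; esac
    # -checkend exits 0 when the certificate is still valid after N seconds,
    # i.e. its remaining lifetime exceeds the configured validity period.
    if openssl x509 -in "$cert" -noout -checkend $((years * 366 * 86400)) >/dev/null
    then echo "expires more than $years year(s) from now"; rc=1
    fi
    return $rc
}

if [ $# -ge 2 ]; then check_cert_profile "$@"; fi
```

If the customization sections were changed from their defaults, adjust the required usages and the YEARS argument to match what the database was configured to request.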