A critical area in security planning is determining whether and how to set up a certificate authority to issue Internet certificates. A certificate authority (CA), or certifier, is a trusted administration tool that issues and maintains digital certificates. Certificates verify the identity of an individual, a server, or an organization, and allow them to use SSL to communicate and to use S/MIME to exchange mail. Certificates are stamped with the certifier's digital signature, which assures the recipients of the certificate that the bearer of the certificate is the entity named in the certificate. Certifiers can also issue trusted root certificates, which allow clients and servers with certificates created by different CAs to communicate with one another.
Note: It's important to distinguish between Notes® certifiers and Internet certifiers. When you install and set up the first Domino® server in a domain, a Notes certifier is automatically set up to issue Notes certificates to Notes clients. These certificates are essential for Notes clients to authenticate with a Domino server and for Domino servers to authenticate one another. Hence Notes certifiers are important even in an environment where all clients are Web clients. An Internet certifier, such as those discussed here, issues Internet (X.509) certificates, which are required for secure communication over the Internet. You set up Internet certifiers on an as-needed basis.
Choosing the correct Internet certifier for your organization
You have several options for setting up an Internet certifier for your organization (for the rest of this topic, all references to certifier mean 'Internet' certifier). You can use a third-party commercial certifier, such as VeriSign, or you can use one of the two types of Domino Internet certifiers. There are advantages and disadvantages involved with each type of certifier; the choice you make should be determined by the business requirements of your organization, as well as the time and resources available for managing the certifier.
Internet certifiers: Domino compared to third-party
Table 1. Internet certifiers

Internet certifier type: Domino certifier
Benefits:
- Avoid the expenses that a third-party certifier charges to issue and renew client and server certificates.
- Because many administrators are already familiar with Domino, they will not require the additional training that would be needed to use a third-party certifier.
- Easier and quicker to set up and deploy new certificates as needed.

Internet certifier type: Third-party certifier (VeriSign, RSA, etc.)
Benefits:
- Can simplify client configuration. If you get certificates from a certifier that is pre-configured as trusted by the browsers you use, it saves a step in client configuration.
- Similarly, if the certifier is pre-configured as trusted in the mail clients of the external businesses with which you are exchanging S/MIME mail, it will save them a configuration step.
Domino Internet certifiers: server-based certification authority compared to Domino 5 certificate authority
You can choose to set up a Domino certification authority, which uses the server-based CA process, or a Domino 5 certificate authority, which uses a CA key ring.
Table 2. Domino Internet certifiers

Domino Internet certifier type: Server-based certification authority
Benefits:
- Administrators can manage both Notes® and Internet certifiers through the CA process.
- Issues Internet certificates that are compliant with security industry standards (such as X.509v3 and PKIX).
- Does not require administrator access to the certifier ID and ID password in order to register users and servers. This allows administrators to delegate these tasks without potentially compromising the certifier.
- Supports the PKIX registration authority (RA) role, which allows administrators to delegate the certificate approval/denial process.
- Issues certificate revocation lists (CRLs), which contain information about revoked or expired Internet certificates.
- Required if you plan to use the Web Administrator client to register Notes users.

Domino Internet certifier type: Domino 5 certificate authority
Benefits:
- Provides a simple means by which to set up an Internet certifier for testing or demonstration purposes.
Using both types of Domino Internet CAs in a domain
It is possible to have both types of certifiers -- CA process and CA key ring -- in a domain. However, you must be careful not to have one certifier that uses both a key ring and the CA process to issue Internet certificates. A CA process-enabled certifier tracks the certificates that it issues in an Issued Certificate List (ICL), a database accessible to all servers in a domain. On the other hand, a key-ring-style certifier creates its logs on whichever workstation it is used from, so there is no centralized list of issued certificates (just multiple partial lists). Therefore, any certificates issued using the CA process won't be recognized by a CA key ring, just as any certificates that were created using a CA key ring file won't be recognized by the CA process.
This is a problem for Internet certifiers especially, because it is possible to revoke Internet certificates in server-based certification authorities. To revoke an Internet certificate, however, you must select it in the ICL. If the certificate was initially issued using a key ring, it won't appear in the ICL, so it cannot be revoked.
Therefore, it is strongly advised that you choose one way to operate -- CA process or CA key ring -- for each certifier.
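The trust relationships this topic describes (a certifier stamping certificates with its signature, a client trusting only certificates that chain to the root it holds, and the certifier's central record of revocations being published as a CRL) can be exercised with Go's standard crypto/x509 package. This is an added example written for this page, not Domino code: Go's library stands in for the certifier, the certifier and host names are constructed, and the CRL plays the role of the central revocation record that a key-ring certifier lacks.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must keeps the example short; real code would return the error to the caller.
func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}
// newCert issues a certificate for name signed by parentKey; with parent == nil it is a self-signed certifier (root) whose key may sign certificates and CRLs.
func newCert(name string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
		parent, parentKey = t, key
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)))), key
}
// CRL publishes the certifier's central record of revoked certificates, signed with the certifier key.
func CRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*x509.Certificate) []byte {
	list := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour)}
	for _, r := range revoked {
		list.RevokedCertificates = append(list.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: r.SerialNumber, RevocationTime: time.Now()})
	}
	return must(x509.CreateRevocationList(rand.Reader, list, ca, caKey))
}
// Trusted is the relying party's check: cert chains to root, crlDER is root's own CRL, and cert is not listed on it.
func Trusted(cert, root *x509.Certificate, crlDER []byte) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	crl, err := x509.ParseRevocationList(crlDER)
	if _, verr := cert.Verify(x509.VerifyOptions{Roots: pool}); verr != nil || err != nil || crl.CheckSignatureFrom(root) != nil {
		return false
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return false
		}
	}
	return true
}
```

A certificate that the certifier never recorded (here, one signed by a different root) can neither be trusted nor revoked through this CRL, which is the situation the ICL discussion above describes.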