Illustrated guide: configuring the Domino CA to support SSL
There are some texts on the Internet titled "How to configure Domino CA to support SSL", but the versions in circulation show only the obscure text without the original illustrations, and because the text is a Chinese translation there are some differences between the translator's understanding and the actual English-language environment. In addition, some of the explanations are incomplete, so I experimented with it myself and provide the result here in text form for readers to refer to. The experiment platform in this article is Domino 7.

[Guide] The Domino CA's SSL support is available in versions later than R4.61. The following uses R5 as an example to describe how to configure SSL (Secure Socket Layer). The configuration in R4.6x and R6.x is basically the same.
Procedure
(1) Configure the certificate authority server
1 Create the certificate authority database
   1) Click the menu "File" -- "Database" -- "New"
   2) Server: select the certificate authority server
      Template: click "Show advanced templates" and select the "Domino R5 Certificate Authority" template (cca50.ntf)
      Database name: certca.nsf (this name must be used in R4.6x)
   3) Click "OK"
2 Configure the certificate authority database
   1) Open the certificate authority database and click the "Certificate Authority Configuration" view on the left
   2) Click "Create Certificate Authority Key File and Certificate" on the right
      Key file information:
         Key file name: the name of the file that stores the certificate authority key and certificate, relative to the data directory of the Administrator client; if the file is in another directory, enter the absolute path. The default value is cakey.kyr
         Key file password: a password of at least six characters is recommended
         Confirm password: re-enter the password
         Key size: select 512 or 1024 (1024 is the stronger of the two; 512-bit RSA keys are considered insecure today)
      Distinguished name: a unique identifier for the certificate authority, including
         Common name: the name of the certificate authority, such as cyber ca
         Organization: the company name, such as cyber
         State/Province: at least three characters, such as Beijing
         Country: the two-character country code, for example CN
      Click "Create Certificate Authority Key File". A window is displayed showing the certificate authority information; click "OK".
   3) Click the option on the right for configuring the certificate authority profile. (boiled beans note: the translation of the original text is wrong here. If the certificate authority profile is not configured correctly, there will be a lot of headaches later when applying for a server certificate: "Type mismatch". What is terrible is that even after this error you can still generate a certificate. If you already have this error, reconfigure the profile here, delete the server key file under notes\data\, and then redo the subsequent steps.) Configure the related options and click "Save and Close".
   4) Click "Create Server Key File and Certificate" on the right
      Server key file information:
         Key file name: the name of the file that stores the server key and certificate, relative to the data directory of the Administrator client; if the file is in another directory, enter the absolute path. The default value is keyfile.kyr
         Key file password: a password of at least six characters is recommended
         Confirm password: re-enter the password
         Key size: select 512
         Certificate authority certificate ID: enter the certificate authority name, for example cyber CA
      Server distinguished name: a unique identifier for your site, including
         Common name: the server name
      Click the "Create Server Key File" button, enter the password of the certificate authority key file, and click "OK". A window is displayed showing the server key file information; click "OK".
(2) Configure the certificate authority server document
1 Open the Public Address Book database (boiled beans note: this so-called Public Address Book is the well-known names.nsf. Note also that you must select the Domino Directory rather than the Notes personal directory; many people go around in circles here), select the "Servers" subview under the "Server" view, and edit the document of the CA server.
2 Click the tab "Ports" -- "Internet Ports" -- "Web"
   SSL key file name: enter the name of the CA server's key file, relative to the data directory of the server; if the file is in another directory, enter the absolute path. The default value is keyfile.kyr
   SSL port: 443
   SSL port status: Enabled
   Authentication options: select the authentication methods as needed (client certificate, name and password, anonymous)
3 Restart the server for the change to take effect
4 Start the HTTP server task
(3) Configure the Server Certificate Admin database and apply to the CA server for a certificate for the Web server
Note: this database is generated automatically by the system. If your Web server and the CA server are the same Domino server, the Web server uses the CA server's certificate and you do not need to configure this step.
1 Open the Server Certificate Admin database (certsrv.nsf) and click the "Create Key File and Certificate" view on the left (boiled beans note: the screens from here on are similar to the previous figures, so no more figures are included)
2 Click "Create Key File" on the right. The process is the same as "Create Certificate Authority Key File and Certificate" above.
3 Click "Create Certificate Request" on the right, confirm the key file name, and select the request method. There are two: paste into a form on the CA's site, or send to the CA through e-mail; the following uses the first as an example. Click "Create Certificate Request", enter the password of the server's key file, and click "OK". In the certificate request window that follows, copy all the characters of the section shown below to the clipboard and click "OK".
4 Submit the certificate request
   Start the browser and enter http://caservername/certca.nsf in the URL, where caservername is the name of your CA server. Click "Request Server Certificate" on the left, enter the contact information on the right, paste the clipboard contents from the previous step into the field below, and click "Submit Certificate Request".
5 Extract the certificate authority certificate as the trusted root certificate
   Start the browser and enter http://caservername/certca.nsf in the URL, where caservername is the name of your CA server. Click "Accept This Authority In Your Server" on the left, and copy the section at the bottom of the right side of the screen to the clipboard.
6 Install the certificate authority certificate in the server key file as the trusted root certificate
   1) Open the Server Certificate Admin database (certsrv.nsf) and click the "Create Key File and Certificate" view on the left
   2) Click "Install Trusted Root Certificate into Key File" on the right and confirm the key file name
      Certificate ID: enter the certificate authority name, for example cyber CA
      Certificate source: select "Clipboard" and paste the clipboard contents from the previous step into the field below
      Click "Merge Trusted Root Certificate into Server Key File" and enter the certificate authority password. Click "OK" to view the merged information, click "OK", then click "OK".
7 The certificate authority administrator approves the certificate request
   1) Open the certificate authority database and click "Server Certificate Requests" on the left
   2) The certificate request document submitted by the Web server appears on the right. Open this document, modify the validity period, note down the pickup ID, click the "Approve" button, enter the certificate authority password, click "OK", enter the host name of the site, and click "OK".
8 Extract the server certificate
   Start the browser and enter http://caservername/certca.nsf in the URL, where caservername is the name of your CA server. Click "Extract Server Certificate" on the left, enter the pickup ID you noted down on the right, click "Extract Signed Certificate", and copy all the characters of the section shown below to the clipboard.
9 Install the signed certificate in the server key file
   1) Open the Server Certificate Admin database (certsrv.nsf) and click the "Create Key File and Certificate" view on the left
   2) Click "Install Certificate into Key File" on the right and confirm the key file name
      Certificate source: select "Clipboard" and paste the clipboard contents from the previous step into the field below
      Click "Merge Certificate into Server Key File" and enter the certificate authority password. Click "OK" to view the merge information, click "OK", then click "OK".
10 Configure the Web server document
   1) Open the Public Address Book database, select the "Servers" subview under the "Server" view, and edit the Web server document
   2) Click the tab "Ports" -- "Internet Ports" -- "Web"
      SSL key file name: enter the key file name of the Web server, relative to the data directory of the server; if the file is in another directory, enter the absolute path. The default value is keyfile.kyr
      SSL port: 443
      SSL port status: Enabled
      Authentication options: select the authentication methods as needed (client certificate, name and password, anonymous)
   3) Restart the server for the change to take effect
   4) Start the HTTP server task
(4) Configure the browser to apply for a certificate from the CA server
1 Make the browser trust the certificate authority
   Start the browser and enter http://caservername/certca.nsf in the URL, where caservername is the name of your CA server. Click "Accept This Authority In Your Browser" on the left, then click "Accept This Authority In Your Browser" in the window on the right. Click "Next" five times in a row, enter the certificate authority name, such as cyber CA, and click "Finish". (boiled beans note: I did not seem to see any options at this step; it was downloaded directly.)
2 Submit a certificate request from the browser
   Start the browser and enter http://caservername/certca.nsf in the URL, where caservername is the name of your CA server. Click "Request Client Certificate" on the left, enter the certificate information and contact information in the window on the right, set the key length to 512, and click "Submit Certificate Request". In the private key generation window click "OK", set the Communicator password, and click "OK".
3 The certificate authority administrator approves the certificate request
   1) Open the certificate authority database and click "Client Certificate Requests" on the left
   2) The certificate request document submitted by the client appears on the right. Open this document, select "Register certificate user name in Public Address Book", select the user who will use the certificate from the address book, modify the validity period, note down the pickup ID, click "Approve", enter the certificate authority password, and click "OK".
4 Extract the client certificate
   Start the browser and enter http://caservername/certca.nsf in the URL, where caservername is the name of your CA server. Click "Extract Client Certificate" on the left, enter the pickup ID you noted down on the right, click "Extract Signed Certificate", and then click "Accept Certificate".
5 (Optional) If you are using a third-party CA, click "Register Client Certificate" on the left.
(boiled beans note: access over SSL will fail if keyfile is in the notes\data directory rather than the Domino\data directory; copy all keyfile files to Domino\data.)

After the configuration is complete, you can access the Web server by entering https:// in the URL. At this point the tutorial comes to an end. In this article, the CA, the server and the Web server used for testing are all on one machine; if they are on different machines there may be some problems. I think that when configuring a large application system such as Domino we should stick to the principle of understanding first rather than simply copying by rote; that way we can stay composed in a complex network environment and become qualified integration engineers.