Configure Lotus Domino to use a third-party CA (Microsoft Windows CA)


Introduction: This article describes how to configure a digital certificate issued by a third-party CA in Lotus Domino for SSL login to the Domino web pages, and how to use a third-party CA certificate for signing and encrypting Internet mail. Taking Windows CA as an example, it walks through the whole process of certificate application, registration, and use.

Label of this article: Security and Configuration


Release date: April 14, 2011
Level: Intermediate

Preface

What is a CA?

CA is the abbreviation of certificate authority, the body that issues, manages, and revokes digital certificates. The CA places its public key in a root certificate and publishes it on the Internet, so that the server and personal certificates it issues can be verified against it. Digital certificates are used on the Internet for identity authentication, digital signatures, encryption, and similar operations to protect information.

Domino Security Mechanism

Lotus Domino/Notes also needs an authentication mechanism to ensure the identity of servers and individual users and the security of information. Unlike a CA on the Internet, each Domino server and user has a unique ID file, and all these ID files are issued by a root certifier ID. This root is the last component of the hierarchical Notes name. Domino uses the ID file for mail encryption and decryption and for identity authentication.

Why use a third-party CA?

To allow Domino users to authenticate reliably and communicate securely on the Internet outside the Notes world, a CA is needed that issues digital certificates complying with Internet standards. Lotus Domino also includes a CA service, so you can configure a Domino server as a CA and use the certificates issued by the Domino CA for SSL, or for Internet mail signing, encryption, and other operations.

As mentioned above, there are independent certification authorities on the Internet, and the root certificates of the common trusted CAs are already loaded into common browsers and servers. Domino can therefore be configured to use a third-party CA. This article takes Certification Authority on Windows Server 2003 as an example so that readers can follow the entire process of applying for server certificates and personal certificates from a third-party CA while using Domino. It describes how to configure Domino to use the digital certificate issued by a third-party CA for SSL login to the Domino web pages, and how to use the third-party CA certificate for signing and encrypting Internet mail.


Part 1: Apply for a server certificate for Domino

1. Create a key ring file in Domino

The key ring file holds a key pair, that is, a public key and a private key. In the Domino Administrator client, open the Server Certificate Admin database (certsrv.nsf) and select "1. Create Key Ring" on the right, as shown in Figure 1.

Figure 1. Create a key ring

Enter the necessary information in the form and click "Create Key Ring". Note that the common name must be entered correctly as the server host name, because it is used in later steps. After the key ring is created, it is saved in the Notes data directory with the default name keyfile.kyr.

2. Submit the server certificate application using Domino

Domino must generate a server certificate request and provide it to the third-party CA. Still in the Server Certificate Admin database, select "2. Create Certificate Request". Click the button in the form that appears and the certificate request is generated; its content is the part between the BEGIN and END lines, as shown in Figure 2.

Figure 2. Create a certificate request

Copy the request, including the BEGIN and END lines, to the clipboard and paste it into the third-party CA's web form.

3. Apply for a server certificate from Windows CA

Open the Windows CA web site home page http://<windowscahost>/certsrv. Click Request a certificate, then Advanced certificate request, then Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file. A certificate request form appears. Paste the request content from the previous step into "Saved Request" and click Submit, as shown in Figure 3.

Figure 3. Submit a certificate request

4. Approve the certificate request in Windows CA

Log on to the Windows server and open Certification Authority from Administrative Tools. In the CA, open the "Pending Requests" node on the left and select the submitted request in the right view. Right-click it and choose All Tasks > Issue.

The certificate issued by the CA carries the CA's signature, which anyone holding the CA's public key (from the root certificate) can verify, so it proves the certificate's authority.

5. Download the server certificate and Windows CA root certificate

Return to the Windows CA web site home page, select View the status of a pending certificate request, select the request submitted in the previous step, and on the next page select Base 64 encoded to download the certificate.

Go back to the Windows CA web site home page and select Download a CA certificate. In the form, select Base 64 as the encoding method and click Download CA certificate to save the CA root certificate locally. It is needed in later steps.

6. Install the trusted root certificate into the Domino key ring

Before installing the server certificate into the key ring, you must first install the CA's trusted root certificate. Some CAs also use intermediate certificates; in that case, after installing the root certificate, install the intermediate certificate before the server certificate. Only with the complete chain can the origin and authority of the server certificate be verified.

By default, Domino already contains common CA root certificates such as VeriSign and Entrust. You can view the installed trusted roots in the Server Certificate Admin database by selecting View & Edit Key Rings on the left, as shown in Figure 4.

Figure 4. Browse the key ring list

This article uses Windows CA for testing, so its trusted root is not included in Domino and must be installed with the following steps.

In the Server Certificate Admin database, select Create Key Rings & Certificates on the left, then "3. Install Trusted Root Certificate into Key Ring". In the form that follows, select the key ring file name and the path and file name of the CA root certificate, that is, the root certificate file downloaded from the Windows CA web site in the previous step, as shown in Figure 5.

Figure 5. Install a trusted root certificate

After the installation completes, select the correct key ring file as shown in Figure 4 to confirm that the root certificate is listed.

7. Install the server certificate to the key ring

Next, install the server certificate file downloaded in step 5 into the Domino key ring. In the Server Certificate Admin database, select "4. Install Certificate into Key Ring" and select the correct file name in the form that appears, as shown in Figure 6.

Figure 6. Install a certificate into the key ring


Part 2: Configure Domino SSL

Copy the key ring files (by default keyfile.kyr and its stash file keyfile.sth) from the local data directory of the Notes client to the data directory on the Domino server. Then update the Server document or Internet Site document to enable SSL, as shown in Figure 7.

Figure 7. Server document

Make sure you enter the correct key ring file name without an absolute path, and enable the SSL port for the web. Optional configuration: under the authentication options, set Client certificate to Yes and Name & password to No. A browser in which a personal certificate is installed can then log on to the Domino web site with only the personal certificate, without entering a password.

Restart the Domino HTTP task by running the "tell http restart" command on the Domino server console.


Part 3: Apply for a personal digital certificate

1. Install the CA root certificate

Install the CA's root certificate in the browser that will apply for the personal certificate. You can open the root certificate file and click "Install Certificate", or visit the Windows CA web site home page http://<windowscahost>/certsrv, select Download a CA certificate, and click Install this CA certificate chain on the next page.

2. Apply for a personal digital certificate

Return to the CA web site home page, select Request a certificate, and then select Web browser certificate. Enter the necessary information in the form, as shown in Figure 8.

Figure 8. Apply for a personal digital certificate

After submitting the request, approve it in the Windows CA as described in step 4 of Part 1.

Install the personal certificate in the browser used for the request. On the CA web page, select View the status of a pending certificate request and install the certificate as prompted.

If the browser is Microsoft Internet Explorer, you can view the certificate under Internet Options: select the Content tab and click Certificates. On the Personal tab you can see that the personal certificate has been installed in the browser, as shown in Figure 9.

Figure 9. Internet Options

3. Register the personal certificate in the Domino Directory

Create a new database in Domino from the Domino Certificate Publication Requests template. Open the browser in which the personal certificate was requested and installed, and access the database at https://<dominohost>/domcertpubreq.nsf, where domcertpubreq.nsf is the file name of the newly created Certificate Publication Requests database.

Note that HTTPS is used in the address.

The browser automatically prompts you to select a personal certificate; choose the certificate to be registered and click OK.

Enter the user name and other information in the form that appears and click the Submit Certificate button, as shown in Figure 10.

Figure 10. Register a browser certificate

Next, open the Certificate Publication Requests database in Notes and go to Submitted Certificates > Waiting for Approval. Double-click the request you just submitted, select the user in the Domino address book in the form, and click "Accept", as shown in Figure 11.

Figure 11. Accept the request

The Domino administration process automatically adds the certificate to the user's Person document in the selected Domino address book. After a moment, the user receives an email notification, and the Internet certificate can be seen in the Person document, as shown in Figure 12.

Figure 12. The certificate added to the user's Person document


Part 4: Domino uses a third-party CA digital certificate to send and receive S/MIME mail

When the personal certificate was requested from the Windows CA, the Web browser certificate type was selected, so that certificate can only be used for client login authentication. As mentioned in Part 2, Domino can be configured so that the web site can be logged on to with a certificate only.

For sending and receiving S/MIME mail, that is, signing and encrypting Internet mail with a digital certificate, the steps are similar to those in Part 3, but the certificate type requested must be E-mail protection certificate. Some CAs put identity authentication and mail encryption in the same digital certificate, which is simpler.

The following describes how Domino users can send and receive S/MIME mail using a third-party CA certificate. The author has requested E-mail protection certificates for users in two Domino address books; see Part 3 of this article for the procedure.

Taking the Microsoft Outlook Express mail client as an example, select the correct personal certificate in the account settings to send S/MIME mail, as shown in Figure 13.

Figure 13. Select a personal certificate

Use Outlook to send a signed email to another Domino user. When that user opens the mail in Notes, the status bar shows the signature information "signed by zhangsan zhangsan@ibmtest.com on XXXX, according Si Li/IBM", which indicates that the email was signed with the sender's private key.

The recipient of the signed email also receives the sender's public key, which both Notes and Outlook save automatically. When the recipient replies or sends a new email to the sender, the other party's public key can therefore be chosen for encryption, and S/MIME mail can be sent and received in both directions.
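Before a Base 64 certificate downloaded from the CA goes into the Domino key ring or a mail client, it is worth checking that it chains to the CA root (Part 1, steps 6 and 7), that its CN is the Domino host name (Part 1, step 1), and that its Extended Key Usage permits what Part 4 needs. The following shell functions, an added example rather than anything from the article or from Domino, do those checks with openssl; the CA and certificates they build are constructed fixtures standing in for what the Windows CA would issue.

```shell
# Added example, not from the original article: pre-installation checks for
# certificates downloaded from the CA, using the openssl command.
set -e

# verify_chain ROOT.pem LEAF.pem [INTERMEDIATE.pem]: succeeds if LEAF chains to ROOT.
verify_chain() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# cert_cn CERT.pem: prints the subject CN, which for a server certificate must
# equal the host name entered when the key ring was created.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# has_eku CERT.pem TEXT: succeeds if the Extended Key Usage names that purpose,
# e.g. "E-mail Protection" (S/MIME) or "TLS Web Client Authentication" (browser
# login). A "Web browser certificate" lacks E-mail Protection, so S/MIME fails.
has_eku() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$2"
}

# issue_leaf DIR NAME SUBJECT EKU: constructed test data, one certificate signed
# by the throw-away CA in DIR (stands in for what the Windows CA would issue).
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "$3" -keyout "$1/$2.key" \
    -out "$1/$2.csr" >/dev/null 2>&1
  printf 'extendedKeyUsage=%s\n' "$4" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 2 -extfile "$1/$2.ext" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_fixtures DIR: throw-away root CA plus a server, a browser-login and an
# S/MIME certificate, all constructed here for the demonstration.
make_fixtures() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Windows CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
  issue_leaf "$1" server  "/CN=domino.example.test" serverAuth
  issue_leaf "$1" browser "/CN=zhangsan" clientAuth
  issue_leaf "$1" mail    "/CN=zhangsan/emailAddress=zhangsan@example.test" emailProtection
}
```

With real files, call verify_chain with the downloaded root, the downloaded server certificate and, if the CA uses one, the intermediate certificate; a failure here means the key ring would also end up with an incomplete chain.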


About the author

Zhao Lihua is a software engineer at the IBM China Software Development Lab and has been engaged in Lotus Domino testing for many years.
