SECURITY


Administering a Domino CA
There are a number of tasks associated with managing a certifier. If you implement a certifier that uses the CA process, you can delegate IBM® Lotus® Notes® and Internet certificate request approval and denial to other administrators, each of whom acts as a registration authority.

Note Many of the manual tasks associated with managing a CA prior to IBM® Lotus® Domino® 6 are now automated when you use the CA process.

Domino certificate authority administrator tasks

The Lotus Domino certificate authority administrator (CAA) is responsible for these tasks:


The CAA must have at least Editor access to the master Lotus Domino Directory for the domain.

As a best practice, designate at least two CAAs for each certifier. You then have a backup if one leaves the organization.

Note By default, the administrator who creates a certifier is automatically designated as both a CAA and an RA for that certifier. When you create additional CAAs, they must be assigned the RA role in order to approve or deny a certificate request.

Domino Registration Authority administrator tasks

A registration authority (RA) administrator approves or denies Lotus Notes or Internet certificate requests, and, if necessary, revokes Internet certificates. While a CA administrator can also be a registration authority, the main advantage of having a separate RA role is to offload these tasks from the Lotus Domino and/or CA administrator. Moreover, the Lotus Domino administrator can establish one or more RAs for each certifier enabled for the CA process.

An RA should approve only those requests that will be accepted by the certifier. The CA Configuration and Certificate Profile documents, stored in the CA's ICL database, describes what is acceptable. A current valid copy of the document is also stored with the certifier document as an attachment.

Lotus Domino administrators who register Lotus Notes users should also be listed as RAs for the Lotus Notes certifier, to minimize the steps that are needed to have a certificate issued by the certifier.

If you are using the Web Administrator client, you need to set up a server-based certification authority to register Lotus Notes users. The Web administrator, as well as the server on which the Web Administrator database resides, must be listed as an RA for that certifier.

The Lotus Domino Registration Authority (RA) administrator is responsible for these tasks:


Note If you need RAs to be able to register users, they must have at least Author access to the master Lotus Domino Directory for the domain, with both the privilege "Create document" and role "User Creator" enabled. This is the same access required by a Lotus Domino administrator to register Lotus Notes users.

Related topics