SECURITY


Creating the Certificate Requests database
Each Internet certifier you create requires a Certificate Requests database (CERTREQ.NSF) to manage the server keyring file and allow users to request client certificates from the browser or through email. This database stores active certificate and revocation requests that have been submitted to the Administration Process for processing. Using a browser-based interface, servers and clients request certificates and pick up issued certificates.

You can store Certificate Requests databases on any server in the domain, including servers that reside outside of a network firewall.

For more information on using the Certificate Requests database to process certificate requests, see the topic "SSL and S/MIME for clients."

To create the Certificate Requests database

1. Choose File - Application - New and select the server to store the Certificate Requests database.

2. Enter the database title and file name -- for example: Certificate Requests and certreq.nsf.

3. Choose the Certificate Requests template (CERTREQ.NTF).

4. Click OK. When the Certificate Requests database has been created, it will open and the "About..." document will appear.

5. Close the "About..." document, and the Database Configuration form will appear.

6. In the Database Administration section, complete these fields:
   Field: Supported CA
   Action: Do the following:
     1. In the Server field, enter the name of the server that hosts the Internet certifier.
     2. In the Certifier field, enter the name of the Internet certifier to associate with the Certificate Requests database.

   Field: Supported certificate types
   Action: Choose one:
     • Client certificates only -- Select this option if the certifier will issue client Internet certificates. Do not select this option if you want to create a server key ring for SSL. If you select this option, you must customize client requests.
     • Server certificates only -- Select this option if the certifier will issue server Internet certificates. If you select this option, you must customize server requests.
     • Both client and server certificates -- Select this option if the certifier will issue both client and server Internet certificates. If you select this option, you must customize both server and client requests.

7. (Optional) In the Client Request Customization section, complete these fields:
   Field: Validity period
   Action: Enter the number of years that client requests generated with this database will specify as a validity period, beginning at the time of request submission. Default is 1 year.

   Field: Key usages
   Action: Choose the default key usage that will be submitted in client certificate requests generated from this database. Default settings are Key Encipherment and Digital Signature, which are sufficient for a client S/MIME certificate.

   Field: Extended key usages
   Action: Choose the default extended key usage that will be submitted in client certificate requests generated from this database. Default settings are Client Authentication and Email Protection.

8. (Optional) In the Server Request Customization section, complete these fields:
   Field: Validity period
   Action: Enter the number of years that server requests generated with this database will specify as a validity period, beginning at the time of request submission. Default is 1 year.

   Field: Key usages
   Action: Choose the default key usage that will be submitted in server certificate requests generated from this database. Default settings are Key Encipherment and Digital Signature, which are sufficient for an SSL server certificate.

   Field: Extended key usages
   Action: The default extended key usage that will be submitted in server certificate requests generated from this database. Default is Server Authentication.

9. For "Processing method," choose the method by which requests are submitted to the Administration Process:


10. For "Mail notification," choose whether or not to send e-mail notification when a certificate request has been processed by the CA.

11. Click Save & Close.
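
One way to check a certificate picked up from this database against the request defaults listed in steps 7 and 8 (an added example, not part of the Domino documentation or product). It assumes the certificate has been exported to a PEM file and that OpenSSL 1.1.1 or later is installed; check_cert_defaults and make_sample_cert are hypothetical helper names, and the test certificate is a constructed self-signed one.

```shell
# Added example: compare an issued certificate (PEM) with the request defaults
# this page lists. Not Domino code; the PEM export step is an assumption.

# check_cert_defaults <cert.pem> <client|server>
# Returns 0 when key usage, extended key usage and lifetime match the defaults.
check_cert_defaults() {
    cert=$1; kind=$2; rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 2

    # Both request types default to Digital Signature + Key Encipherment.
    ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
    for want in 'Digital Signature' 'Key Encipherment'; do
        case $ku in *"$want"*) ;; *) echo "missing key usage: $want"; rc=1 ;; esac
    done

    # OpenSSL's display names for the extended key usages named on this page.
    case $kind in
        client) set -- 'TLS Web Client Authentication' 'E-mail Protection' ;;
        server) set -- 'TLS Web Server Authentication' ;;
        *) echo "kind must be client or server"; return 2 ;;
    esac
    eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
    for want in "$@"; do
        case $eku in *"$want"*) ;; *) echo "missing extended key usage: $want"; rc=1 ;; esac
    done

    # Default validity is 1 year from submission, so a freshly issued certificate
    # should expire within 366 days. -checkend exits 0 when it will NOT expire.
    if openssl x509 -in "$cert" -noout -checkend $((366 * 86400)) >/dev/null; then
        echo "valid for more than 1 year"; rc=1
    fi
    return $rc
}

# make_sample_cert <out.pem> <extendedKeyUsage list> <days>
# Builds a constructed self-signed test certificate (not a Domino-issued one).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=constructed.example' \
        -keyout "$1.key" -out "$1" -days "$3" \
        -addext 'keyUsage=digitalSignature,keyEncipherment' \
        -addext "extendedKeyUsage=$2" 2>/dev/null
}
```

If the defaults in the Client or Server Request Customization sections were changed, adjust the expected usages and the 366-day limit to match.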
