Lotus Domino Administrator 8.5 Help - Recertifying a certifier ID or a user ID

USER AND SERVER CONFIGURATION

Recertifying a certifier ID or a user ID
Use this procedure to recertify a certifier ID or a user ID with the same certifier ID that was used previously to certify the certifier ID or user ID. Certifier IDs are used to certify other certifiers, servers, and users. A certifier ID issues a certificate to another user, server or certifier that is on the hierarchical level immediately below the certifier. For example, in the Organizational Unit Sales/NYC/ACME, NYC is the certifier for Sales; ACME is the certifier for NYC. The Organization certifier, in this case ACME, can certify itself.

You can also recertify a user ID with a different certifier ID, that is, a certifier ID other than the one used to previously certify the user ID. Although recertifying a user ID with a different certifier is allowed, it is not recommended that you do so using this procedure. In this case, you are renaming the user, which is a very complex process involving changes to ACLs for various databases, changes to lists of group members, and other related entries. Recertifying a user ID with a different certifier does not invoke the Administration Process, so all changes need to be made manually. To recertify a user with a different certifier ID, we recommend using the Rename tool, and requesting a move to a new certifier.

When you recertify an ID you can:

Provide a new expiration date for certificates about to expire
Add a new alternate name to the certifier ID
Change the minimum password quality

Types of IDs you can recertify

You can recertify any of the following types of IDs:

Organizational unit
Server
User
Organization certifier (when it is used to certify itself)

To recertify a certifier ID or a user ID

1. From the IBM® Lotus® Domino® Administrator, click Configuration.

2. From the tools pane, click Certification - Certify.

3. In the "Choose a Certifier" dialog box, make the following selections:

Field Action

Server Do one of these:

If you are using the Lotus Domino server-based CA, choose the server that is used to access the Domino Directory to look up the list of certifiers.
If you are supplying a certifier ID, select the server that is used to locate the list of certifiers so that the Certifier ID file can be updated with the latest set of certificates for itself and all of its ancestors. This is also the server on which CERTLOG.NSF is updated.

Supply certifier ID and password Choose the certifier ID that issued the original certificate. For example, to recertify the certifier ID for /Sales/NYC/ACME, choose the /NYC/ACME certifier ID, which is NYC.ID.

Click "Certifier ID" to select an ID other than the one displayed.
Enter the password for the certifier ID and click OK.
Note Although not recommended, you can choose a different certifier ID to recertify a user ID, instead of using the original certifying ID.

Use the CA process Choose this option to use the server-based certification authority (CA).

Select a CA-configured certifier from the list and click OK.

4. In the "Choose ID to Certify" box, select the certifier ID or user ID that you want to recertify. For example, to recertify Sales/NYC/ACME, choose SALES.ID.

5. Enter the password and click OK.

6. In the Certify ID dialog box, complete the following fields as necessary:

Field Enter

Current Server The registration server for the current certifier ID. (nonmodifiable)

Current certifier The name hierarchy of the certifier that issued the certificate. (nonmodifiable)

Expiration date (Optional) Specify a certifier ID expiration date other than the default two years from the current date.

Primary key Public half of the primary RSA key pair stored in the IBM® Lotus® Notes® ID file. This RSA key pair is used for electronic signatures on documents and certificates, and on mail encryption when both the sender and the recipient have a North American Notes license. This key pair is also used for network authentication. (nonmodifiable)

International key The public half of the international RSA key pair. This key pair is used for mail encryption when either the sender or recipient are running with an International Notes license. (nonmodifiable)

Subject name list Certifier ID(s) you are working with.

Add Click to add and certify an alternate name. Select the alternate language, country code (optional), and the organization identifier for the language.

Rename Rename the alternate name selected in the Subject name list. This button is not available when recertifying user Ids. This button is enabled only when alternate languages have been assigned.

Remove Removes the alternate name selected in the Subject name list.

Password quality Move the slider to change the level of complexity and variety of characters entered for the password.

7. Click Certify.

Adding an alternate language and name to a user ID

Certifier IDs and certificates

Recertifying a user ID

Recertifying or renaming user IDs by organization

Managing users

Glossary

Feedback on Help or Product Usability?

Help on Help

All Help Contents

Glossary

Field	Action
Server	Do one of these: If you are using the Lotus Domino server-based CA, choose the server that is used to access the Domino Directory to look up the list of certifiers. If you are supplying a certifier ID, select the server that is used to locate the list of certifiers so that the Certifier ID file can be updated with the latest set of certificates for itself and all of its ancestors. This is also the server on which CERTLOG.NSF is updated.
Supply certifier ID and password	Choose the certifier ID that issued the original certificate. For example, to recertify the certifier ID for /Sales/NYC/ACME, choose the /NYC/ACME certifier ID, which is NYC.ID. Click "Certifier ID" to select an ID other than the one displayed. Enter the password for the certifier ID and click OK. Note Although not recommended, you can choose a different certifier ID to recertify a user ID, instead of using the original certifying ID.
Use the CA process	Choose this option to use the server-based certification authority (CA). Select a CA-configured certifier from the list and click OK.

Field	Enter
Current Server	The registration server for the current certifier ID. (nonmodifiable)
Current certifier	The name hierarchy of the certifier that issued the certificate. (nonmodifiable)
Expiration date	(Optional) Specify a certifier ID expiration date other than the default two years from the current date.
Primary key	Public half of the primary RSA key pair stored in the IBM® Lotus® Notes® ID file. This RSA key pair is used for electronic signatures on documents and certificates, and on mail encryption when both the sender and the recipient have a North American Notes license. This key pair is also used for network authentication. (nonmodifiable)
International key	The public half of the international RSA key pair. This key pair is used for mail encryption when either the sender or recipient are running with an International Notes license. (nonmodifiable)
Subject name list	Certifier ID(s) you are working with.
Add	Click to add and certify an alternate name. Select the alternate language, country code (optional), and the organization identifier for the language.
Rename	Rename the alternate name selected in the Subject name list. This button is not available when recertifying user Ids. This button is enabled only when alternate languages have been assigned.
Remove	Removes the alternate name selected in the Subject name list.
Password quality	Move the slider to change the level of complexity and variety of characters entered for the password.