LDD Today


[back to "SSL client authentication: It's a matter of trust"]

Setting up client authentication using 4.6.1 (sidebar)
If you're an administrator, you can use the following steps to set up SSL client authentication using Domino 4.6.1.

Step 1. Add a Person document to the Public Address Book
Notes stores the client public key in the Person document in the Public Address Book. You need to add a Person document for the user if they don't already have one. In 4.6.1, you will not be able to approve the certificate request until you add this document.

  1. Open the Public Address Book.
  2. Choose Create - Person and enter the person's first, middle, and last names in the First name, Middle initial, and Last name fields.
  3. In the User name field, enter the common name that will appear on the user's certificate. The common name must match the name the user enters when requesting the certificate. Domino uses the first name listed in the User name field when verifying names in database access control lists.

    If you already registered the person with Notes, the common name already exists in the User name field so you do not need to enter it again. Notes checks this field for a match when the user requests a client certificate.
  4. If you want, you can enter information about the user in the Work and Home sections.
  5. Save the document.

Step 2. The client requests the client certificate
These are the steps that the client must complete to send a request for a certificate to an internal CA. If you have clients using Internet Explorer Release 3.02, you must make sure that an SSL connection is not required for the Certificate Authority database (the "Force SSL connection" option under File - Database - Properties). Otherwise, it is a good idea to require SSL for connections to this database, so that transactions are encrypted over the network.
  1. Using a browser, access the Certificate Authority application, for example, www.acme.com/certca.nsf.
  2. If you are using Netscape and you are connecting over SSL, the browser asks you whether you want to accept the site certificate. Follow the steps provided by your browser to accept the site certificate.
  3. Click Request Client Certificate in the left pane.

    (Figure: Request a Client Certificate form)
  4. Enter your name and organizational information. This is the information that appears on your client certificate.
  5. Enter any additional contact information that you want to send to the CA.
  6. If you are using Netscape Navigator, enter the key size to use when the browser creates the public and private key pair. The larger the number, the stronger the encryption.
  7. Click Submit Certificate Request to send the request to the CA.

Your browser generates the public-private key pair, stores the keys in your browser, and creates a request containing your public key in the Certificate Authority application.

Step 3. The client merges the server's CA certificate as a trusted root
A trusted root lets you access any server that has a certificate issued from a specific CA. The trusted root is stored in the certificate database if you are using Netscape, or in the registry if you are using Internet Explorer. Users must obtain the certificate of the CA that issued the server certificate for the servers they want to access.

Again, if your clients are using Internet Explorer Release 3.02, make sure that an SSL connection is not required for the Certificate Authority database.

  1. Browse to the Certificate Authority database on the CA's Web site.
  2. If you are using Netscape, accept the site certificate into your browser using the instructions provided by the browser software. You might have already completed this step when requesting the client certificate.
  3. Click "Accept This Authority in Your Browser" and follow the steps provided by the browser software.

Step 4. Approve the request and add the public key to the Public Address Book
Once the client submits the request, it appears in the Client Certificate Requests view in the Certificate Authority database. You must have the Administration Process running to add the client certificate to the Public Address Book.
  1. From the administration panel, click System Databases and choose Open Domino Certificate Authority.
  2. Click "Client Certificate Requests" in the left pane.

    (Figure: Certificate Authority application)
  3. Open the request you want to sign.
  4. Review the user information and distinguished name. Make sure the information provided complies with your organization's security policy.
  5. Leave the option "Register certificate in the Public Address Book" selected to add the client's public key automatically to the Person document.
  6. If you do not want to approve the certificate, do the following. (Otherwise, proceed to the next step.)
    • Enter a reason for the denied request.
    • If you do not want to send the person e-mail, deselect "Send a notification email to the requestor"; otherwise, Domino sends the person e-mail indicating that you denied the request and the reason you gave.
    • Click Deny. You do not have to complete the remaining steps.
  7. If you want to approve the certificate, enter a validity period. For short-term projects, 90 days is typical; for ongoing projects, you can enter several years.
  8. You probably want to send the user mail indicating that the request has been approved, so make sure you select "Send a notification email to the requestor." The e-mail includes a URL indicating the location where the user can pick up the certificate.
  9. Click Approve and enter the password for the CA key ring file.

Step 5. The client merges the approved certificate
After you approve the client's request, the client needs to merge the signed certificate into the browser. The client completes the following steps.
  1. If the CA's notification e-mail gave you a URL for picking up the certificate in the Certificate Authority database, browse to that URL.
  2. If necessary, obtain the pickup ID from the CA and do the following:
    • Open the Certificate Authority database with a browser.
    • Click "Pick Up Client Certificate."
    • Enter the pickup ID and click "Pick Up Signed Certificate."
  3. Review the information on your certificate and click Accept Certificate. Then, follow the steps provided by the browser software.

Step 6. Configure the Server document for client authentication
You need to configure the server that the users will access so it requests the client certificate during the SSL handshake.
  1. From the administration panel after you choose the server to administer, choose Servers - Server View.
  2. Open the Server document for the server.
  3. Select the Internet Port and Security Configuration section.
  4. In the "SSL key file" field, enter the name of the key ring file that the server uses.
  5. In the column for the SSL protocol that you want to enable, select Enabled in the "SSL port status" field and, if necessary, change the SSL port number. For example, to enable SSL for the Domino Web server, select Enabled in the "SSL port status" field in the Web column.
  6. In the Internet Port and Security Configuration section, in the column for the SSL protocol that you want to enable, select Yes in the Client certificate field.
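The trust decisions behind Steps 2 through 6 can be modelled in code. The following Go program is an added illustration, not part of this article or of Domino: the Public Address Book is a constructed in-memory map of Person documents, the CA key ring is a self-signed Ed25519 root, the browser's request is modelled as a common name plus public key, and the names "Acme CA" and "Jane Doe" are constructed sample values. The approval gate denies any request whose common name has no matching User name field, signs for the administrator's validity period, and the server side accepts only certificates that chain to the trusted root before handing the common name on for ACL matching.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed stand-in for Person documents: common name -> "User name" field (Domino matches the first value).
var addressBook = map[string][]string{"Jane Doe": {"Jane Doe", "jdoe"}}

// newCA stands in for the CA key ring: the self-signed root that clients merge as trusted (Step 3).
func newCA() (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Acme CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().AddDate(5, 0, 0)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	ca, _ := x509.ParseCertificate(der)
	return ca, priv
}

// approve is Step 4: deny unless the requested common name matches a Person document, else sign for validDays.
func approve(ca *x509.Certificate, caKey ed25519.PrivateKey, cn string, pub ed25519.PublicKey, validDays int) ([]byte, error) {
	if names := addressBook[cn]; len(names) == 0 || names[0] != cn {
		return nil, fmt.Errorf("denied: no Person document with User name %q", cn)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(0, 0, validDays), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
}

// serverCheck is Step 6: accept only certificates that chain to the trusted root; Domino matches the returned name against the ACL.
func serverCheck(ca *x509.Certificate, certDER []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	cert, err := x509.ParseCertificate(certDER)
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	}
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}
```

A certificate issued by a different root with the same common name fails serverCheck, which is why a user's browser should only merge the trusted root that your own CA publishes.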