LDD Today


[back to "SSL client authentication: It's a matter of trust"]

Setting up client authentication using 4.6 (sidebar)
If you're an administrator, you can use the following steps to set up SSL client authentication using Domino 4.6.

Step 1. Add a Person document to the Public Address Book
Notes stores the client public key in the Person document in the Public Address Book. You need to add a Person document for the user if they don't already have one.

  1. Open the Public Address Book.
  2. Choose Create - Person and enter the person's first, middle, and last names in the First name, Middle initial, and Last names fields.
  3. Enter the user's common name on the certificate in the User name field. The common name must match the name the user enters when requesting the certificate. Domino uses the first name listed in the User name field when verifying names in database access control lists.

    If you already registered the person with Notes, the common name already exists in the User name field so you do not need to enter it again. Notes checks this field for a match when the user requests a client certificate.
  4. If you want, you can enter information about the user in the Work and Home sections.
  5. Save the document.

Step 2. The client requests the client certificate
You request the client certificate from the external CA's Web site. Using your browser, browse to the CA's Web site, for example, www.digitalid.verisign.com, and follow the instructions provided by the CA to obtain the certificate. Follow the steps below after the client merges the certificate into the browser.

If your clients are using Internet Explorer Release 3.02, make sure that an SSL connection is not required for the Certificate Authority database (File - Database - Properties, Force SSL connection). Otherwise, it is a good idea to require SSL to connect to this database, so transactions are encrypted over the network.

  1. Use a browser to open the Certificate Authority application.
  2. If you are using Netscape and you are connecting over SSL, the browser asks you whether you want to accept the site certificate. Follow the steps provided by your browser to accept the site certificate.
  3. Click "Register Browser Certificate in Address Book."

    Register a Browser Certificate form
  4. Enter your name, e-mail address, phone number, and any comments. This information is used on the request entered in the Certificate Authority application.
  5. Click Submit Certificate.

Your browser creates a request in the Certificate Authority application that contains your public key.

Step 3. The client merges the server's CA certificate as a trusted root
A trusted root lets you access any server that has a certificate issued from a specific CA. The trusted root is stored in the certificate database if you are using Netscape, or in the registry if you are using Internet Explorer. Users must obtain the certificate of the CA that issued the server certificate for the servers they want to access. The steps below are for merging a trusted root from a server that had its certificate issued from an internal CA. For steps on merging a trusted root from a server with a certificate issued from an external CA, see your external CA.

Again, if your clients are using Internet Explorer Release 3.02, make sure that an SSL connection is not required for the Certificate Authority database.

  1. Browse to the Certificate Authority database on the CA's Web site.
  2. If you are using Netscape, accept the site certificate into your browser using the instructions provided by the browser software. You might have already completed this step when requesting the client certificate.
  3. Click "Accept This Authority in Your Browser" and follow the steps provided by the browser software.

Step 4. Add the public key to the Public Address Book
Once the client submits the request, it appears in the Certificate Registration view in the Certificate Authority database. You must have the Administration Process running to add the client's public key to the Public Address Book.
  1. On the server machine from the administration panel, click System Databases and choose Open Domino Certificate Authority.
  2. Click "Certificate Registration."

    Certificate Authority application
  3. Open the request document.
  4. If you do not want to send an e-mail to the client indicating that you denied or accepted the request and the reason why you denied a request, deselect "Send a notification email to the requestor."
  5. If you do not want to approve the request, click Reject and enter a reason for rejecting the request. Otherwise, click Accept and click OK.

Step 5. Configure the Server document for client authentication
You need to configure the server that the users access so it requests the client certificate during the SSL handshake.
  1. From the administration panel after you choose the server to administer, choose Servers - Server View.
  2. Open the Server document for the server.
  3. Select the Internet Port and Security Configuration section.
  4. In the "SSL key file" field, enter the name of the key ring file that the server uses.
  5. In the column for the SSL protocol that you want to enable, select Enabled in the "SSL port status" field and, if necessary, change the SSL port number. For example, to enable SSL for the Domino Web server, select Enabled in the "SSL port status" field in the Web column.
  6. In the Internet Port and Security Configuration section in the column for the SSL protocol that you want to enable, select Yes in the Client certificate field.