HCL Notes/Domino 8.5 Forum (includes Notes Traveler)

Subject: Key Rollover - best practice / problems?
Feedback Type: Question
Product Area: Security
Technical Area: Administration
Platform: Windows
Release: 8.5.2
Reproducible: Not applicable


Our domain was set up in the year 2000 using R5, then upgraded in 2004 to 6.5, and now runs on 8.5.2. I've read about the new security features of the new version and thought it could be about time to upgrade key strength using the key rollover features. Unfortunately, after reading numerous sources of information, there are still questions open.

Our current configuration is as follows:
ID File      Remarks                  ID File encryption   Key strength
cert.id      -                        64bit RC2            512bit and 630bit
serverA.id   Admin Server             64bit RC2            512bit and 630bit
serverB.id   Secondary Server         64bit RC2            1024bit
user.id      about 10 user ids        64bit RC2            512bit and 630bit
idvault.id   created using cert.id    128bit AES           2048bit
  • we do not have additional OU certifiers, and we do not use the CA process
  • some custom templates replicate against a 6.5 Domino server (other domain, cross-certified on both ends using the cert.id of both domains)
  • we do not use encrypted e-mail
  • communication between server/server and server/client is encrypted on the server's request
  • we use DAOS

Now, the questions:
  1. Is key rollover on cert.id recommended, and if so, which key size should be used (concerning the ability to cross-certify with a 6.5 server)?
  2. When rolling over the cert.id, do I have to recreate the vault.id as well, or will the ID file, and especially the certificates for vault administrators and password reset authorities, continue to work?
  3. Does it make sense to roll over server and user IDs to a higher key strength only and leave the cert.id unmodified?
  4. Do agents need to be re-signed by the user.id after the old user keypair invalidates after the grace period according to the policy settings?
  5. Since we use SSL (keyring file) with HTTP, does a key rollup on the cert.id affect the functionality of the keyring file?
  6. Are there other critical things to mention concerning key rollup?
  7. What about DAOS: the files are encrypted with the server key, so will it continue to work after a server.id and/or cert.id upgrade?

Any ideas and comments are welcome.


Feedback number DKOH88VBVF created by ~Ben Chuwechekoni on 09/01/2010

Status: Open
Comments: