
A CA Process learning experience

Tags: Lotus Domino CA Process

The other day I found out that once you have migrated your certifier to the CA Process and later performed a certifier key rollover, you might as well throw out those old backup copies of your certifier id.

This is how I got to this 'revelation'.

First I registered a new server using the CA process on the existing server that holds the CA. I then copied the id over to the new box and fired up the remote installer.
At the end of the Remote Server Setup wizard, when it was time to actually do something useful, it threw an error complaining that the server id had not been signed yet.

Since that didn't work, I decided to re-create the server id using the local copy of the certifier id.
I copied the id over to the new server and ran the Remote Server Setup wizard once more; this time it complained that the public key did not match the key in the id. This is because the public key in the backup copy of the certifier id file does not match the public key of the certifier as stored in the Domino Directory (it changed when the certifier key was rolled over).

Workaround: before copying the server id created through the CA to the new server, first switch to that id using your client. This will update the signatures in the id file.

This is also described in this R8 Forum thread, with a reply that refers to SPR JEDS7AUQS5.