Looking at a recertification nightmare

KarenOConnor
Our PAB and many of our Administrator functions are the responsibility of a group at our head office. On the admin side, I can set up new users and look after upgrading software etc., but have little experience with more complicated administration issues. This past summer we discovered that no one, meaning no one at our head office, had a password for our server certificate. Head office created a new server ID and we went through a moderately painful few weeks of issuing cross certificates etc. Last week I tried to set up a new user, and first got a "signature on the certificate is invalid" error, then after some wrangling by the administrator, we got a "public key does not match the one certified" error when setting up the client on the user's desktop. Thankfully we were able to give the user access via iNotes, and it is sufficient for this particular user. However, we cannot rely on iNotes as a permanent solution. Now head office is saying that the solution is for us to create new server and user certificates and recertify everyone/everything! I have asked them repeatedly what the ramifications of doing this are, but they have had no experience with doing anything like this on an established group.
We have just under 100 users, but we use Notes heavily for documentation and non-conformance handling for ISO standard compliance (we have just over 20G of info on 60 interrelated databases). Our server is at release 5.08 and all of our users are currently at Pre-Release 1 or 2.

I have four questions:
1) What can I do ahead of time to ensure the recertification process is as seamless as possible for our users?
2) What should I be checking on the numerous non-mail databases?
3) The user cert we had before was created when we first started using Notes in 1997 and had few features, e.g. no password recovery. Is there an optimal certificate format?
4) Now that Notes6 is available I would like to take the opportunity to upgrade the servers and users at the same time as we recertify everyone. Kind of a ripping the bandage off fast theory - short duration pain vs. long drawn out pain and user irritation. Is this too much to do at one time?
Top Expert 2007
Commented:
1) Users will not be able to read encrypted mail in their old mail DBs. If you plan on really starting from scratch, this does not matter.

2) Non-mail DBs will only need to have new ACLs set, unless there is other built-in security that checks specific names or groups.

3) Use the latest and greatest, since managing it should be simplest. Do not use a FLAT domain; use at least a single hierarchy.

4) Go for IT.
Read the Notes deployment stuff.
Export the User info and then do a Mass certification from a file.
Test this first on a small group of users.

I hope this helps!

Author

Commented:
Wow - thanks for the fast response!!! You know I've posted this same question on the LDD site and searchDomino site and got nothing. This is exactly what I needed.
