Our Domain was set up in year 2000 using R5, then upgraded in 2004 to 6.5 and runs now on 8.5.2. I’ve read about the new security features of the new version and thought it could be about time to upgrade key strength using the key rollover features. Unfortunately, after reading numerous sources of information, there are still questions open.
Our current configuration is as follows:
ID File      Remarks                  ID File encryption   Key strength
cert.id                               64bit RC2            512bit and 630bit
serverA.id   Admin Server             64bit RC2            512bit and 630bit
serverB.id   Secondary Server         64bit RC2            1024bit
user.id      about 10 user ids        64bit RC2            512bit and 630bit
idvault.id   created using cert.id    128bit AES           2048bit
- we do not have additional OU certifiers, we do not use CA process
- some custom templates replicate against a 6.5 Domino server (other domain, cross-certified on both ends using cert.id of both domains)
- we do not use encrypted e-mail
- communication between server/server and server/client is encrypted on server's request
- we use DAOS
Now, the questions:
1. Is Key Rollover on cert.id recommended and, if so, which key size should be used (concerning the ability to cross-certify with a 6.5 server)?
2. When rolling over the cert.id, do I have to recreate the vault.id as well, or will the ID file and especially the certificates for vault administrators and password reset authorities continue to work?
3. Does it make sense to roll over server and user IDs to a higher key strength only and leave the cert.id unmodified?
4. Do agents need to be re-signed by the user.id after the old user keypair invalidates after the grace period according to the policy settings?
5. Since we use SSL (keyring file) with HTTP, does a key rollup on the cert.id affect the functionality of the keyring file?
6. Are there other critical things to mention concerning key rollup?
7. What about DAOS - the files are encrypted with the server key, so will it continue to work after server.id and/or cert.id upgrade?
Any ideas and comments are welcome.