Error when setting up new Certificate Authority

03 Troubleshooting

Client
Error when setting up new Certificate Authority

When an administrator tries to set up a new Certificate Authority (CertCA) database from the CCA50.NTF template, the error "You are not authorized to perform that operation" appears.

This error occurs because of settings in the ACL of the CCA50.NTF template. In order to create a new database from CCA50.NTF, the user creating the database must be assigned the [CAPrivlegedUser] role either individually or as part of a group.

By default, the -Default- entry in the ACL of CCA50.NTF is set to "Reader" and assigned the [CAPrivlegedUser] role. When you create a new CertCA database from this template, normally you are accessing the template via the -Default- entry. As a result, you have "Reader" access to the template and you have the privileges assigned to the [CAPrivlegedUser] role, which allows you to create the CertCA database. However, if you're listed in the ACL as a person or as part of a group (for example, in a group called Administrators) that isn't assigned the [CAPrivlegedUser] role, then you can't create the database.

Here are two examples of when this situation is likely to occur:

You modify the CCA50.NTF template and add the name of the administrator, or the Administrators group, to the template's ACL without assigning the [CAPrivlegedUser] role. When you use the CCA50.NTF template to create the CertCA database, you'll be granted access via the Administrators group entry, rather than the -Default- entry.
You set up the first Domino server in your organization and then let the set up program automatically:
Note: The option to automatically complete these steps after setting up your first server is a new feature in Release 5.

In this case, since one of the templates affected is the CCA50.NTF, all databases created from that template will automatically have an ACL with an Administrators entry. By default, the Administrators group doesn't have the [CAPrivlegedUser] role assigned to it. Anyone included in the group called Administrators won't be allowed to create a database using the CCA50.NTF because that group doesn't have the appropriate access to do so.

Workaround

2. Choose File->Database->Access control.

3. Select the user name or group who you want to be able to create the CertCA database and assign the entry the [CAPrivlegedUser] role.

4. Click OK to save the changes to the ACL.

The person or group you chose in Step 3 should now be able to create a CertCA database.