Every Notes® user ID and Domino® server ID has a unique public key for the Notes certificate. The public key is stored in an ID file and in the Person or Server document for that ID in the Domino Directory. Notes and Domino use the public key to authenticate users and servers, verify digital signatures, and encrypt messages and databases. A Notes user ID can also have a unique public key for an Internet certificate.

Issuing new public keys for a Notes certificate

If you suspect that an ID has been compromised because it was lost, stolen, or copied without permission, you can create a new public key for the ID. Creating a new public key allows you to maintain other parts of the ID -- for example, the encryption keys -- rather than create an entirely new ID, so that users can still use their old keys to decrypt encrypted email.

Notes users can create a new public key for the Notes certificate. The new public key must be certified before it can be used by Notes.

After certifying a new public key, you should set up servers to verify public keys. Public key verification involves matching the public key stored in the Domino Directory with the public key on the ID. Verifying public keys prevents an unauthorized user from using the ID with the original public key to access the server.

Note: This is done in addition to the key verification done by validating the certificate presented by the user during authentication.

Adding an existing Notes public key

When you register a user or server, Domino automatically adds the Notes public keys to the corresponding Person or Server document. However, you may need to manually add a user or server ID's public key in these situations:

• A user wants to send encrypted mail to a Notes user in another domain. To send Notes encrypted mail, Domino must be able to access the recipient's Notes public key in the Contacts, Domino Directory, or LDAP directory. If the recipient is in another domain and the Domino Directory or LDAP directory for that domain is not accessible by directory assistance, then Domino can't access the recipient's public key for encryption. The sender must obtain the recipient's public key and add it to the Contacts or a Domino Directory that is set up with directory assistance. An administrator might also want to set up directory assistance for the Domino Directory or LDAP directory so users can encrypt messages to all users in the directories.
• A user or server ID's public key in the Domino Directory becomes corrupted or is accidentally deleted, and the administrator needs to replace it.

  Creating a new Notes public key and adding it to the Domino Directory
  The process for creating a new HCL Notes public key differs, depending on which version of HCL Domino you use.

  Adding a Notes public key to the Domino Directory
  You can copy an HCL Notes public key to a file or mail it to a user or administrator who pastes the public key into a user's Contacts or an HCL Domino Directory that users can access. This lets users encrypt mail sent to a user in another organization or replace a missing or corrupted key in the Domino Directory.

Related concepts
Encryption
Electronic signatures
SSL and S/MIME for clients
Certificates

Related tasks
Creating a Directory Assistance document for a remote LDAP directory
Adding a Notes public key to the Domino Directory
Scheduling replication of the Domino Directory

Help on Help

All Help Contents

Help on Help