You can create cross-certificates in the Domino® Directory for Internet certifiers and Notes® certifiers and then push the cross-certificates to the Contacts application on Notes clients. The cross-certificates are used to establish client trust of a certifier when accessing servers, reading encrypted S/MIME mail, or installing signed Notes client plug-ins. When you push cross-certificates, users are not required to create the cross-certificates themselves or retrieve them from the Domino Directory.
About this task
There are two ways to push certificates to the Contacts application: through customization of the Notes client installation media or through security policy settings. You can also push Internet certifiers to clients and enable users to create cross-certificates themselves. The security policy settings approach provides more flexibility because it allows you to more easily add, remove, or update certificates in Contacts after installation. For example, when you use security policy settings, if a certificate expires and you replace it with a new one in the Domino Directory, you can cross-certify the new certificate and add the cross-certificate to the policy to automatically push it to clients. Or, if you revoke trust of a certificate by deleting its cross-certificate from the Domino Directory, the cross-certificate is automatically deleted from Contacts.
Perform the following steps to push trusted certificates to clients:
Procedure
1. If you want to push trust of an Internet certifier, first import the certifier into the Domino Directory.
2. Create cross-certificates in the Domino Directory for any Internet and Notes certifiers that you want clients to trust.
3. Use one of the following methods to push certificates to clients' Contacts.

Creating an Internet cross-certificate in the Domino Directory from a certifier document
You can create a cross-certificate in the HCL Domino Directory for an Internet certificate. After completing this step, you can push the cross-certificate to HCL Notes clients to establish trust of the certifier on the clients.

Pushing certificates to clients through security policy settings
If you have created a cross-certificate in the Domino Directory for an Internet certifier or Notes certifier, you can use security policy settings to push it to Notes clients' Contacts. You can optionally push an Internet certifier too. Users can view the cross-certificate or certifier in Contacts but cannot edit or delete it.

How users can obtain trusted certificates manually
The copy of the CA's certificate is called a trusted root certificate. After obtaining the trusted root certificate and, if you are using a Notes client, an Internet cross-certificate for the root certificate, the client will trust the CA and, by extension, any certificates issued by this CA. If you are setting up server authentication for an Internet client, you add this trusted root to a local file. If you are setting up server authentication for a Notes client, you add this trusted root to a Domino Directory that users can access to generate a cross-certificate in their Contacts.
Related tasks
Importing an Internet certifier into the Domino Directory
Creating an Internet cross-certificate in the Domino Directory from a certifier document
Creating a cross-certificate from a Notes certifier
Customizing a Notes install kit to set certifier and trust defaults
Pushing certificates to clients through security policy settings