You can use several methods to obtain an HCL Notes® or Internet cross-certificate.
Accessing a server
If a user attempts to access a server in a different organization, and the user does not already have a cross-certificate issued to that server or one of its ancestors, a dialog box gives the recipient the option to add the cross-certificate "on demand." Users can add a Notes cross-certificate this way. This is usually the quickest and easiest way for a user to obtain a cross-certificate.
Receiving a signed mail message
If a user receives a signed mail message from a user in a different organization and the recipient does not already have a cross-certificate issued to that server or one of its ancestors, the "on demand" cross-certificate dialog box appears. Users can add both Notes and Internet cross-certificates this way.
Adding a cross-certificate from the Domino Directory
Users can retrieve Internet certificates and Notes and Internet cross-certificates from the HCL Domino® Directory on their home/mail server, and add them to their Contacts. Domino administrators can use any method to add the Internet certificates and Notes and Internet cross-certificates to the Domino Directory; however, the cross-certificates must be issued by a common ancestor before Notes copies the cross-certificates to the user's Contacts.
By Notes mail or postal service
Users can add a cross-certificate by sending a safe copy of the certificate through Notes mail or the postal service. Users can use this method to add a Notes cross-certificate only.
From an Internet server
Users can obtain an Internet cross-certificate through the User Security panel (File -> Security -> User Security). Users choose Identity of Others -> People, Services, and then click Retrieve Internet Service Certificate. A dialog box allows the user to specify an Internet server from which to obtain a certificate to cross-certify. This method can be the quickest way to obtain an Internet cross-certificate.
By phone
Users can add a cross-certificate by providing the name and public key of the certificate by phone. Users can use this method to add a Notes certificate only.
In the Person document
Users can cross-certify a certificate stored in a Person document in the Domino Directory using Actions -> Create Cross Certificate. Users can add both Internet and Notes cross-certificates this way.
From a trusted root certificate
Users can create an Internet cross-certificate from a trusted root certificate if one is present in Contacts or the Domino Directory. Notes and Domino provide many default trusted root certificates for third-party CAs in Contacts and the Domino Directory. To indicate trust for these CAs, create a cross-certificate using the trusted root. You can also add a trusted root certificate for other CAs that are not included by default and create cross-certificates for them.
Adding a Notes or Internet cross-certificate on demand
When users access a server or receive a signed message, they can accept an HCL Notes or Internet cross-certificate from another organization. HCL Domino adds the cross-certificate to the user's Contacts. Then the next time the user tries to access the server, the user can authenticate the server with that cross-certificate. Similarly, the user can use the cross-certificate to verify signed messages from the organization that was cross-certified.
Adding a Notes cross-certificate by phone
Two organizations can add an HCL Notes cross-certificate to user, server, and certifier IDs by providing the name and public key of the IDs to be cross-certified over the phone. For cross-certification to work, these steps must be carried out twice, with each organization alternately requesting cross-certification.
Adding a Notes cross-certificate for IDs by postal service
Organizations that cannot communicate through HCL Notes mail can use these steps to add a Notes cross-certificate for user, server, and certifier IDs. For cross-certification to work, these steps must be carried out twice, with each organization alternately requesting cross-certification. You cannot use these procedures to create an Internet cross-certificate.
Adding a Notes cross-certificate for IDs by Notes mail
If you can route mail to the organization that will cross-certify a user, server, or certifier ID, you can use HCL Notes mail to add a Notes cross-certificate. For cross-certification to work, these steps must be carried out twice, with each organization alternately requesting cross-certification. You cannot use these procedures to create an Internet cross-certificate.
Creating a cross-certificate from a user's Person document
You can create an HCL Notes and/or Internet cross-certificate from a certificate stored in a user's Person document.
Creating a cross-certificate from a Notes certifier
You can create an HCL Notes cross-certificate in the HCL Domino Directory from a Notes certifier. You can then push the cross-certificate to Notes user contacts.
Displaying cross-certificates
You can view the types of cross-certificates available. Certificates whose type cannot be determined are listed as Unknown.