SECURING


Adding cross-certificates to the Domino Directory or Contacts

You can use several methods to obtain an HCL Notes® or Internet cross-certificate.

Accessing a server

If a user attempts to access a server in a different organization, and the user does not already have a cross-certificate issued to that server or one of its ancestors, a dialog box gives the recipient the option to add the cross-certificate "on demand." Users can add a Notes cross-certificate this way. This is usually the quickest and easiest way for a user to obtain a cross-certificate.

Receiving a signed mail message

If a user receives a signed mail message from a user in a different organization and the recipient does not already have a cross-certificate issued to that server or one of its ancestors, the "on demand" cross-certificate dialog box appears. Users can add both Notes and Internet cross-certificates this way.

Adding a cross-certificate from the Domino Directory

Users can retrieve Internet certificates and Notes and Internet cross-certificates from the HCL Domino® Directory on their home/mail server, and add them to their Contacts. Domino administrators can use any method to add the Internet certificates and Notes and Internet cross-certificates to the Domino Directory; however, the cross-certificates must be issued by a common ancestor before Notes copies the cross-certificates to the user's Contacts.

By Notes mail or postal service

Users can add a cross-certificate by sending a safe copy of the certificate through Notes mail or the postal service. Users can use this method to add a Notes cross-certificate only.

From an Internet server

Users can obtain an Internet cross-certificate through the User Security panel (File -> Security -> User Security). Users would choose Identity of Others -> People, Services, and click Retrieve Internet Service Certificate. A dialog box allows the user to specify an Internet server from which to obtain a certificate to cross-certify. This method can be the quickest way to obtain an Internet cross-certificate.

By phone

Users can add a cross-certificate by providing the name and public key of the certificate by phone. Users can use this method to add a Notes certificate only.

In the Person document

Users can cross-certify a certificate stored in a Person document in the Domino Directory using Actions -> Create Cross Certificate. Users can add both Internet and Notes cross-certificates this way.

From a trusted root certificate

Users can create an Internet cross-certificate from a trusted root certificate if you have a trusted root certificate in Contacts or Domino Directory. Notes and Domino provide in Contacts and the Domino Directory many default trusted root certificates for third-party CAs. To indicate trust for these CAs, create a cross-certificate using the trusted root. You can also add a trusted root certificate for other CAs that are not included by default and create cross-certificates for them.


Parent topic: Domino server and Notes user IDs

Related concepts
Using cross-certificates to access servers and send secure S/MIME messages

Related tasks
Adding a Notes or Internet cross-certificate on demand
Adding a Notes cross-certificate for IDs by Notes mail
Adding a Notes cross-certificate for IDs by postal service
Adding a Notes cross-certificate by phone
Creating a cross-certificate from a user's Person document
Creating a cross-certificate from a Notes certifier
Adding an Internet certificate and cross-certificate for encrypted S/MIME messages

Related reference
Examples of cross-certification