SECURING
You can add two Internet certificates to your Notes® ID file and then use one certificate for S/MIME encryption and another for S/MIME signatures and TLS client authentication. Doing so lets you maintain separate public and private key pairs for encryption and electronic signatures and TLS client authentication.
Adding multiple certificates
To add multiple Internet certificates to your Notes ID file when the certificates are issued by different CAs, follow the procedure provided by the CA. If the Internet certificates you want to add are issued by the same CA, add one of the certificates by following the CA's procedure and add the second certificate by importing it into the ID file. If you try to add multiple Internet certificates issued by the same CA and you do not import the certificate, Notes uses the last certificate added to the ID file for S/MIME encryption and signatures.
For information on importing certificates, see Notes help.
Specifying the default signing certificate
Once the Internet certificates are added to the ID file, you can specify a default certificate to use for S/MIME signatures. You specify this certificate in the User Security dialog box. If the Internet certificate you select is used for both signatures and encryption, then Notes uses this certificate as the default for signatures and encryption. Otherwise, Notes uses the Internet certificate you specify for signatures and the last Internet certificate added to the Notes ID file for encryption. The default signing certificate is also the certificate used for TLS client authentication.
For information on specifying a default signing certificate, see Notes help.
Adding an Internet certificate to Contacts
If you send a signed message and you have two different certificates for signatures and encryption, Notes sends the recipient the default Internet certificates used for encryption and signatures. When the recipient chooses Tools -> Add Sender to Contacts, Notes adds a Contact document and adds the Internet certificates for encryption and signatures to the Contact document. When you send an encrypted message, Notes extracts only the Internet certificate for encryption from the Contact document.
Adding a cross-certificate on demand
When a recipient receives a signed message, Notes checks Contacts for a cross-certificate that indicates that the signing certificate included with the message is trusted. If the cross-certificate is not present, Notes displays a dialog box that allows the recipient to cross-certify "on demand." You can create a cross-certificate to either the leaf certificate or to the CA. Creating a cross-certificate to a leaf certificate indicates trust for only the owner of the certificate, in this case the sender of the signed message. A cross-certificate to a CA indicates trust for all people who have a certificate issued by that CA.
When you cross-certify on demand, Notes creates a cross-certificate for the signing certificate, but does not create a cross-certificate for the encryption certificate. However, if the signing and encryption certificates are issued from the same CA and you create a cross-certificate for the CA, the cross-certificate created for the signing certificate can also be used to validate the encryption certificate. If the signing and encryption certificates are issued from different CAs, then you must create a cross-certificate for the CA that issued the encryption certificate before you can send an encrypted message.
Parent topic: Setting up Notes clients for S/MIME
Related tasks Adding an Internet certificate and cross-certificate for encrypted S/MIME messages Creating Internet certificates for Notes S/MIME clients