Adding a Notes® or Internet cross-certificate on demand

When users access a server or receive a signed message, they can accept an HCL Notes® or Internet cross-certificate from another organization. HCL Domino® adds the cross-certificate to the user's Contacts. Then the next time the user tries to access the server, the user can authenticate the server with that cross-certificate. Similarly, the user can use the cross-certificate to verify signed messages from the organization that was cross certified.

About this task

You cannot add an Internet cross-certificate on demand if a user's Internet certificate already exists in an LDAP directory.

To add a cross-certificate on demand

Procedure

  1. Using a Notes® workstation, attempt to access a server in an organization with which you are not cross-certified or open a signed message whose signature you do not trust.
  2. If you attempted to access a server, select Advanced Options when Domino® displays this message:
    Your local Domino Directory does not contain a cross-certificate for this organization.
    Would you like to suppress this warning in the future by creating a cross-certificate for this organization in your Name and Address Book?
  3. To avoid the possibility of cross-certifying an impostor, call someone trustworthy from the named organization and ask the person to tell you the organization's public key. Compare it to the key displayed in the Advanced Options dialog box.
  4. Complete these fields:
    Table 1. Cross-certification Fields

    Field

    Enter

    Certifier

    File name of a user, server, or certifier ID. Specify a server or certifier ID when creating a cross-certificate for a server. The ID specified indicates who can use the cross-certificate.

    Server

    Location of the Contacts or Domino® Directory where you want to copy the cross-certificate. Add the cross-certificate to Contacts for Notes® clients.

    Subject name

    Organization or organizational unit certifier that you want to cross-certify, for example, /Renovations. You can also create a cross-certificate for the owner of the certificate.

    Subject alternate name list

    An alternate name that identifies the subject. Alternate names allow you to assign more than one name to an ID, which is recognizable in a user's native language.

    Expiration date

    Date when the cross-certificate will expire.

  5. Click Cross Certify. Domino® places the cross-certificate in the Server > Certificates view of the Domino® Directory of the server you specified in Step 4 or in the Advanced > Certificates view of Contacts.