Adding an Internet certificate and cross-certificate for encrypted S/MIME messages

To send an S/MIME-encrypted message, the sender must have the recipient's Internet certificate in their Contacts, an HCL Domino® Directory, or LDAP directory. The sender must also have a cross-certificate issued for the recipient or for the certifier who issued the recipient's Internet certificate.

About this task

If a cross-certificate is issued for a recipient's Internet certificate, only messages to that recipient can be encrypted. If a cross-certificate is issued to the recipient's CA, users can send encrypted messages to all recipients who have certificates issued by that CA, if you have the recipients' Internet certificates. If the Internet certificate is stored in a Domino® Directory in another domain or in an LDAP directory, the directory needs to be accessible using directory assistance.


  1. The recipient must send an S/MIME signed message to you.
  2. When you open the signed message, HCL Notes® asks if you want to add a cross-certificate if you do not already have one issued for either the author or the CA who issued the certificate to the author. Complete these fields and then click Cross Certify.
    Table 1. Cross-Certificate Options
    Field Enter
    Certifier The certifier ID that is cross-certifying the certificate. By default, the certifier is your ID. If you have access, you can choose an ID that is higher in the hierarchical name scheme.
    Server The registration server that holds the cross-certificate that is created. By default, it is stored locally in your Contacts. Do not change this setting, since the cross-certificate must be stored in your Contacts in order to validate the Internet certificate of the person to whom you are sending an encrypted message.
    Subject name The certificate that is being cross-certified. You can choose to cross-certify the sender of the signed message or you can cross-certify the CA that issued the certificate to the sender. If a cross-certificate is issued to the sender of the signed message, you can encrypt messages to only that person. If a cross-certificate is issued to the sender's CA, you can send encrypted messages to anyone who has an Internet certificate issued by that CA and for whom you have an Internet certificate.
    Subject alternate name list Alternate names attached to the ID, if any.
    Expiration date The date that the cross-certificate expires.
  3. To add the author's Internet certificate to Contacts, choose More > Add Sender to Contacts. Notes® creates a Contact document for the person and adds an Internet certificate to the document.