How users can obtain trusted certificates manually

The copy of the CA's certificate is called a trusted root certificate. After obtaining the trusted root certificate and (if you are using a Notes® client) an Internet cross-certificate for the root certificate, the client trusts the CA and, by extension, any certificates issued by this CA. If you are setting up server authentication for an Internet client, you add this trusted root to a local file. If you are setting up server authentication for a Notes® client, you add this trusted root to a Domino® Directory that users can access to generate a cross-certificate in their Contacts.

About this task

Notes® clients can also obtain a trusted root certificate and cross-certificate to gain access to the server; however, adding the trusted root certificate to the Domino® Directory simplifies the process of setting up server authentication for users.

Best practice is to push trusted certificates to Notes® clients' Contacts rather than having users take steps to obtain trusted certificates themselves.

Note: A user can accept certificates automatically, without having to obtain the roots or cross-certificates, by enabling the option Accept site certificates in the Location document for the Notes® client. However, accepting certificates from unknown servers is a security risk. A user who doesn't know the sources of the certificates being accepted may accept certificates from malicious sources.

To obtain a trusted root certificate for a Notes® client

Procedure

  1. Make sure that you have a trusted root certificate for the CA. In the Domino® Administrator, select Configuration > Certificates > Certificates, and view the certificate in the Internet Certifiers category.
  2. Instruct clients to retrieve an Internet cross-certificate through the User Security dialog box.

To obtain a trusted root certificate for an Internet client

About this task

You can obtain a trusted root certificate for an Internet client. If the trusted root certificate is for a Domino® CA, the Internet client performs these steps:

Procedure

  1. Browse to the Domino® Certificate Requests or Certificate Authority application.
  2. Select Accept This Authority In Your Browser.

Results

Note: If you use a TLS connection to browse to the application, the server prompts you to accept the site certificate. Check the CA properties to make sure that the certificate that is presented is from a source you trust before accepting the certificate as a trusted root.

If the trusted root certificate is for a third-party CA, the Internet client follows the third-party CA's established procedure to merge the trusted root certificate for the CA. If both the client and server have certificates issued from the CA or already have a CA in common, then this step is not necessary.
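
The check that the note above asks for can be scripted before a downloaded root is merged into a client's trust store. This is an added example, not part of the product documentation; it assumes the OpenSSL command-line tool, a PEM-encoded certificate file, and a SHA-256 fingerprint that the CA gave you over a separate channel. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: vet a candidate root certificate before trusting it.
# Usage: sh check_root.sh <cert.pem> <expected SHA-256 fingerprint>
# The expected fingerprint must come from the CA out of band (phone,
# signed mail, printed document), never from the site that served the file.

# Normalise a fingerprint: drop colons and spaces, upper-case the hex digits.
norm_fp() { printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'; }

# check_root_candidate (hypothetical name): prints "ok" and returns 0 only
# if every check passes; otherwise prints the first failure and returns 1.
check_root_candidate() {
    cert=$1; expected=$2
    # 1. The file must parse as an X.509 certificate.
    openssl x509 -in "$cert" -noout 2>/dev/null \
        || { echo "not a certificate"; return 1; }
    # 2. It must not already be expired (-checkend 0 exits non-zero if so).
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
        || { echo "expired"; return 1; }
    # 3. A root is self-signed: subject equals issuer and the signature
    #    verifies against the certificate's own public key.
    subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$iss" ] || { echo "not self-issued"; return 1; }
    openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1 \
        || { echo "bad self-signature"; return 1; }
    # 4. The basicConstraints extension must mark it as a CA.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' \
        || { echo "not a CA"; return 1; }
    # 5. The fingerprint must match the out-of-band value.
    actual=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 | sed 's/^.*=//')
    [ "$(norm_fp "$actual")" = "$(norm_fp "$expected")" ] \
        || { echo "fingerprint mismatch"; return 1; }
    echo "ok"
}

# Run the check when the script is called with both arguments.
if [ "$#" -eq 2 ]; then check_root_candidate "$1" "$2"; fi
```

Passing checks 1 to 4 only shows that the file is a well-formed root certificate; the fingerprint comparison in step 5 is what ties it to a source you trust.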