TLS and S/MIME for clients

Clients can use a Domino® certificate authority (CA) application or a third-party CA to obtain certificates for secure TLS and S/MIME communication.

Authenticating clients and servers using TLS

Notes® and other Internet clients use the TLS protocol to encrypt data, authenticate server identity and, optionally, authenticate client identity when a Notes® or other Internet client connects to an Internet server -- for example, a Web server or an LDAP server.

On the server, TLS is set up on a protocol-by-protocol basis. You can enable TLS on all protocols or enable TLS on some protocols but not others. For example, you can enable TLS on mail protocols (IMAP, POP3, SMTP) and disable it for HTTP.

Server authentication lets clients verify the identity of the server to which they are connecting, to make sure that another server is not posing as the server they want to access.

Client certificate authentication lets server administrators identify the client accessing the server and control access to applications based on that identity. For example, if you want Alan Jones to have Editor access to a database and all others accessing the database to have no access, you can set up the application database ACL to include Alan Jones as an Editor and Anonymous as No Access.

Notes® and other Internet clients that use client certificate authentication have an Internet certificate, stored in the Notes® ID file for the Notes® client and in a local file for other Internet clients. The certificate includes a public key, a name, an expiration date, and a digital signature. The corresponding private key is also stored in the ID file, separately from the certificate. For Notes® clients, the client certificate is also stored in the Domino® Directory so that others can access the public key.

Notes® and Internet clients can obtain Internet certificates from either a Domino® certification authority or a third-party certifier.

How you set up the client depends on whether the server requires client certificate authentication.

As an administrator, you should carefully consider whether you want to require client certificate authentication. If you do not need to identify Internet users who access the server, you do not need to set up client authentication. In fact, in some cases, requiring an Internet certificate may deter users from accessing a server -- for example, a server that hosts a Web site. If you require an Internet certificate, users need to perform additional steps to obtain the certificate and set up client certificate authentication.

Note: By enabling the setting Accept TLS Site Certificates in the Location document, the Notes® client can ignore cross-certificates and server authentication entirely. The user can also choose to create cross-certificates on the fly when connecting to a server using TLS.

Securing messages with S/MIME

S/MIME is a protocol that clients use to sign mail messages and to send encrypted mail messages over the Internet to users of mail applications that also support S/MIME -- for example, Microsoft Outlook Express®. To encrypt a message, the Notes® client uses the public key stored in the recipient's Internet certificate, which it looks up in Contacts, the Domino® Directory, or an LDAP directory.

Encrypted mail messages cannot be read by unauthorized users while the message is in transit. Electronically signed messages show that the person who signed the message had access to the private key associated with the certificate stored in the signature.
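The signing and encryption described above, carried out with the openssl command line as an added example that is not part of this documentation or of the Domino product: it builds a constructed certifier and user certificate, signs a message, verifies it, shows that a copy altered in transit fails verification, and encrypts the message to the certificate's public key. All names, file paths and the message text are constructed for the demonstration, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example, not HCL Domino code: S/MIME sign, verify and encrypt with the
# openssl CLI. A valid signature shows the signer held the private key behind the
# certificate, and any change to the signed text makes verification fail.
# Assumes openssl is installed; every key, certificate and message is constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A self-signed certifier standing in for a Domino CA or a third-party CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Internet CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
# The user's key pair and a certificate issued by that CA: public key, name,
# expiry date and the CA's signature. The private key stays in its own file.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Alan Jones/emailAddress=ajones@example.com" \
  -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
printf 'keyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=emailProtection\n' > "$WORK/user.ext"
openssl x509 -req -days 1 -in "$WORK/user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -extfile "$WORK/user.ext" -out "$WORK/user.crt" 2>/dev/null

# Sign a constructed message. The output is multipart/signed: readable text first,
# detached PKCS#7 signature second, so the text can be altered but not re-signed.
printf 'Approve the Q3 budget.\n' > "$WORK/msg.txt"
openssl cms -sign -text -in "$WORK/msg.txt" -signer "$WORK/user.crt" \
  -inkey "$WORK/user.key" -out "$WORK/signed.eml" 2>/dev/null
# Encrypt the same text to the user's public key, as a Notes client does with the
# certificate it finds in Contacts, the Domino Directory or an LDAP directory.
openssl cms -encrypt -in "$WORK/msg.txt" -out "$WORK/encrypted.eml" "$WORK/user.crt" 2>/dev/null
# A copy altered in transit: the text part changes, the signature does not.
sed 's/Approve/Reject/' "$WORK/signed.eml" > "$WORK/tampered.eml"

# verify_message FILE: prints "VALID: <body>" and returns 0 only when the signature
# matches the text and the signer certificate chains to the trusted CA.
verify_message() {
  if openssl cms -verify -text -in "$1" -CAfile "$WORK/ca.crt" -out "$WORK/body.txt" 2>/dev/null; then
    echo "VALID: $(tr -d '\r' < "$WORK/body.txt")"
  else
    echo "INVALID: text changed after signing, or signer not trusted"
    return 1
  fi
}
# decrypt_message FILE: only the holder of the private key can recover the text.
decrypt_message() {
  openssl cms -decrypt -in "$1" -recip "$WORK/user.crt" -inkey "$WORK/user.key" 2>/dev/null | tr -d '\r'
}

verify_message "$WORK/signed.eml"
verify_message "$WORK/tampered.eml" || true
echo "decrypted: $(decrypt_message "$WORK/encrypted.eml")"
```

The verification exit status, not the recovered text, is what decides whether a message is trusted: openssl writes the text part out before it finishes checking the signature, which is why verify_message only echoes the body on success.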