Creating an Internet cross-certificate for a CA

Before an IBM® Domino® client can authenticate servers or send secure S/MIME messages, the client must first create a cross-certificate for the CA server and store it in Contacts. This allows the IBM® Notes® client to trust servers or clients that have certificates issued by that CA.

About this task

The client uses a trusted root certificate to create the cross-certificate. Once the cross-certificate is created, the client no longer needs the trusted root certificate.

SSL server authentication for Internet clients other than Notes does not require a cross-certificate.

A Notes client can also create a cross-certificate for a server or client; however, this allows the Notes client to trust only that server or client. The Notes client does not then trust other servers and clients with certificates issued by a CA.

Note: Best practice is to push trusted cross-certificates to Notes clients' Contacts rather than having users retrieve them from the Domino Directory themselves.


  1. Make sure the CA created a trusted root certificate in the Domino Directory.
  2. Instruct clients to retrieve an Internet cross-certificate through the User Security dialog box.


Notes users can view the Internet cross-certificates contained in Contacts. For information on how Notes users can see and retrieve their Internet cross-certificates, see Notes Help.