Dual Internet certificates for S/MIME encryption and signatures

You can add two Internet certificates to your Notes® ID file and then use one certificate for S/MIME encryption and another for S/MIME signatures and SSL client authentication. Doing so lets you maintain separate public and private key pairs for encryption and electronic signatures and SSL client authentication.

Adding multiple certificates

To add multiple Internet certificates to your Notes® ID file when the certificates are issued by different CAs, follow the procedure provided by the CA. If the Internet certificates you want to add are issued by the same CA, add one of the certificates by following the CA's procedure and add the second certificate by importing it into the ID file. If you try to add multiple Internet certificates issued by the same CA and you do not import the certificate, Notes® uses the last certificate added to the ID file for S/MIME encryption and signatures.

For information on importing certificates, see Notes® help.

Specifying the default signing certificate

Once the Internet certificates are added to the ID file, you can specify a default certificate to use for S/MIME signatures. You specify this certificate in the User Security dialog box. If the Internet certificate you select is used for both signatures and encryption, then Notes® uses this certificate as the default for signatures and encryption. Otherwise, Notes® uses the Internet certificate you specify for signatures and the last Internet certificate added to the Notes® ID file for encryption. The default signing certificate is also the certificate used for SSL client authentication.

For information on specifying a default signing certificate, see Notes® help.

Adding an Internet certificate to Contacts

If you send a signed message and you have two different certificates for signatures and encryption, Notes® sends the recipient the default Internet certificates used for encryption and signatures. When the recipient chooses Tools > Add Sender to Contacts, Notes® adds a Contact document and adds the Internet certificates for encryption and signatures to the Contact document. When you send an encrypted message, Notes® extracts only the Internet certificate for encryption from the Contact document.

Adding a cross-certificate on demand

When a recipient receives a signed message, Notes® checks Contacts for a cross-certificate that indicates that the signing certificate included with the message is trusted. If the cross-certificate is not present, Notes® displays a dialog box that allows the recipient to cross-certify "on demand." You can create a cross-certificate to either the leaf certificate or to the CA. Creating a cross-certificate to a leaf certificate indicates trust for only the owner of the certificate, in this case the sender of the signed message. A cross-certificate to a CA indicates trust for all people who have a certificate issued by that CA.

When you cross-certify on demand, Notes® creates a cross-certificate for the signing certificate, but does not create a cross-certificate for the encryption certificate. However, if the signing and encryption certificates are issued from the same CA and you create a cross-certificate for the CA, the cross-certificate created for the signing certificate can also be used to validate the encryption certificate. If the signing and encryption certificates are issued from different CAs, then you must create a cross-certificate for the CA that issued the encryption certificate before you can send an encrypted message.