Using cross-certificates to access servers and send secure S/MIME messages

Domino® uses both Notes® and Internet cross-certificates. Notes cross-certificates allow users in different hierarchically-certified organizations to access servers and to receive signed mail messages. Internet cross-certificates allow users to receive signed mail messages and send encrypted mail messages.

Notes cross-certificates

To allow users and servers from the different hierarchically-certified organizations to access servers in the other organization, and to verify the digital signature of a user from another organization, you use cross-certificates. Domino servers store cross-certificates in the Domino Directory. To access Domino servers, Notes clients obtain cross-certificates for those servers and store them in their Contacts. These cross-certificates can be used only by the user to whom they are issued.

For example, if Alan Jones/Sales/East/Renovations wants to access the Support/Seascape server, he needs a cross-certificate from /Seascape, and the Support/Seascape server needs a cross-certificate for /Sales/East/Renovations. When Alan tries to authenticate with the Support/Seascape server, it checks for the cross-certificate in Alan's Contacts. If Support/Seascape finds a valid cross-certificate, the server then checks whether Alan is allowed to access the server.

Cross-certification can occur at various levels of an organization. For example, to allow every user within one organization to authenticate with every server in another, each user has a cross-certificate for the other's organization certifier in the Contacts file. Servers in each organization have a cross-certificate for the other's organization certifier in the Domino Directory. Cross-certification can also occur at the level of an individual user or server ID. For example, to allow a single user to authenticate with any server in another organizational unit or verify a digital signature from a user in that organizational unit, the user ID needs a cross-certificate for the organizational unit certifier in the other company, and that organizational unit certifier needs a cross-certificate for the user ID.

Two-way cross-certification does not need to be symmetric. For example, one organization can have a cross-certificate for an organizational unit certifier and another organization can have a cross-certificate for an organization certifier.

If you have cross-certificates for an organization or organizational unit certifier, set up server access restrictions to prevent the other organization from accessing specific servers that store confidential information. To allow your organization to access servers in another organization but prevent that organization from accessing your servers, exchange cross-certificates as required, but then set up server access lists on all servers to prevent access by the other organization.

Internet cross-certificates

An Internet cross-certificate is a certificate that validates the identity of a user or server. An Internet cross-certificate ensures the recipient of an encrypted S/MIME message that the sender's certificate can be trusted and that the certificate used to sign an S/MIME message is valid. It also validates the identity of a server when a Notes client uses SSL to access an Internet server.

An Internet cross-certificate is stored in a Certificate document in the user's Contacts and can be used only by the user to whom it is issued. An Internet cross-certificate can be issued for a leaf certificate -- that is, a certificate issued to a user or server by a CA -- or the CA itself. Creating a cross-certificate for a leaf certificate indicates trust for only the owner of the certificate -- for example, the sender of the signed message or recipient of an encrypted message. A cross-certificate for a CA indicates trust for all owners who have a certificate issued by that CA. If you cross-certify a CA, you trust the CA to issue certificates to users and servers not as high in the hierarchical name tree. For example, after cross-certifying Sales/ABC, you trust Sales/ABC to issue a certificate to Fred/Sales/ABC. Alternatively, after creating a cross-certificate for Fred/Sales/ABC, you trust only Fred/Sales/ABC.