Creating a cross certificate on demand

In the following situations you may be prompted to create a cross certificate.

  • When you receive a digitally signed mail message, HCL Notes® checks your Contacts for a cross certificate that indicates that the signing certificate included with the message is trusted.
  • When you access a server, Notes® checks whether you trust the certificate issued to that server.
  • When you are using the Notes® browser to view a secure Web page and you don't trust the website's certificate.

If Notes® cannot find a cross certificate, you are prompted to create a cross certificate on demand.

You can create a cross certificate for the certificate authority (CA), which indicates trust for all people and servers who have a certificate issued by that CA, or you can create a cross certificate for the individual certificate you have encountered.

Creating a cross certificate is equivalent to marking the certificate as trusted in User Security > Identity of Others (see Certificates for people or services). You can always choose to trust certificates through User Security if you do not want to make the decision to trust a certificate at this time.

Do one of the following in the "Create Cross Certificate" dialog box:

  • Click Yes to automatically cross-certify the Notes® root CA of the User or server ID, for example /ACME, and put the cross certificate in your Contacts. Note that you can only access a server if that server has cross-certified you or your organization, or if the server allows anonymous access.
    To cross certify with the certificate for the Notes® organizational unit CA instead of the certificate for the Notes® root CA, click the Advanced button, and choose the organization name in the "Subject name" list, for example /ABC/ACME.
    When you are prompted to create an Internet cross certificate, the default is to cross certify the individual or website's certificate by clicking Yes. To cross certify the organizational unit CA or root CA level, you must click the Advanced button. You should think very carefully before cross certifying an Internet CA.
    Note: To avoid the possibility of cross certifying an impostor, call someone trustworthy from the named organization and find out the organization's public key.
  • Click No to prevent creation of a cross certificate. You then see a message offering you unauthenticated access to the server or the ability to read the signed message without verifying the signature. The warning message appears each time you connect to a server in that organization or read a signed message from a user in that organization. If you click No for a cross certificate when you have been attempting to access a secure Web page with the Notes® browser, the page is not loaded and the Web page that is shown gives instructions on how to fix the problem later in User Security.