Using dual Internet certificates for encryption and signatures

You use your Internet certificate to sign messages that you send. Other people use your Internet certificate to encrypt messages they are sending to you. This is similar to how HCL Notes® certificates work. However, if you have more than one Internet certificate, you may be able to use one Internet certificate for signing messages and another for other people to use when they encrypt mail messages to you.

About this task

Some CAs issue specific certificates for signing and issue others for encryption. Other CAs issue certificates that can be used for both signing and encryption.

Encryption

About this task

When a person encrypts mail using your Internet certificate, Notes® usually uses the most recently added certificate from the HCL Domino® Directory to encrypt the message. However, if the most recently added certificate is one that is only used for signing, Notes® looks for a certificate in the Domino® Directory that can be used for encryption.

Note that your administrator can also create a new Internet certificate for you, which could automatically become your default signing or encryption certificate because it was the most recently added Internet certificate.

Signing

About this task

If you add a new Internet certificate to your User ID, the new certificate automatically becomes the default signing certificate because it is the most recently added certificate. If the most recently added certificate is configured for encryption only, Notes® does not change your default signing certificate.

If you want to use a different certificate for signing, you can change which Internet certificate should be used as the default signing certificate at any time.
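The selection rules from the Encryption and Signing sections above, modeled as an added example (not HCL code and not part of the original topic). It assumes that "signing only" and "encryption only" are determined from the X.509 keyUsage extension and that the fallback is the next most recently added encryption-capable certificate; the Cert class and the function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# X.509 keyUsage bit names (RFC 5280) that S/MIME relies on for each purpose.
# Assumption: Notes classifies certificates this way; the topic does not say.
SIGN_BITS = {"digitalSignature", "nonRepudiation"}
ENCRYPT_BITS = {"keyEncipherment", "keyAgreement"}


@dataclass(frozen=True)
class Cert:
    label: str                      # constructed label, not a real certificate
    added: int                      # order in which the certificate was added
    key_usage: Optional[frozenset]  # None = no keyUsage extension (any purpose)

    def can_sign(self) -> bool:
        return self.key_usage is None or bool(self.key_usage & SIGN_BITS)

    def can_encrypt(self) -> bool:
        return self.key_usage is None or bool(self.key_usage & ENCRYPT_BITS)


def pick_encryption_cert(directory):
    """Certificate a sender would encrypt to, given the directory entries."""
    # Newest first; a signing-only certificate is skipped (assumed fallback:
    # the next most recently added certificate that allows encryption).
    for cert in sorted(directory, key=lambda c: c.added, reverse=True):
        if cert.can_encrypt():
            return cert
    return None  # nothing usable: mail to this person cannot be encrypted


def add_to_user_id(current_default, new_cert):
    """Default signing certificate after new_cert is added to the User ID."""
    # An encryption-only certificate leaves the signing default unchanged.
    return new_cert if new_cert.can_sign() else current_default


# Constructed sample data: one dual-use, one signing-only, one encryption-only.
dual = Cert("dual-2022", 1, frozenset({"digitalSignature", "keyEncipherment"}))
sign_only = Cert("sign-2024", 2, frozenset({"digitalSignature"}))
enc_only = Cert("enc-2025", 3, frozenset({"keyEncipherment"}))

if __name__ == "__main__":
    print(pick_encryption_cert([dual, sign_only]).label)
    print(add_to_user_id(dual, sign_only).label)
    print(add_to_user_id(sign_only, enc_only).label)
```

Because the default signing certificate is also the one used for TLS client authentication, a newly added signing-capable certificate changes that as well.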

This topic describes how to:

  • Specify a default Internet certificate to use for signing mail
  • Obtain someone's Internet certificate for mail encryption

To specify a default Internet certificate to use for signing mail

Procedure

  1. Click File > Security > User Security (Macintosh OS X users: Notes > Security > User Security).
  2. Click Mail.
  3. Under "Security options that apply to Internet-style Notes® mail only", click the "Internet-style Mail Options" button, then click the "Certificate Configuration" button under "Certificate options."
  4. In the "Certificate configuration for Internet-style (S/MIME) Mail" dialog box, select the Internet certificate you want to use for electronic signatures.
  5. Select "Use this certificate as your default signing certificate." This option is only available if you have more than one Internet certificate available to be used for signing and authentication.

Results

Note: The default signing certificate is also the certificate used for TLS client authentication.
Tip: For an alternate way to change your default signing certificate through User Security, click Your Identity > Your Certificates, display your Internet certificates, select the certificate you want as your default signing certificate, click the "Advanced Details" button, and then select "Use this certificate as your default signing certificate."

To obtain someone's Internet certificate for mail encryption

About this task

If you want to send someone encrypted mail, but you don't have that person's Internet certificate, have them send you a message that is signed with their Internet certificate. When you receive the message, select it, choose Actions > More > Add Sender to Contacts, and be sure to select "Include X.509 certificates when encountered" under the Advanced tab. Notes® creates a Contact document and adds any Internet certificates sent with the mail message to the Contact document. When you send an encrypted message to this recipient, Notes® extracts the Internet certificate for encryption from the Contact document and uses the recipient's certificate to encrypt the message.

If you want to enable someone to send you encrypted mail using your Internet certificate, have that person add you to their Contacts by following the same procedure as above.

Tip: See Certificates for people or services for information on searching for someone's Internet certificate.