Accessing servers using certificates

A certificate is an electronic stamp, like a stamp on a passport, which verifies to a server that you are who you say you are. Certificates are stored in your User ID. When you first receive your User ID from your administrator, it contains a Notes® certificate. You may decide to use Internet certificates as well. (You may see Internet certificates being referred to as X.509 certificates.)

You can view all of the certificates in your User ID by choosing File > Security > User Security (Macintosh OS X users: Notes > Security > User Security), and then clicking Your Identity > Your Certificates.

What are Notes certificates?

When you want to access any IBM® Domino® server, whether it be your mail server or an HR server in your company, you need a certificate to identify yourself to that server, and the server needs a certificate to identify you.

IBM Notes certificates in Notes Release 5 and later use hierarchical names, so the certificate authority's name is part of the certificate's name. (The certificate authority, or CA, is the entity that created your certificate and issued it to you.) For example, your certificate might look like this: Joe User/ACME, where Joe User is your name and ACME is your CA's name.

There are three types of Notes certificates you can have in your User ID:

  • Notes Multi-purpose certificates are used to identify you for most Notes purposes, such as logging in to Notes and accessing Notes databases on Domino servers. Your Notes multi-purpose certificates allow for strong cryptography -- for example, you receive mail protected with strong encryption when your Notes multi-purpose certificate is used to send you encrypted mail. The certificates contain a public key, which is used to sign and encrypt messages, the name of the CA that issued your certificate, the name of the person or server the certificate is issued to, the date the certificate was made, and the certificate's expiration date. Most users use Notes Multi-purpose certificates only.
  • Notes International certificates are used for encryption only. They allow anyone who can't use strong encryption to send you encrypted mail. They are generally not for your personal use. You always have an International certificate in your User ID, even if it is not used.

What are Internet certificates?

When you want to access a secure website that requires an SSL connection, such as www.verisign.com, where S is added before the HTTP that precedes the address, or you want to encrypt or sign mail that is sent over the Internet, you need an Internet certificate. Usually you store Internet certificates in a Web browser, such as Netscape or Internet Explorer; however, you can also store Internet certificates in your User ID to be used with the Notes browser or with Notes mail. Internet certificates often contain an email address. Because Internet certificate names are lengthy, Notes displays the email address in a short format as a way of showing who the certificate belongs to. If there isn't an email address available, Notes displays the most significant part of the Internet certificate name. For example, you could have an Internet certificate that looks similar to this: CN=ACME Internet CA/O=ACME/S=MASS/C=US. The portion of this certificate Notes displays is ACME Internet CA.

If you need to see the entire name associated with your personal Internet certificate, you can choose File > Security > User Security (Macintosh OS X users: Notes > Security > User Security, click Your Identity > Your Certificates, select Your Internet Certificates from the drop-down list, and click the Advanced Details button. To see details of other people's Internet certificates, see Certificates for people or services.

Your Internet certificates are identified by Notes as Internet Multi-purpose certificates. Within Notes, this type of certificate is used to access secure Web pages using the Notes browser, to send and receive secure mail using Internet-style Notes mail (S/MIME), and to secure connections to Internet services using Secure Socket layer (SSL) connections.

Note: The Internet certificate that is designated as the default signing certificate for SMIME email is indicated with a check mark in the icon next to the certificate name.
Note: Unlike Notes certificates, you can use one Internet certificate to sign messages and another Internet certificate for encryption. See Using dual Internet certificates for encryption and signatures for more information.