Creating new public keys

If you have lost your User ID, or someone has taken a copy of it to access your data, change your password and create new public keys (a new IBM® Notes® multi-purpose certificate and a new Notes® international encryption certificate). Changing the password protects only the copy of the ID you change it on; a stolen copy still opens with the old password, so it is the new keys that actually cut off the person who has it.

About this task

Your public key is in your certificate, which is stored in your User ID and in the IBM® Domino® Directory, and others use it to encrypt data they send to you. If a person has a copy of your User ID, the private key in that copy can decrypt your encrypted data. Getting new public keys protects the data that only you should be able to read. Data that was encrypted with your old keys can still be read by the person who stole your User ID, but anything encrypted for you with the new keys cannot be read by anyone but you.

Your key is also used to create a digital signature when you sign mail or other items in Notes®. If your User ID is stolen, get a new key so that Notes® signs with the new key from then on. When you sign a message, others verify the signature with your new public key, which shows that the message is from you and not from the person who stole your User ID: a signature made with the stolen old key does not verify against your new public key.

When you request new public keys, Notes® generates a new public and private key pair for you and includes the public key in the mail message you send to your administrator; the private key stays in your User ID. Your administrator then creates new certificates for you containing the new public key. (Each new certificate contains a new public key and a new expiration date. Everything else stays the same, such as your user name.) Your administrator sends the certificates containing the new public keys back to you so you can merge them into your User ID.

Note: If you are using a flat User ID, you cannot create new public keys. Instead you must request new Notes® flat certificates.

To request new public keys using the authentication protocol

Procedure

  1. Click File > Security > User Security (Macintosh OS X users: Notes > Security > User Security).
  2. Click Your Certificates > Other Actions > Create New Public Keys.
  3. Select the key size you want from the "New Key Strength" drop-down list.
  4. To request the new certificate, select "Authentication protocol (recommended)."

Results

The next time you log in, or authenticate, with your home server, the keys are created and the certificate request is processed by the Domino® server. You will be prompted with the "Accept New ID Information" dialog box. Click OK to accept the new public keys. The new keys will be activated in your ID file the next time you authenticate after this.

To request new public keys using email

Procedure

  1. Click File > Security > User Security (Macintosh OS X users: Notes > Security > User Security).
  2. Click Your Certificates > Other Actions > Create New Public Keys.
  3. Select the key size you want from the "New Key Strength" drop-down list.
  4. To request the new certificate, select "Mail protocol" from the drop-down list.
  5. If you have already submitted public keys and want to submit a new set, you may have to click the "New Set" button; if you want to resubmit the same keys instead, you may have to click the "Resubmit" button.
  6. Click the Continue button.
  7. Enter the name of the Domino® administrator(s) in the To field; this message carries your proposed new public keys. (Click Address to choose from your Contacts.) If your administrator's name is available, it appears in the To field automatically when you are connected to the network.
  8. Click Send.
  9. When your administrator sends you an email including your new certificates, open the email, and choose Actions > Accept Certificate.

Results

Note: When you begin the procedure to create new public keys, Notes® marks the new public keys that you are requesting as "pending keys" awaiting action by your administrator. After your administrator has certified the new keys and you receive and accept your new certificates, the pending keys become your current keys. Notes® saves your previous key set in your User ID, so you can still decrypt messages that were encrypted using your old public keys (these old keys are now marked as "archived keys"). You can view your saved keys by choosing File > Security > User Security (Macintosh OS X users: Notes > Security > User Security), clicking Your Identity > Your Certificates, then selecting "Your Notes® Saved Keys" from the drop-down list.
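The key states in the note above (pending, current, archived) and the reasons for the rollover given under "About this task" can be shown end to end in code. The program below is an added example, not IBM's or Notes® code: it models the User ID as a small key ring using Go's standard RSA-OAEP and RSA-PSS in place of the Notes® certificate formats, skips the administrator's certificate issuance (acceptCertificate simply promotes the pending pair), and the key size, message texts and every function name are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

const keyBits = 2048 // stands in for the dialog's "New Key Strength"; assumed value
// keyRing models the key states the page describes: the current pair, a pending pair
// awaiting the administrator's certificate, and archived pairs kept so old mail stays readable.
type keyRing struct {
	current  *rsa.PrivateKey
	pending  *rsa.PrivateKey
	archived []*rsa.PrivateKey
}

// must panics on error; in this demo that can only mean a broken RNG or a bad key.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// requestNewKeys creates the pending pair and returns only its public half,
// which is all the administrator needs in order to issue the new certificate.
func (r *keyRing) requestNewKeys() *rsa.PublicKey {
	r.pending = must(rsa.GenerateKey(rand.Reader, keyBits))
	return &r.pending.PublicKey
}

// acceptCertificate models "Accept New ID Information": the pending pair becomes
// current and the previous pair is archived, not deleted.
func (r *keyRing) acceptCertificate() {
	r.archived = append(r.archived, r.current)
	r.current, r.pending = r.pending, nil
}

// decrypt tries the current key and then every archived key, which is why mail
// encrypted before the rollover is still readable afterwards.
func (r *keyRing) decrypt(ct []byte) ([]byte, bool) {
	for _, k := range append([]*rsa.PrivateKey{r.current}, r.archived...) {
		if pt, ok := decryptWith(k, ct); ok {
			return pt, true
		}
	}
	return nil, false
}

// decryptWith is all the holder of a stolen User ID can do: try its one private key.
func decryptWith(k *rsa.PrivateKey, ct []byte) ([]byte, bool) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, k, ct, nil)
	return pt, err == nil
}

// verifiesUnder signs msg with k and checks it with pub, as a recipient holding pub would.
func verifiesUnder(k *rsa.PrivateKey, pub *rsa.PublicKey, msg []byte) bool {
	h := sha256.Sum256(msg)
	sig := must(rsa.SignPSS(rand.Reader, k, crypto.SHA256, h[:], nil))
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

type rolloverResult struct {
	OldMailReadable   bool // the archived key still opens pre-rollover mail
	ThiefReadsOldMail bool // so does the stolen copy: old mail stays exposed
	ThiefReadsNewMail bool // stolen copy against mail encrypted to the new key
	ThiefSigVerifies  bool // stolen key's signature checked with the new public key
	OwnerSigVerifies  bool // new key's signature checked with the new public key
}

// runRollover walks the page's scenario with constructed sample messages: the ID is
// stolen, new keys are requested and accepted, and each party tries its keys.
func runRollover() rolloverResult {
	ring := &keyRing{current: must(rsa.GenerateKey(rand.Reader, keyBits))}
	stolen := ring.current // the attacker's copy of the User ID holds this private key
	before := []byte("constructed sample: sent before the ID was stolen")
	after := []byte("constructed sample: sent after the new keys were accepted")
	pub := &ring.current.PublicKey // what the directory publishes before the rollover
	oldMail := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, before, nil))
	newPub := ring.requestNewKeys()
	ring.acceptCertificate()
	// A correspondent now looks up the new public key and encrypts to it.
	newMail := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, newPub, after, nil))
	var res rolloverResult
	pt, ok := ring.decrypt(oldMail)
	res.OldMailReadable = ok && string(pt) == string(before)
	_, res.ThiefReadsOldMail = decryptWith(stolen, oldMail)
	_, res.ThiefReadsNewMail = decryptWith(stolen, newMail)
	res.ThiefSigVerifies = verifiesUnder(stolen, newPub, after)
	res.OwnerSigVerifies = verifiesUnder(ring.current, newPub, after)
	return res
}

func main() {
	fmt.Printf("%+v\n", runRollover())
}
```

Running it prints a result in which OldMailReadable, ThiefReadsOldMail and OwnerSigVerifies are true while ThiefReadsNewMail and ThiefSigVerifies are false: the archived key keeps old mail readable for you, the thief keeps whatever was already encrypted to the old key, and everything encrypted or signed with the new keys is out of the thief's reach.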

To request a new public key using removable media or another mail program

About this task

When you request new public keys using removable media or another mail program, you create a safe copy of your User ID to send to your administrator. A safe copy contains your public key and certificates, which is enough for the administrator to certify your new keys, but not your private keys, so it cannot be used to impersonate you or to decrypt your data. Use this method if you are not a Notes® mail user, or if you cannot successfully request new keys through Notes® mail.

Procedure

  1. Insert removable media into your workstation if using removable media to deliver your User ID to your administrator.
  2. Click File > Security > User Security (Macintosh OS X users: Notes > Security > User Security).
  3. Click Security Basics, and then click "Compromised Password" under "Your Login and Password Settings."
  4. Click "New Public Keys" in the "What to Do If Your ID Is Compromised" dialog box.
  5. If you have already submitted public keys and want to submit a new set, you may have to click the "New Set" button; if you want to resubmit the same keys instead, you may have to click the "Resubmit" button.
  6. Click the "Export ID" button in the "New Public Keys Confirmation" dialog box.
  7. In the "Enter Safe Copy ID File Name" dialog box, if you will send the safe copy through another mail program, change the directory to one that you can access from that program.
  8. If you are using removable media, change the directory to the removable media drive instead.
  9. Enter a file name for the safe copy of your User ID in the File Name field (Macintosh users: Save As field). The default is SAFE.ID.
  10. Click Save, and then close the "New Public Keys Confirmation" dialog box.
  11. Deliver the removable media to your Domino® administrator, or attach the safe User ID to an email and send it through another mail program.
  12. When your administrator returns the removable media, or sends you the certificates through your other mail program, merge the certificates containing your new public keys into your User ID.

To resubmit a new public key request to your administrator

About this task

If you have sent a request for new public keys but have not received an email from your administrator containing your new certificates, you can resubmit the same request instead of starting over. A brand new request generates a brand new key set and invalidates any work your administrator may already have started on the earlier request. Resubmitting the previous request keeps the same pending keys and reminds the administrator to complete any administrative actions that are in progress.

Procedure

  1. Click File > Security > User Security (Macintosh OS X users: Notes > Security > User Security).
  2. Click Your Identity > Your Certificates.
  3. Select "Your Notes® Saved Keys" from the drop-down list.
  4. Select the pending key you want to resubmit to your administrator, and click Other Actions > "Resubmit Request to Certify Pending Keys."
  5. If you are using Notes® mail, follow Steps 4--8 in "To request new public keys using email."
  6. If you are using removable media or another mail program, follow Steps 5--12 in "To request a new public key using removable media or another mail program."