• An Internet certificate issued by an IBM® Lotus® Domino® or third-party certifier.
• A trusted root certificate for a Lotus Domino or third-party certifier.
• (Lotus Notes clients only) A cross-certificate for the Lotus Domino or third-party certifier created from the trusted root certificate. The trusted root certificate is not necessary for Lotus Notes clients after you create the cross-certificate.
• Software, such as a Web browser or a Lotus Notes workstation, that supports the use of SSL.

To set up Notes clients with certificates issued by a Domino CA

The CA and client complete these steps.

1. Before issuing certificates, the CA must determine if Internet certificates should be created using the existing public and private keys from the Lotus Notes ID file or if the CA wants to issue certificates based on new keys generated from a browser certificate request. If clients use a browser that supports PKCS #12, clients can also import an existing Internet certificate into the Lotus Notes ID file. Depending on the environment, the administrator may choose to use a combination of these options for different users.

2. The CA adds a trusted root certificate to a Domino Directory that the client can access.

The client can also add a trusted root certificate to Contacts; however, adding a trusted root certificate simplifies the process of setting up Lotus Notes clients for SSL because the trusted root is accessible to many clients.

4. To create a certificate using the existing public and private keys in the Lotus Notes ID file:

1. The CA adds an Internet certificate to the Person document.
2. The client authenticates with the home server. Lotus Notes automatically adds the Internet certificate to the ID file.

1. The client requests the Internet certificate from the CA.
2. The CA approves the request, and Lotus Domino automatically adds the client's public key to the user's Person document.
3. The client merges the certificate into the ID file.
4. The CA adds an Internet certificate to the user's Person document.

1. The CA administrator creates a Person document for the Internet client.

2. The client obtains the trusted root certificate for the server's CA.

3. The client requests the Internet certificate from the CA.

4. The CA approves the request, and Lotus Domino automatically adds the client's public key to the user's Person document.

5. The client merges the certificate into the local file.

To set up Notes and Internet clients with certificates issued by a third-party CA

The CA and client complete these steps.

1. (Internet clients only) The CA administrator creates a Person document for the client.

2. Using any browser, the client follows the third-party CA's established procedure to request and merge the Internet certificate.

3. The Internet client follows the third-party CA's established procedure to merge the trusted root certificate for the CA.

4. The CA adds the client's public key to the Person document.

For example, to obtain an Internet certificate from VeriSign, visit the site "SSL Certificate Authority and Digital IDs" and follow the instructions provided.

Related topics

SSL Certificate Authority and Digital IDs
How users can obtain trusted certificates manually
Creating an Internet cross-certificate for a CA
Issuing Internet certificates in a Person document
Internet certificates for SSL and S/MIME
Signing an Internet client certificate and adding the certificate to the Domino Directory
Setting up Notes and Internet clients for SSL authentication
SSL and S/MIME for clients

Glossary