SECURITY
Lotus Notes clients can also obtain a trusted root certificate and cross-certificate themselves in order to authenticate the server; however, adding the trusted root certificate to the Lotus Domino Directory simplifies setting up server authentication for users.
Note Best practice is to push trusted certificates to Notes clients' Contacts rather than having users take steps to obtain trusted certificates themselves.
Note Users can accept certificates automatically, without having to obtain the roots or cross-certificates, by enabling the option "Accept site certificates" in the location document for the Lotus Notes client. However, accepting certificates from unknown servers is a security risk. A certificate accepted without checking its source can come from an attacker just as easily as from the server the user intended to reach, and once it is trusted the client has no way to tell the two apart.
To obtain a trusted root certificate for a Notes client
1. Make sure that you have a trusted root certificate for the CA. In the Lotus Domino Administrator, click Configuration - Certificates - Certificates, and view the certificate in the Internet Certifiers category.
2. Instruct clients to complete the procedure "Creating an Internet cross-certificate for a CA."
To obtain a trusted root certificate for an Internet client
You can use the following procedures to obtain a trusted root certificate for an Internet client.
If the trusted root certificate is for a Lotus Domino CA, the Internet client performs these steps:
1. Browse to the Domino Certificate Requests or Certificate Authority (Domino 5) application.
2. Select "Accept This Authority In Your Browser."
Note If you use an SSL connection to browse to the application, the server prompts you to accept the site certificate. The prompt only proves that some certificate was presented, not who presented it. Before accepting the certificate as a trusted root, check the CA properties and confirm that the issuer and fingerprint match what the CA's administrator gave you through a channel other than this connection.
If the trusted root certificate is for a third-party CA, the Internet client follows that CA's established procedure to merge its trusted root certificate. If the client and server already have certificates issued by the same CA, or otherwise already share a trusted CA, this step is not necessary.
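The check the Note above asks for, confirming that a certificate really comes from the source you trust before importing it as a trusted root, can be automated on the exported certificate file. The following is an added example, not code from the original IBM documentation or from any Domino tool: it reads a PEM certificate with a minimal DER reader from the Python standard library, compares its SHA-256 fingerprint with a value obtained out of band (for instance from the Domino administrator by a separate channel), and refuses the certificate if it is not self-signed or not marked as a CA. The helper names, the expected-fingerprint parameter and the self-signed sample certificate the block constructs are all assumptions made here; the sample's key and signature bytes are dummies, and the code does not verify signatures, so a real import should still validate the chain with a full X.509 library.

```python
import base64
import hashlib
import re

OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # id-ce-basicConstraints, 2.5.29.19


def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def elements(buf: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end, raw_start) for each child of a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        yield tag, vs, ve, pos
        pos = ve


def pem_to_der(pem: str) -> bytes:
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def parse_certificate(der: bytes) -> dict:
    """Extract raw issuer/subject Names, the basicConstraints cA flag and the SHA-256 fingerprint."""
    _, cs, ce = read_tlv(der, 0)                      # Certificate ::= SEQUENCE
    _, ts, te, _ = next(elements(der, cs, ce))        # tbsCertificate
    fields = list(elements(der, ts, te))
    if fields[0][0] == 0xA0:                          # optional explicit [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, [...]
    issuer = der[fields[2][3]:fields[2][2]]
    subject = der[fields[4][3]:fields[4][2]]
    is_ca = False
    for tag, vs, ve, _ in fields[6:]:
        if tag != 0xA3:                               # [3] extensions
            continue
        _, es, ee, _ = next(elements(der, vs, ve))    # SEQUENCE OF Extension
        for _, xs, xe, _ in elements(der, es, ee):
            parts = list(elements(der, xs, xe))       # extnID, [critical], extnValue
            if der[parts[0][1]:parts[0][2]] != OID_BASIC_CONSTRAINTS:
                continue
            _, bs, be, _ = next(elements(der, parts[-1][1], parts[-1][2]))  # BasicConstraints
            inner = list(elements(der, bs, be))       # cA BOOLEAN DEFAULT FALSE, pathLen OPTIONAL
            is_ca = bool(inner) and inner[0][0] == 0x01 and der[inner[0][1]] != 0
    return {"issuer": issuer, "subject": subject, "is_ca": is_ca,
            "sha256": hashlib.sha256(der).hexdigest()}


def check_trusted_root(pem: str, expected_sha256: str) -> list:
    """Reasons not to import this certificate as a trusted root; an empty list means it passed."""
    info = parse_certificate(pem_to_der(pem))
    problems = []
    if info["sha256"] != expected_sha256.replace(":", "").lower():
        problems.append("fingerprint does not match the value obtained out of band")
    if info["issuer"] != info["subject"]:
        problems.append("certificate is not self-signed (issuer differs from subject)")
    if not info["is_ca"]:
        problems.append("basicConstraints does not mark this certificate as a CA")
    return problems


def build_sample_cert(subject_cn: str, issuer_cn: str, ca: bool) -> str:
    """Constructed sample: structurally valid X.509, but key and signature bytes are dummies."""
    def name(cn):                                     # Name ::= SEQ { SET { SEQ { CN OID, UTF8 } } }
        return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, cn.encode()))))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))  # sha256WithRSA
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"340101000000Z"))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" * 17))   # dummy key bits
    bc = tlv(0x30, tlv(0x01, b"\xff") if ca else b"")
    ext = tlv(0x30, tlv(0x06, OID_BASIC_CONSTRAINTS) + tlv(0x01, b"\xff") + tlv(0x04, bc))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name(issuer_cn)
              + validity + name(subject_cn) + spki + tlv(0xA3, tlv(0x30, ext)))
    der = tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 33))  # dummy signature
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    root = build_sample_cert("Example Root CA", "Example Root CA", ca=True)
    fp = parse_certificate(pem_to_der(root))["sha256"]   # stands in for the out-of-band value
    print("matching fingerprint:", check_trusted_root(root, fp))
    print("wrong fingerprint:   ", check_trusted_root(root, "00" * 32))
```

In use, the expected fingerprint comes from the administrator by mail or phone, not from the page that serves the certificate, and the same value should match what the browser's certificate dialog shows before "Accept This Authority In Your Browser" is selected. The fingerprint is accepted in either the bare hex form or the colon-separated form that certificate dialogs display.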