SECURITY


Creating an Internet cross-certificate for a CA
Before an IBM® Lotus® Domino® client can authenticate servers or send secure S/MIME messages, the client must first create a cross-certificate for the CA server and store it in Contacts. This allows the Lotus Notes client to trust servers or clients that have certificates issued by that CA. The client uses a trusted root certificate to create the cross-certificate. Once the cross-certificate is created, the client no longer needs the trusted root certificate.

SSL server authentication for Internet clients other than Lotus Notes does not require a cross-certificate.

A Lotus Notes client can also create a cross-certificate for a server or client; however, this allows the Lotus Notes client to trust only that server or client. The Lotus Notes client does not then trust other servers and clients with certificates issued by a CA.

Note: Best practice is to push trusted cross-certificates to Notes clients' Contacts rather than having users retrieve them from the Domino Directory themselves.

To create an Internet cross-certificate

1. Make sure the CA created a trusted root certificate in the IBM® Lotus® Domino® Directory.

2. Instruct clients to retrieve an Internet cross-certificate through the User Security dialog box.

For information on how Lotus Notes users can retrieve Internet cross-certificates, see Lotus Notes Help.

To view Internet cross-certificates

Lotus Notes users can view the Internet cross-certificates contained in Contacts. For information on how Lotus Notes users can see their Internet cross-certificates, see Lotus Notes Help.
