SECURITY


Adding an Internet certificate and cross-certificate for encrypted S/MIME messages
To send an S/MIME-encrypted message, the sender must have the recipient's Internet certificate in Contacts, an IBM® Lotus® Domino™ Directory, or LDAP directory. The sender must also have a cross-certificate issued for the recipient or for the certifier who issued the recipient's Internet certificate. If a cross-certificate is issued for a recipient's Internet certificate, only messages to that recipient can be encrypted. If a cross-certificate is issued to the recipient's CA, you can send encrypted messages to all recipients who have certificates issued by that CA, if you have the recipients' Internet certificates.

If the Internet certificate is stored in a Lotus Domino Directory in another domain or in an LDAP directory, the directory needs to be accessible using directory assistance.

To add an Internet certificate and cross-certificate for encrypted S/MIME messages

1. The recipient must send an S/MIME signed message to you.

For information on signing mail, see the topic "Encrypting and digitally signing e-mail messages" if you have installed IBM® Lotus® Notes® 8 Help. Or go to www.lotus.com/ldd/doc to download or view Lotus Notes 8 Help.

2. When you open the signed message, Lotus Notes asks whether you want to add a cross-certificate, unless you already have a cross-certificate issued for either the author or the CA that issued the author's certificate. Complete these fields and then click Cross Certify:
Field: Enter
Certifier: The certifier ID that is cross-certifying the certificate. By default, the certifier is your ID. If you have access, you can choose an ID that is higher in the hierarchical name scheme.
Server: The registration server that holds the cross-certificate that is created. By default, it is stored locally in your Personal Address Book. Do not change this setting, since the cross-certificate must be stored in your Personal Address Book in order to validate the Internet certificate of the person to whom you are sending an encrypted message.
Subject name: The certificate that is being cross-certified. You can choose to cross-certify the sender of the signed message or you can cross-certify the CA that issued the certificate to the sender. If a cross-certificate is issued to the sender of the signed message, you can encrypt messages to only that person. If a cross-certificate is issued to the sender's CA, you can send encrypted messages to anyone who has an Internet certificate issued by that CA and for whom you have an Internet certificate.
Subject alternate name list: Alternate names attached to the ID, if any.
Expiration date: The date that the cross-certificate expires.
3. To add the author's Internet certificate to Contacts, choose Tools - Add Sender to Address Book. Lotus Notes creates a Contact document for the person and adds an Internet certificate to the document.
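
The rule that decides whether a message to a given recipient can be encrypted, written out as a small model. This is an added example, not Lotus Notes code: the class and function names are hypothetical, certificates are matched by name only, and treating a cross-certificate as valid through its expiration date is an assumption.

```python
from dataclasses import dataclass
from datetime import date

# Simplified model (assumption): certificates are matched by subject and issuer
# name only; real clients also verify signatures and certificate validity.

@dataclass
class InternetCert:
    subject: str   # recipient the certificate was issued to
    issuer: str    # CA that issued it

@dataclass
class CrossCert:
    subject: str   # a single recipient OR a CA, as chosen in "Subject name"
    expires: date  # the "Expiration date" field

def encryption_status(recipient, internet_certs, cross_certs, today):
    """Return (can_encrypt, reason) for one recipient."""
    cert = internet_certs.get(recipient)
    if cert is None:
        return False, "no Internet certificate for recipient"
    # A cross-certificate applies if it names the recipient or the issuing CA.
    matching = [c for c in cross_certs if c.subject in (cert.subject, cert.issuer)]
    if not matching:
        return False, "no cross-certificate for recipient or issuing CA"
    valid = [c for c in matching if c.expires >= today]
    if not valid:
        return False, "cross-certificate expired"
    scope = "recipient" if any(c.subject == cert.subject for c in valid) else "CA"
    return True, f"trusted via {scope} cross-certificate"

# Constructed sample data, not taken from any real directory.
TODAY = date(2024, 6, 1)
INTERNET_CERTS = {
    "alice@example.com": InternetCert("alice@example.com", "Example CA"),
    "carol@other.example": InternetCert("carol@other.example", "Other CA"),
    "erin@other.example": InternetCert("erin@other.example", "Other CA"),
}
CROSS_CERTS = [
    CrossCert("Example CA", date(2030, 1, 1)),           # CA-wide trust
    CrossCert("carol@other.example", date(2023, 1, 1)),  # single recipient, expired
]

def check(recipient):
    return encryption_status(recipient, INTERNET_CERTS, CROSS_CERTS, TODAY)

if __name__ == "__main__":
    for r in ["alice@example.com", "dave@example.com",
              "carol@other.example", "erin@other.example"]:
        print(r, check(r))
```

In the sample data, dave@example.com cannot receive encrypted mail even though the CA is cross-certified, because no Internet certificate is on file for that address.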


For information on adding an Internet certificate and cross-certificate when users have dual certificates, see the topic "Dual Internet certificates for S/MIME encryption and signatures" later in this chapter.
