You do not need to complete these steps if you are using an IBM® Lotus® Notes® client and the CA issued certificates in the Person document of the Lotus Domino Directory. Lotus Notes automatically adds Internet certificates stored in the Person document to the Lotus Notes ID file when the user authenticates with the server.

The steps you follow to sign and add an Internet client certificate to the Lotus Domino Directory depend on whether the certificate is issued from a Lotus Domino server-based certification authority, a Lotus Domino 5 Certificate Authority, or a third-party CA.

Before you approve client certificates for signing:

• Make sure you understand your organization's policy on signing certificates. Sign client certificates for clients if the certificate requests comply with your organization's security policy.
• Make sure you have the Administration Process set up on the server. If you are signing a certificate for an Internet client, make sure you created a Person document.

For more information on creating Person documents for Internet clients, see Setting up a Person document for an Internet client using SSL client authentication.

Domino server-based certification authority

The steps are completed by the Lotus Domino CA. You must be a registration authority (RA) to approve client certificates for signing.

1. From the Lotus Domino Administrator, click Files, and open the Lotus Domino Certificate Requests application.

2. Transfer the certificate request into the Administration Requests database.

1. In the Certificate Requests database, open the Pending/Submitted Requests view. Press F9 to refresh the view if the client request does not appear there.
2. If the view shows that the request has been "Submitted to Administration Process," go to the next step. If it is still in the Pending state, highlight the request and click "Submit Selected Requests."
3. You should see a "Successfully submitted 1 request(s) to the Administration Process" message. Click OK.

1. Open the Administration Requests database (ADMIN4.NSF), open the Certification Authority Requests/Certificate Requests view, and find the new client request.
2. Open the request and verify the information in it.
3. Click Edit Request, and then click Approve Request or Reject Request. Press F9 to make sure that the request changes state, from New to Approved (or Rejected).

1. Close the Administration Requests database and return to the Certificate Requests database.
2. Open the Issued/Rejected Certificates view and locate the client request (you may need to refresh the view).

1. If you enabled the option for e-mail confirmation upon completion of the client request, then the once, the CA automatically notifies the requester to pick up the certificate. If it is denied, it sends the requester e-mail indicating that the request was rejected.
2. If you did not enable the option for e-mail confirmation upon completion of the client request, then you need to click "Send Confirmation Mail" to notify the requester of the outcome.

Domino 5 Certificate Authority

The Internet certificate request appears in the Client Certificate Requests view in the Lotus Domino Certificate Authority application. When the CA signs a certificate, the CA can automatically send e-mail to the client. This e-mail describes where to pick up the certificate and includes a pickup ID, which the client must use to identify the certificate during the pickup process. Lotus Domino automatically generates the pickup ID.

Note The steps below apply to signing client certificates issued by a Lotus Domino CA. The steps are completed by the Lotus Domino CA.

1. From the Lotus Domino Administrator, click Files, and open the Lotus Domino Certificate Authority application.

2. Click "Client Certificate Requests" in the left pane.

3. Open the request you want to sign.

4. Review the user information and distinguished name. Make sure the information provided complies with your organization's security policy.

5. Leave the option "Register certificate in the Domino Directory" selected to add the client's public key automatically to the Person document.

If you want to deny the request, complete step 6. Otherwise, go to step 7.

1. Enter a reason for the denied request.
2. If you do not want to send the person e-mail, deselect "Send a notification e-mail to the requester"; otherwise, the Lotus Domino Certificate Authority application sends the person e-mail indicating that you denied the request and the reason why you denied the request.
3. Click Deny.

1. Enter a validity period. For short-term projects, 90 days is typical; for ongoing projects, you can enter several years.
2. If you do not want to send the client e-mail indicating that the client can now pick up the certificate, deselect "Send a notification e-mail to the requester"; otherwise, the Lotus Domino Certificate Authority application sends an e-mail with a URL indicating the location to pick up the certificate.
3. Click Approve and enter the password for the CA key ring file. This places a request in the Administration Requests database. When the Administration Process next runs, it processes the request and adds the certificate to the client's Person document in the Lotus Domino Directory.
Note The client cannot use the certificate to authenticate against database ACLs until the Administration Process completes the request.

If a user obtains an Internet certificate from a third-party CA using the Lotus Notes client, the certificate is automatically added to their Person document.

If a user obtains an Internet certificate from a third-party CA through a browser, the certificate must then be added to their Person document.

For more information, see Publishing third-party CA client certificates in a Person record.

See also

Setting up Notes and Internet clients for SSL client authentication
Creating Internet certificates for Notes S/MIME clients
Setting up the Administration Process

Glossary