Certificates

A certificate is a unique digital signature that identifies a user or server. Server and user IDs contain one or more IBM® Notes® certificates. In addition, user IDs may contain one or more Internet certificates that identify users when they use SSL to connect to an Internet server or send a signed S/MIME mail message.

A certificate contains:

  • The name of the certifier that issued the certificate.
  • The name of the user or server to whom the certificate was issued.
  • A public key that is stored in both the IBM Domino® Directory and the ID file. Notes uses the public key to encrypt messages that are sent to the owner of the public key and to validate the ID owner's signature.
  • A digital signature.
  • The expiration date of the certificate.

Certificates are stored in ID files and in Person, Server, and Certifier documents in the Domino Directory. They are also referred to as Notes certified public keys.

Public keys are not secret. Any user may look up another user's public key and use it to send encrypted mail to that user or to authenticate that user. It is important that someone looking up a public key learns it reliably, because Domino uses it for identification. Users must be able to obtain the public key of the certifier that issued a certificate before they can authenticate the certificate's owner. If a user has a certificate issued by the same certifier as another user or server, the first user can verify the public key for that certificate and then reliably know the public key associated with the server or user name. If a user does not have a certificate issued by the same certifier, the user needs a cross-certificate for authentication.
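The trust rule in the paragraph above, as an added example that is not Domino's own code: a certificate carries the fields listed earlier, and a verifier accepts it only when the certifier's public key is already in its own trust set or is vouched for by a cross-certificate. Toy RSA over tiny constructed primes stands in for the real signature scheme and key sizes; all names, dates and keys are constructed.

```python
import hashlib
def toy_keypair(p, q, e=65537):  # toy RSA on tiny constructed primes: illustration only
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))  # (public key, private key)

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % n

def sign(private_key, data):
    n, d = private_key
    return pow(_digest(data, n), d, n)

def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest(data, n)

def signed_fields(cert):  # what the certifier signs: name-to-key binding plus expiry
    return f"{cert['certifier']}|{cert['subject']}|{cert['public_key']}|{cert['expires']}"

def issue(certifier, certifier_private, subject, subject_public, expires):
    cert = {"certifier": certifier, "subject": subject,
            "public_key": subject_public, "expires": expires}
    cert["signature"] = sign(certifier_private, signed_fields(cert))
    return cert

def validate(cert, trusted, cross_certs, today):
    """Return (public_key, "ok") if cert can be authenticated, else (None, reason).
    trusted: {certifier: public key} known from the verifier's own certificates;
    cross_certs: certificates a trusted certifier issued to a foreign certifier."""
    if today > cert["expires"]:
        return None, "expired"
    certifier_key = trusted.get(cert["certifier"])
    if certifier_key is None:  # no common certifier: look for a cross-certificate
        for xc in cross_certs:
            if xc["subject"] == cert["certifier"]:
                key, _ = validate(xc, trusted, [], today)
                certifier_key = certifier_key or key
    if certifier_key is None:
        return None, "no common certifier or cross-certificate"
    if not verify(certifier_key, signed_fields(cert), cert["signature"]):
        return None, "bad signature"
    return cert["public_key"], "ok"

# Constructed sample: two certifiers, one user each, expiry dates as day numbers.
ACME_PUB, ACME_PRIV = toy_keypair(10007, 10009)
WIDGETS_PUB, WIDGETS_PRIV = toy_keypair(10037, 10039)
ALICE_PUB, CAROL_PUB = toy_keypair(10061, 10067)[0], toy_keypair(10079, 10091)[0]
ALICE_CERT = issue("/Acme", ACME_PRIV, "Alice/Acme", ALICE_PUB, expires=2000)
CAROL_CERT = issue("/Widgets", WIDGETS_PRIV, "Carol/Widgets", CAROL_PUB, expires=2000)
CROSS_CERT = issue("/Acme", ACME_PRIV, "/Widgets", WIDGETS_PUB, expires=2000)  # /Acme vouches for /Widgets
BOB_TRUSTS = {"/Acme": ACME_PUB}  # Bob's own ID carries a certificate issued by /Acme
```

Bob can authenticate Alice directly, cannot authenticate Carol until he holds the cross-certificate for /Widgets, and rejects any certificate that is expired or whose signed fields no longer match the signature.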

When you register users and servers, Domino automatically creates a Notes certificate for each user and server ID. In addition, you can use a Domino or third-party certificate authority (CA) to create Internet certificates for user IDs. Domino uses the X.509 certificate format to create Internet certificates.

Notes certificates have expiration dates. Therefore, you must recertify Notes IDs when their expiration dates approach. In addition, if a user or server name changes, you must recertify the corresponding Notes ID so that a new certificate will bind the public key to the new name.

Changing a name on a user ID may also affect Internet certificates. For example, a user who has changed the name on a user ID may receive warning messages when sending signed S/MIME mail, stating that recipients of the message may see a signature under a name that is not on the original certificate used for signing.