Customizing a Notes install kit to set certifier and trust defaults
You can specify administrative trust settings in the deploy.nsf application by using an Export option in the server's Domino® Directory (names.nsf), which adds those settings to the install kit's deploy.nsf application.
About this task
The administrative trust defaults in deploy.nsf and the Internet certifiers in the install kit's Java™ keystore are processed to define trusted certifiers. The keystore is used directly during install, but is ignored at runtime. The deploy.nsf is processed at startup to add trust certifiers to the user's Contacts application (names.nsf) to be used at runtime.
You can install the deploy.nsf application as part of a Notes® client install kit.
You cannot manually edit or delete certificates in the deploy.nsf. You can make changes to the installed deploy.nsf only by exporting from the server's Domino Directory to a new deploy.nsf and then overwriting the installed deploy.nsf with the new file. The notes.ini statement FORCE_PROCESS_DEPLOY_NSF=1 ensures that the deploy.nsf application is processed. Alternatively, you can simply use Domino policy.
If there are certificates listed in the installed deploy.nsf and you overwrite the file with a new deploy.nsf, any certificates that are not in the new deploy.nsf are deleted. If you are going to use this technique, maintain a central and cumulative deploy.nsf so as not to unintentionally delete certificates from a user's system.
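One way to enforce the cumulative-export advice above before a rollout, as an added example that is not part of the product documentation. The inventory text files, the function names and the sample certificate names are assumptions, and deploy.nsf itself is not read.

```shell
# Added example (not product code): gate before overwriting an installed deploy.nsf.
# Assumption: inventories are hand-kept text files, one certificate name per line.

# Trim whitespace, drop '#' comment lines and blanks, fold case, sort and dedupe.
normalize_inventory() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^#/d' -e '/^$/d' "$1" |
        tr '[:upper:]' '[:lower:]' | LC_ALL=C sort -u
}

# Print names listed for the installed file but absent from the new export
# (what the overwrite would delete); return 1 if there are any.
certs_that_would_be_deleted() {
    old_list=$(mktemp); new_list=$(mktemp)
    normalize_inventory "$1" > "$old_list"
    normalize_inventory "$2" > "$new_list"
    missing=$(LC_ALL=C comm -23 "$old_list" "$new_list")
    rm -f "$old_list" "$new_list"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# True only if notes.ini carries FORCE_PROCESS_DEPLOY_NSF=1 (a trailing CR is tolerated).
force_process_enabled() {
    grep -q '^FORCE_PROCESS_DEPLOY_NSF=1[[:space:]]*$' "$1"
}

# preflight INSTALLED_INVENTORY NEW_INVENTORY NOTES_INI
preflight() {
    status=0
    if ! dropped=$(certs_that_would_be_deleted "$1" "$2"); then
        echo "BLOCK: new deploy.nsf would delete:" >&2
        printf '%s\n' "$dropped" | sed 's/^/  /' >&2
        status=1
    fi
    if ! force_process_enabled "$3"; then
        echo "BLOCK: FORCE_PROCESS_DEPLOY_NSF=1 not found in $3" >&2
        status=1
    fi
    return "$status"
}

if [ "${1:-}" = "--demo" ]; then   # constructed sample data
    d=$(mktemp -d)
    printf 'O=ExampleCorp\nCN=Example Signer CA\n' > "$d/old.txt"
    printf 'o=examplecorp\n' > "$d/new.txt"
    printf '[Notes]\nFORCE_PROCESS_DEPLOY_NSF=1\n' > "$d/notes.ini"
    preflight "$d/old.txt" "$d/new.txt" "$d/notes.ini" || echo "rollout blocked"
    rm -rf "$d"
fi
```

Names are compared case-insensitively and reported in lower case, so an inventory can be kept by hand without exact-case matching.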
Pushing administrative trust settings to users by customizing the install kit enables you to do the following:
- Add third-party certificates to the Java keystore, which allows signed features/plugins added to the install kit to be trusted at install time. The keystore can be modified manually using keytool, but this method is simpler and leverages existing infrastructure.
- Push Internet Certifiers, Internet Cross Certificates, and Notes Cross Certificates to the user's Contacts application (names.nsf), so that when users install new features/plugins at runtime, or access new applications, they are not prompted for trust decisions.
You can alternatively push administrative trust settings to users from Domino policy, which is the recommended method, to centrally manage and change settings as needed.
To add administrative trust settings to an install kit without pushing those settings from the Keys and Certificate tab on the Security policy page, proceed as follows.