Examples of cross-certification
There are several different ways to cross-certify with another server or individual.
To authenticate with all servers in another organization
This example describes what the Renovations company and the ABC company do to allow all users and servers in both organizations to authenticate.
- The Renovations organization certifier (/Renovations) obtains a cross-certificate for the ABC organization certifier (/ABC) and stores it in the Renovations Domino® Directory.
- The ABC organization certifier (/ABC) obtains a cross-certificate for the Renovations organization certifier (/Renovations) and stores it in ABC's Domino® Directory.
To authenticate with a specific server in another organization
The Renovations company wants to let Seascape users who have the hierarchical certification AppDevelopment/Seascape access its customer support server, CSSUPPORT/East/Renovations.
- The Renovations organizational unit certifier (/East/Renovations) has a cross-certificate for the Seascape organizational unit certifier (/AppDevelopment/Seascape) and stores it in the Renovations Domino® Directory.
- The Seascape organizational unit certifier (/AppDevelopment/Seascape) has a cross-certificate for the Renovations organizational unit certifier (/East/Renovations) and stores it in Seascape's Domino® Directory.
This cross-certification enables Kelly Jones/AppDevelopment/Seascape and Jonathan Moutal/AppDevelopment/Seascape to authenticate with the server CSSUPPORT/East/Renovations. However, it does not allow these users to authenticate with the Renovations server Mail-W/West/Renovations.
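The scoping in the two examples above can be checked with a small model. The following Python sketch is an added example, not Domino code: it assumes that each side needs a cross-certificate issued by itself or one of its ancestor certifiers for the other party or one of its ancestors. The function names and the user Pat Doe/Sales/ABC are hypothetical.

```python
# Added example: simplified model of cross-certificate scope, not Domino code.
# A name is a path read right to left: CSSUPPORT/East/Renovations sits under
# the certifier /East/Renovations, which sits under /Renovations.

def key(name):
    """Normalize 'CSSUPPORT/East/Renovations' or '/East/Renovations' to a tuple."""
    return tuple(part.strip() for part in name.strip("/").split("/"))

def chain(name):
    """The name itself plus every certifier above it in the hierarchy."""
    parts = key(name)
    return {parts[i:] for i in range(len(parts))}

def trusts(directory, holder, peer):
    """True if `directory` holds a cross-certificate issued by `holder` or one
    of its ancestor certifiers, for `peer` or one of its ancestor certifiers."""
    return any(key(issuer) in chain(holder) and key(subject) in chain(peer)
               for issuer, subject in directory)

def can_authenticate(user, user_dir, server, server_dir):
    """Both sides need a usable cross-certificate (assumed mutual check)."""
    return trusts(user_dir, user, server) and trusts(server_dir, server, user)

# Directory contents from the two examples above, as (issued by, issued to).
ORG_RENOVATIONS = [("/Renovations", "/ABC")]
ORG_ABC = [("/ABC", "/Renovations")]
OU_RENOVATIONS = [("/East/Renovations", "/AppDevelopment/Seascape")]
OU_SEASCAPE = [("/AppDevelopment/Seascape", "/East/Renovations")]

if __name__ == "__main__":
    kelly = "Kelly Jones/AppDevelopment/Seascape"
    for server in ("CSSUPPORT/East/Renovations", "Mail-W/West/Renovations"):
        print(server, can_authenticate(kelly, OU_SEASCAPE, server, OU_RENOVATIONS))
    # Hypothetical ABC user: organization-level certificates cover every server.
    print(can_authenticate("Pat Doe/Sales/ABC", ORG_ABC,
                           "Mail-W/West/Renovations", ORG_RENOVATIONS))
```

Issuing the cross-certificate at the organizational unit level is what keeps Mail-W/West/Renovations out of scope. The same pair of certificates issued at the organization level would cover every server.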
To send signed S/MIME messages
Alan Jones has an Internet certificate issued from the Renovations CA, and Dave Lawson has an Internet certificate issued from the ABC CA. If Alan wants to send Dave an encrypted S/MIME message and Dave wants to send Alan an encrypted S/MIME message:
- Alan has a trusted cross-certificate for ABC and stores it in his Contacts.
- Dave has a trusted cross-certificate for Renovations and stores it in his Contacts.
Both Dave and Alan can now also send encrypted S/MIME messages to each other.