How users can obtain trusted certificates manually
A copy of the CA's certificate is called a trusted root certificate. After obtaining the trusted root certificate and -- if you are using a Notes® client -- an Internet cross-certificate for that root, the client trusts the CA and, by extension, any certificate issued by this CA. If you are setting up server authentication for an Internet client, you add this trusted root to a local file. If you are setting up server authentication for a Notes client, you add this trusted root to a Domino® Directory that users can access to generate a cross-certificate in their Contacts.

About this task

Notes clients can also obtain a trusted root certificate and cross-certificate to gain access to the server; however, adding the trusted root certificate to the Domino Directory simplifies the process of setting up server authentication for users.

Best practice is to push trusted certificates to Notes clients' Contacts rather than having users take steps to obtain trusted certificates themselves.

Note: A user can accept certificates automatically, without having to obtain the roots or cross-certificates, by enabling the option Accept site certificates in the Location document for the Notes client. However, accepting certificates from unknown servers is a security risk. If a user doesn't know the sources of the certificates being accepted, it is possible to accept certificates from malicious sources.

To obtain a trusted root certificate for a Notes client

Procedure

1. Make sure that you have a trusted root certificate for the CA. In the Domino Administrator, select Configuration -> Certificates -> Certificates, and view the certificate in the Internet Certifiers category.

2. Instruct clients to retrieve an Internet cross-certificate through the User Security dialog box.

To obtain a trusted root certificate for an Internet client

About this task

You can obtain a trusted root certificate for an Internet client. If the trusted root certificate is for a Domino CA, the Internet client performs these steps:

Procedure

1. Browse to the Domino Certificate Requests or Certificate Authority application.

2. Select Accept This Authority In Your Browser.

Results

Note: If you use an SSL connection to browse to the application, the server prompts you to accept the site certificate. Check the CA properties to make sure that the certificate that is presented is from a source you trust before accepting the certificate as a trusted root.

If the trusted root certificate is for a third-party CA, the Internet client follows the third-party CA's established procedure to merge the trusted root certificate for the CA. If both the client and server have certificates issued from the CA or already have a CA in common, then this step is not necessary.
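The trust relationship this topic describes (install one root and every server certificate that CA issues becomes acceptable; check the presented certificate's properties before installing the root) modeled as an added Go example. It is not part of the original documentation or of Domino: the CA name, host name and certificates are constructed for the example, and Go's crypto/x509 stands in for the Notes or browser trust store.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MakeCert issues a constructed certificate for cn: a self-signed root when isCA is set
// (parent and parentKey are then ignored), otherwise a server certificate signed by parent.
func MakeCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed: the root vouches for itself
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Fingerprint is the SHA-256 of the DER certificate: the property to compare with the
// value the CA operator published before accepting the root as trusted.
func Fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }

// TrustedByRoots reports whether a server certificate chains to an installed root for host.
// The pool starts empty on purpose, so platform roots are not consulted; with no roots
// installed every server is rejected as issued by an unknown CA.
func TrustedByRoots(leaf *x509.Certificate, roots []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}
```

Build a root with MakeCert("Example Domino CA", true, nil, nil), issue a server certificate from it, and compare TrustedByRoots with and without that root installed to see the "unknown CA" rejection the Notes client's Accept site certificates option would otherwise bypass.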

Related tasks
Pushing trusted certificates to Notes clients
Creating an Internet cross-certificate for a CA