About this task
Notes clients can also obtain a trusted root certificate and cross-certificate to gain access to the server; however, adding the trusted root certificate to the Domino Directory simplifies the process of setting up server authentication for users.
Best practice is to push trusted certificates to Notes clients' Contacts rather than having users take steps to obtain trusted certificates themselves.
Note: A user can accept certificates automatically, without having to obtain the roots or cross-certificates, by enabling the option Accept site certificates in the Location document for the Notes client. However, accepting certificates from unknown servers is a security risk. A user who doesn't know the source of a certificate being accepted may end up accepting a certificate from a malicious source.
To obtain a trusted root certificate for a Notes client
Procedure
1. Make sure that you have a trusted root certificate for the CA. In the Domino Administrator, select Configuration -> Certificates -> Certificates, and view the certificate in the Internet Certifiers category.
2. Instruct clients to retrieve an Internet cross-certificate through the User Security dialog box.
To obtain a trusted root certificate for an Internet client
If the trusted root certificate is for a Domino CA, the Internet client performs these steps:
1. Browse to the Domino Certificate Requests or Certificate Authority application.
2. Select Accept This Authority In Your Browser.
Results
Note: If you use an SSL connection to browse to the application, the server prompts you to accept the site certificate. Check the CA properties to make sure that the certificate that is presented is from a source you trust before accepting the certificate as a trusted root.
If the trusted root certificate is for a third-party CA, the Internet client follows the third-party CA's established procedure to merge the trusted root certificate for the CA. If both the client and server have certificates issued from the CA or already have a CA in common, then this step is not necessary.
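One way to check a CA certificate's properties before accepting it as a trusted root, shown as an added example that is not part of the product documentation. It assumes the certificate has been saved as a PEM file, that the OpenSSL command line is available, and that the CA has published its SHA-256 fingerprint through a separate trusted channel; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not HCL code): vet a CA certificate saved as PEM before
# accepting it as a trusted root. Function names here are hypothetical.

# Reduce a fingerprint to bare upper-case hex (drops colons and spaces).
norm_fp() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# SHA-256 fingerprint of the certificate in file $1.
cert_fp() {
    norm_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)"
}

# check_root_cert <cert.pem> <fingerprint the CA published out of band>
# Returns 0 only if every property check passes.
check_root_cert() {
    cert=$1
    expected=$2
    openssl x509 -in "$cert" -noout 2>/dev/null ||
        { echo "REJECT: not an X.509 certificate"; return 1; }
    # A root certificate is self-issued: subject and issuer are identical.
    subj=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$cert" -noout -issuer | sed 's/^issuer= *//')
    [ "$subj" = "$issuer" ] ||
        { echo "REJECT: issued by '$issuer', not a root"; return 1; }
    # It must be marked as a CA in Basic Constraints.
    openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE' ||
        { echo "REJECT: Basic Constraints is not CA:TRUE"; return 1; }
    # It must not have expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "REJECT: certificate has expired"; return 1; }
    # The fingerprint must equal the value obtained from the CA itself.
    [ "$(cert_fp "$cert")" = "$(norm_fp "$expected")" ] ||
        { echo "REJECT: fingerprint mismatch"; return 1; }
    echo "OK: $subj"
}

# Constructed sample input: a throwaway self-signed root written to $1.
make_sample_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Sample Root" -keyout "$1.key" -out "$1" 2>/dev/null
}

if [ "$#" -eq 2 ]; then check_root_cert "$1" "$2"; fi
```

A fingerprint shown on the same connection that delivered the certificate proves nothing; the comparison is only meaningful against a value the CA provided through a different channel.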