Certifier requirements in a hybrid environment

It is important to understand the following certifier requirements when planning a hybrid environment.

  • The OU certifier you provide for your service mail servers must be under the same organization certifier as the passthru servers, directory synchronization servers, and primary mail hub servers. It can be at any level below the organization certifier. This OU certifier must be unique and used only for the service mail servers; the OU certifier cannot be used on-premises.
  • The OU certifier ID can have just one password.
  • It is important that you choose and create your service mail server OU certifier carefully. After you upload the OU certifier ID to the service, you cannot change to an ID with a different certifier name.
  • The certifier used for service users must trust the service mail server OU certifier, and vice versa. If any users are certified under a different organization than the OU certifier, you must create the required cross-certificates to establish trust. The cross-certificates must be replicated to the directory synchronization servers.
  • The organization (O) certifier can have just one password. When you later use the SmartCloud Notes Administration interface to provide the OU certifier file and to configure Passthru servers, you're prompted for the O certifier password and you can provide one password only. If your current O certifier ID has multiple passwords, remove all but one. For information on doing so, see the topic Assigning multiple passwords to server and server IDs.
  • The organization (O) certifier name must be at least three characters long. The O certifier must be unique to a company; two companies in the service cannot use the same O certifier name because of the multi-tenant messaging architecture of a cloud environment. The use of a generic O certifier name is discouraged.
  • The names of the on-premises passthru servers, directory synchronization servers, and primary mail hub servers must all be under one organization certifier. Cross-certificates cannot be used to establish trust between these servers. It is acceptable to name these servers under organizational units (OUs) below the organization certifier.
  • Though the passthru servers must be under the same organization certifier as the directory synchronization and primary mail hub servers, they should be in a separate Domino® domain from those servers. You may be accustomed to using the same name for a Domino domain and an organization certifier, but there is no relationship between the two names. So it is acceptable to certify the passthru servers under your main corporate certifier (often the name of your company) but name the domain of the passthru servers something else.

For example, the company Renovations initially has one top-level organization certifier, /Renovations. They create the on-premises passthru servers, directory synchronization servers, and mail hub servers under this certifier: Passthru/Renovations, Dirhub/Renovations, Mailhub/Renovations. The passthru servers are in a unique Domino domain.

They also create the OU certifier /SCN/Renovations to use as their service mail server certifier. This OU certifier is under the same organization certifier as the passthru, directory synchronization, and mail hub servers, as required.

The company then purchases a second company that uses a different top-level organization certifier, /Acme. They create cross-certificates to establish trust between the two certifiers.
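
The naming rules above can be checked against a planned deployment before the OU certifier ID is uploaded, since the certifier name cannot be changed afterward. The following Python check is an added example, not product tooling or code from the original page; the function names, the sample user names, and the assumption that names carry no country (C) component are assumptions of this example.

```python
def components(name):
    """Split an abbreviated hierarchical name such as "Dirhub/Renovations".

    Assumption: no country (C) component, so the last part is the organization.
    """
    return [p.strip().lower() for p in name.strip("/").split("/") if p.strip()]


def is_under(name, certifier):
    """True when `name` was certified by `certifier` or by an OU below it."""
    n, c = components(name), components(certifier)
    return len(n) > len(c) and n[-len(c):] == c


def check_plan(org, service_ou, onprem_servers, users, cross_certified_orgs=()):
    """Return a list of rule violations for a planned hybrid deployment."""
    findings = []
    org_parts = components(org)
    if len(org_parts) != 1 or len(org_parts[0]) < 3:
        findings.append(f"{org}: O certifier name must be at least three characters")
    if not is_under(service_ou, org):
        findings.append(f"{service_ou}: service OU certifier is not below {org}")
    for server in onprem_servers:
        if not is_under(server, org):
            # Cross-certificates cannot establish trust between these servers.
            findings.append(f"{server}: on-premises server is not under {org}")
        elif is_under(server, service_ou):
            findings.append(f"{server}: {service_ou} is reserved for service mail servers")
    trusted = {o.strip("/").lower() for o in cross_certified_orgs}
    service_org = components(service_ou)[-1]
    for user in users:
        user_org = components(user)[-1]
        if user_org != service_org and user_org not in trusted:
            findings.append(f"{user}: cross-certificate with {service_ou} required")
    return findings


# Constructed sample input modelled on the Renovations example; user names are made up.
ONPREM = ["Passthru/Renovations", "Dirhub/Renovations", "Mailhub/Renovations"]
USERS = ["Ann Lee/Renovations", "Bob Roy/Acme"]

if __name__ == "__main__":
    for finding in check_plan("/Renovations", "/SCN/Renovations", ONPREM, USERS):
        print(finding)
```

Run as written, it reports only the /Acme user, which matches the point in the example where the cross-certificates are still to be created.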

For more information on certifiers and cross-certificates, see the Domino documentation.