IBM Support

How to renew Domino Id vault trust certificates?

Question/Answer


Question

IBM Domino server ID Vault trust certificate expires every 10 years by default, it would be  then necessary to renew the vault trust certificates to carry out all the ID Vault administration tasks. How can this be accomplished?

Cause

IBM Domino ID Vault trust certificates expire every 10 years by default from the date of vault creation or vault trust certificate renewal date. 
Once the vault trust certificate is expired, the password reset authority will not be able to download any Id from the vault nor be able to do a password reset.

You would receive the errors  " Server error: the Address Book does not contain a cross certificate capable of validating the public key" & "This is not a valid ID or the ID has been corrupted" respectively.

In a cross certified domino environment we do see below error in log.nsf:
" Invalid Vault Trust certificate chain from '/Acme' to '/Acme_IdVault': The Address Book does not contain a cross certificate capable of validating the public key."

" Missing or invalid Vault Trust certificate from 'Domino User/Acme' to '/Acme_IdVault': The Address Book does not contain a cross certificate capable of validating the public key."

Here "/Acme" is the certifier which has trusted the Id Vault & "/Acme_IdVault"is the Id Vault name.
 

Answer

1. Open domino directory(names.nsf) on the administration server or the primary vault  server on which the ID Vault database  is hosted  from Domino Administrator Client .

2. Please check certificate expiration date for the ID Vault trust certificate & password reset certificates. If both shows as expired, then follow the below steps else choose the one which is expired.

3. Go to Configuration->Security->Certificates-> In this view you will find the "Vault Trust Certificate" & the "Password Reset Certificates".

image

4. Copy those two documents and back it up (May be you can create a new blank copy of the names.nsf and paste the two documents for back up purpose)

5. Proceed to delete those 2 certificates by hitting "delete" key followed by "F9" & "Enter" key.

6. Go back to the View  Configuration->Security->ID Vaults-> From the right hand side  panel please click on the "Manage" button to run the ID Vault Wizard.

image

7. Click next and select "Add or remove organizations that trust the certificate" & "Add or remove password reset authorities" and  again click  on next.

image

8. Add the Trusted Vault Organization(Certifier) with which it was trusted earlier:

image

9. Proceed to add the "Password Reset Authority" Id's to it.

image

10. Below window will pop up and you need to proceed by hitting the "Configure" Button.

image

11. Configuration process  will ask you to select the certifier id which is used to trust the vault. You have to select  the certifier and provide the password.

image

12. Post giving the certifier password the Vault wizard configuration will complete with a display message as below:

image

13. Go back  to the names.nsf and look at the Configuration->Security->Certificates . You will see the newly  created cross certificate entries,  which were removed in the first step. Those new certificate entries will have a new expiration date  set for next 10 Years.

image

Notes:
- Ensure to check what is your Vault trust certifier and you have the corresponding certifier Id & password available to execute the mentioned action.
- Ensure to list out the current Password Reset Authorities , since the  renewal process  will ask you to to re-add them again.


Document information

More support for: IBM Domino

Component: Domino Server

Software version: All Versions

Operating system(s): AIX, IBM i, Linux, Windows

Reference #: 0878126

Modified date: 27 March 2019