IBM Support

Creating new certificates for a Notes ID vault

Flashes (Alerts)


Abstract

Vault trust certificates and password reset certificates that are required for a Notes ID vault expire after 10 years. You can check if these certificates are due to expire and create new ones if they are.

Content

Creating a new Vault Trust Certificate

A Vault Trust Certificate expires after 10 years. When a Vault Trust Certificate expires, attempts to upload IDs to or download IDs from the vault fail with the error: Not a valid ID or the ID is corrupted. Notes users can still log on to a server if they have local ID files, so the failure is typically first noticed when a user needs to recover an ID from the vault or a new user is registered.

Important: Before you continue, make sure you have access to the cert.id file and password for the organization certifier that was used to generate the Vault Trust Certificate; it is needed again to issue the replacement.

I Determine the Vault Trust Certificate expiration date

If you created your ID vault when the feature was first introduced in Domino 8.5, the associated Vault Trust Certificate may be due to expire. To see if the certificate is due to expire:

  1. From the Domino Administrator, connect to the administration server for your Domino directory.
  2. From the Configuration tab, select Security > Certificates > Certificates.
  3. Expand Vault Trust Certificates.
  4. Expand the Organization.
  5. Open the Vault Trust Certificate and click Examine Notes Certificate(s).
  6. Select either certificate listed and look at the Expires value. If the date is in the past or within your renewal window, continue with the steps below.

II Back up and remove the Vault Trust Certificate

If the Vault Trust Certificate is due to expire, back it up and then remove it as follows:
  1. From the Domino Administrator, connect to the administration server for your Domino directory.
  2. From the Configuration tab, select Security > Certificates > Certificates.
  3. Expand Vault Trust Certificates.
  4. Select the Vault Trust Certificate that is expiring. Copy and paste it into a dummy Domino directory database to make a backup.
  5. Select Security > ID Vaults.
  6. Select the ID Vault document.
  7. Select Tools > ID Vaults - Manage to open the Manage Notes ID vault tool.
  8. Click Next.
  9. Select the task Add or remove organizations that trust the vault and click Next.
  10. Click Add or Remove.
  11. In the Organizations that trust the ID vault box, select the organization, and click Remove.
  12. Click OK. The organization is no longer listed in the Organizations box. Click Next.
  13. At the prompt Vault trust certificates will be removed from the following organizations, click Configure.
  14. Click Done.


III Create a new Vault Trust Certificate

After you remove the Vault Trust Certificate, create a new one as follows:

  1. From the Domino Administrator, connect to the administration server for your Domino directory.
  2. From the Configuration tab, select Security > ID Vaults.
  3. Select the ID Vault document.
  4. Select Tools > ID Vaults - Manage to open the Manage Notes ID vault tool.
  5. Click Next.
  6. Select the task Add or remove organizations that trust the vault and click Next.
  7. Click Add or Remove.
  8. In the Available Organizations box, select the organization to issue the Vault Trust Certificate, click Add and click OK.
  9. The organization is listed in the Organizations box. Click Next.
  10. At the prompt Vault trust certificates will be added to the following organizations, click Configure.
  11. Select the cert.id file for the organization and provide the password.
  12. Click Done.

Creating a new Password Reset Certificate

A Password Reset Certificate expires after 10 years. When a user with password reset authority tries to reset a password after their Password Reset Certificate has expired, the following error is shown: Server error: the Address Book does not contain a cross certificate capable of validating the public key.

Important: Before you continue, make sure you have access to the cert.id file and password for the organization certifier that was used to generate the Password Reset Certificate; it is needed again to issue the replacement.

I Determine the Password Reset Certificate expiration date

If you created your ID vault when the feature was first introduced in Domino 8.5, the associated Password Reset Certificates may be due to expire. To see if a certificate is due to expire:

  1. From the Domino Administrator, connect to the administration server for your Domino directory.
  2. From the Configuration tab, select Security > Certificates > Certificates.
  3. Expand Password Reset Certificates.
  4. Open a Password Reset Certificate and click Examine Notes Certificate(s).
  5. Select either certificate listed and look at the Expires value. Repeat for each Password Reset Certificate, since each password reset authority holds its own certificate.

II Back up and remove a Password Reset Certificate

If a Password Reset Certificate is due to expire, back it up and then remove it as follows:

  1. From the Domino Administrator, connect to the administration server for your Domino directory.
  2. From the Configuration tab, select Security > Certificates > Certificates.
  3. Expand Password Reset Certificates.
  4. Select the Password Reset Certificate that is expiring. Copy and paste it into a dummy Domino directory database to make a backup.
  5. Select Security > ID Vaults.
  6. Select the ID Vault document.
  7. Select Tools > ID Vaults - Manage to open the Manage Notes ID vault tool.
  8. Click Next.
  9. Select Add or remove password reset authorities and click Next.
  10. In the Password reset authority by organization box, select the name to which the expiring certificate was issued and click Remove.
  11. Click Next.
  12. At the prompt The following password reset authorities will be removed, click Configure.
  13. Click Done.

III Create a new Password Reset Certificate

After you remove a Password Reset Certificate, create a new one as follows:

  1. From the Domino Administrator, connect to the administration server for your Domino directory.
  2. From the Configuration tab, select Security > ID Vaults.
  3. Select the ID Vault document.
  4. Select Tools > ID Vaults - Manage to open the Manage Notes ID vault tool.
  5. Click Next.
  6. Select Add or remove password reset authorities and click Next.
  7. In the Available users, groups and servers box, select the name or names in the directory to which new certificates should be issued.
  8. Click Add. The names are added under the organization that certifies them in the Password reset authority by organization box.
  9. Click Next.
  10. At the prompt The following password reset authorities will be added, click Configure.
  11. Select the cert.id file for the organization to issue the certificate and provide the password.
  12. Click Done.

Document information

More support for: IBM Domino

Software version: 8.5, 9.0, 9.0.1, 10.0, 10.0.1

Operating system(s): Platform Independent

Reference #: 0878496

Modified date: 27 March 2019