Domino/Notes Version: 6.5.3
Add-on Product (if appropriate, e.g. Verse / Traveler / Nomad / Domino REST API):
Its Version:
Operating System: Windows server
Client (Notes, Nomad Web, Nomad Mobile, Android/iOS, browser version): Notes
Problem/Query:
Domino 6.5.3 …
Root cert.id expiring soon. After re-certifying cert.id, do all other (certifier/user) IDs need to be recertified as well?
If so, after this cert.id re-certification, can users still log on to the Lotus Notes client and access application DBs with their 'old' ID for a certain period until their user ID is re-certified?
Ideally, it is not required to recertify all user IDs or server IDs. The new root certificate expiration date is carried into user IDs/server IDs/OU IDs upon the next authentication. Sometimes it is required to restart the server to get the new expiration date into the server IDs.
I strongly recommend upgrading your server, as version 6.5.3 is a very old one.
thanks for your info Niraj!
When you state "Ideally", what do you mean exactly? What are the 'ideal' conditions, and when would it be required anyway to recertify the other IDs?
Regarding your concern,
For Notes users: ideally, when the user accesses the Domino server from the Notes client, the new expiration date of the certifier ID should be updated in the user's Notes ID file. However, the user's Notes ID may sometimes fail to update with the new expiration date due to one of the following reasons:
• Public key mismatch
• Key strength mismatch
Please see the following HCL Support article for the possible reasons why the certifier ID expiration date does not update in a Notes user ID or server ID file.
In this scenario, you will have to manually recertify the user's Notes ID file using the procedure given in the HCL Support link below.
Please refer to the following HCL Support link for the procedure for recertifying a user ID.
I hope the above information helps answer your concern.
Thanks for all the info so far; I must say, great support on this forum!
I still have a few questions/remarks after reading the provided links:
1/
"When you recertify a top-level certifier with an about-to-expire certificate, you need to do the following before the certificate reaches its expiration date:
Recertify and restart each server that has its certificate chain under that top-level organization in order to pull the recertified top-level certificate from the directory into its local server ID file.
Recertify each OU certifier under the top-level certifier so that the certificate chain in its ID file is updated with the newly recertified top-level certifier certificate from the directory."
Ideally, though, you said this is not the case, and OU certifier IDs and server IDs do NOT need to be recertified, right?
2/ We have 2 servers (1 'mail' server and 1 'application' server): on which one should I do the re-certification procedure?
How do I know which one is the "administration server of the domain"? Or does it not really matter?
Check your names.nsf → ACL → Advanced tab to find the administration server for your Domino Directory. You can extend the root certificate expiration date on that server. Generally, the first server of the domain is the administration server.
Take a backup of the root certifier ID file before performing this activity.
Once the root certificate is extended, there is no need to recertify users/servers. As I mentioned before, upon the next authentication, the new expiration date of the root certificate will be updated in the respective ID files. For servers, it gets updated after a restart.
Hope this helps.
Please also act on the earlier recommendation to upgrade the server to a supported release, to get the benefits of new features.
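The answer above says to read the administration server from the ACL → Advanced tab of names.nsf. The same check can be scripted so that it is run against the Domino Directory replica on each server and the results compared, which also surfaces the case where the replicas disagree or no administration server is set at all. The LotusScript agent below is an added example for this thread, not code from the original posts or from HCL; the server names "Mail01/ACME" and "App01/ACME" are placeholders for the two servers in the question and must be replaced with your own.

```lotusscript
' Added example (not from the original thread): report the administration
' server of names.nsf as seen from each server's replica.
' Run as a scheduled or manually triggered agent from the Notes client.
Option Declare

Sub Initialize
	Dim session As New NotesSession
	Dim servers(1) As String
	' Placeholder server names; replace with the mail and application server
	servers(0) = "Mail01/ACME"
	servers(1) = "App01/ACME"

	Dim i As Integer
	Dim db As NotesDatabase
	Dim acl As NotesACL
	Dim adminServer As String
	Dim firstAdmin As String
	firstAdmin = ""

	For i = 0 To UBound(servers)
		' GetDatabase with createonfail=False returns Nothing or an
		' unopened database when names.nsf cannot be reached
		Set db = session.GetDatabase(servers(i), "names.nsf", False)
		If db Is Nothing Then
			Print "Cannot open names.nsf on " & servers(i)
		ElseIf Not db.IsOpen Then
			Print "Cannot open names.nsf on " & servers(i)
		Else
			Set acl = db.ACL
			adminServer = acl.AdministrationServer
			If adminServer = "" Then
				Print servers(i) & ": no administration server set in the ACL"
			Else
				Print servers(i) & ": administration server is " & adminServer
			End If
			' Replicas of the Domino Directory should agree on this value
			If firstAdmin = "" Then
				firstAdmin = adminServer
			ElseIf adminServer <> firstAdmin Then
				Print "Warning: " & servers(i) & " disagrees with the first replica (" & firstAdmin & ")"
			End If
		End If
	Next
End Sub
```

The agent only reads the ACL; it does not change the administration server. Run it under an ID that has at least Reader access to names.nsf on both servers, and do the recertification on the server it reports, after taking the certifier ID backup mentioned above.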
Hello,
Meanwhile, we have recertified the cert.id. The user ID files didn't get updated automatically, however, so we recertified all individual users, and after that, when the users logged into Lotus Notes again, their ID files were updated.
So I think we still have to recertify the server IDs in a similar way, I assume (using the original certifier ID)?
How can we examine the current server IDs' certificates to check whether this is indeed necessary, or whether they were automatically updated? Is there a server command for this?
We've also started a project to upgrade the servers or replace Lotus Notes; this is in review.