Domino/Notes Version: 12.0.2
Add-on Product (if appropriate, e.g. Verse / Traveler / Nomad / Domino REST API):
Its Version:
Operating System: Windows Server 2019
Client (Notes, Nomad Web, Nomad Mobile, Android/iOS, browser version): 12.0.2
Problem/Query: I’ve completed the Certificate Authority key rollover as explained here: (Certificate authority key rollover)
Unfortunately, I completed the process by rolling over all cross-certificates (Rolling over cross-certificates), including trust for ID-Vault.
The result is that my user (which I haven’t completed rolling over) now can’t access the ID-Vault. In the log I see this:
13.05.2025 13:55:06 Could not locate certificate for ‘/######’: The signature on the certificate was found to be invalid. Check the log file for details.
13.05.2025 13:55:06 ID ‘C:\Program Files (x86)\HCL\Notes\Data\user.id’ failed to synchronize with vault ‘O=KP_Boks’ on server ‘CN=#####/O=##########’. ‘Jesper Pedersen/##########’ made request. Error: Invalid Vault Trust certificate chain. Check the log file for details.
How do I solve this?
Can I somehow roll back the “rollover” of cross-certificates?
Regards
Jesper Pedersen
After completing key rollover, it is not possible to roll back unless you restore from backups.
Also, restoring from backups would result in issues for other users.
As you have initiated key rollover in an IDvault-enabled environment, please examine the certificates on the person document to confirm whether the rollover for the user is executed on the server and IDvault.
If the key-rollover is completed for the problematic user, then please check if you are able to extract the problematic user from the IDvault or not.
If you are able to extract the user ID, please configure the extracted user ID in the user’s Notes client.
Hi again,
The issue is solved by restoring the cross-certificate document from a backup of Names.nsf.
Users are now able to synchronize ID-files with our ID-vault.
/Jesper
Hello,
Sorry for the late reply.
I am happy to hear that the issue was resolved by restoring the cross-certificates from backup.
Please note that the key roll-over is a very critical activity and needs to be performed with the utmost care, after taking a backup of all the server data such as names.nsf, admin4.nsf, IDvault, certlog.nsf, etc.
In case any issue occurs and you want to roll back, you may need any of the above-mentioned DBs, or all of them.