Expired certificate error keeps popping up

Hello everyone,

Since yesterday we have been having an issue with one of our users' clients. The error is the following: "error server: the user's certification has expired".

The error keeps popping up even though the certificate of that user wasn't expired (we recertified it anyway). We followed this guide https://help.hcl-software.com/notes/9.0.1/sec_cert_renew_t.html with no success, and we even tried to configure the client again, but the issue remains.

We even tried to install the client on another host with no success.

Any clues as to what the issue could be?

Hi @Francesco, if you have already recertified the user ID, then try to copy the certified public key from the Notes ID file.

How to copy the certified public key from a Notes ID file:
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0037100

Also, see this article:

How to manually recertify an expired ID:

https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0037128

If you have the ID vault configured, then the public key of the user's ID in the ID vault may be different from the public key in the user's Person document in the Domino Directory. For this reason, even though the user's Person document was recertified and had valid Notes certificates, the public key in the ID file had not inherited the renewed certificates because of this key mismatch.

You can then take the actions below to resolve this issue:
1) Extract the user's ID file from the vault.
2) Go to the Domino Directory from the Admin client => Configuration tab.
3) Then go to Certification -> ID Properties -> Switch to the extracted user's ID file.
4) Verify that the ID is expired.
5) Manually recertify the ID using -> Certify -> choosing the Cert ID and then this extracted ID, to have the public key certificate renewed.
6) Now, to update the Person document with this new public key and eradicate the mismatch, do the steps below again.
7) Go to Certification -> ID Properties -> Switch to this extracted user's ID file -> Your Identity -> More Actions -> Copy the certificates.
8) Then just paste the public key into Notepad. Open the Person document, go to the Certificates tab, remove the older public key, paste in the new one obtained from the extracted user's ID file, and recertify it.
9) The Person document is now updated; this will automatically update the ID in the vault and also the expired ID on the user's system.

Hey, I have some updates about the issue.

We did some troubleshooting with support and found out that the user.id is expired:

While the Notes certificates say that it is not expired:

What is the difference, or why does the user.id have another expiration date? When I certified the user, why didn't the user.id get the update automatically too?

Thanks for your help

Hi @Francesco

When you renew a user's certificate and the Person document already has a renewed expiration date, the moment the user connects to the server, the user.id file on the machine is updated with this information.

If this is not happening, there is a problem with the configuration of the Notes client that needs to be investigated and fixed. There might be some corruption in the local names.nsf that is causing this behavior, and by reconfiguring/reinstalling the program the issue can be resolved.

Have you already tried reconfiguring or reinstalling that user's Notes client?

Best Regards
Wiliam Dias

@Francesco How odd that the person record says that the original key was created 26/06/2020, and the user.id says it was activated 09/03/2020.

That suggests to me there has been an administrative mishap, like the same person being certified twice because an administrator did not notice the ID was already present and recreated the person record, thereby overwriting the public key in the person record with a new one. The user does not notice this because he already has a signed and valid certificate. You would notice it immediately if public key checking is turned on for the Domino server, which is recommended for better security.

You want to avoid this because the public key is used for encryption, so overwriting a public key instead of recertifying can cause a user to lose data.

I think (it was quite a while ago, so back up the ID and person record before trying!) that I solved this by copying the public key out of the old ID file:

Open the ID file with Domino Administrator by going to the Configuration tab, expanding the Tools section, and using "ID Properties...". Then go to "Your Identity", "Your Certificates". Click "Other Actions..." and choose "Mail, Copy Certificate (Public Key)...", click "Copy Certificate" in the dialog box and close it. Close the dialog without saving any changes.

Edit the person document (you have made a backup copy, right?), go to the Certificates tab, and paste in the public key you just copied from the ID file.

Now recertify the Person again, this time from the original public key from 09/03/2020. If that has succeeded, the user should be able to get the new key automatically.

Note that you may need to do some fudging to get the new ID correctly into the ID Vault. Having the user restart the Notes client and use a database on the server should do the trick, but schedule a check in a week or so that the ID in the vault has actually updated; you may need to remove the faulty ID and let the vault pick up the new one.
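Both the ID-vault answer (key mismatch between the vault ID and the Person document) and the last reply (person record key created after the user.id was activated) come down to the same diagnostic: confirm which copy of the user's public key differs before overwriting anything in the Person document. The script below is an added example, not code from HCL or from anyone in this thread. It takes the key text obtained via "Copy Certificate (Public Key)" from the vault-extracted ID, the user's local ID, and the Certificates tab of the Person document, normalizes the pasted text, fingerprints each copy, and reports which sources disagree with the Person document; it also flags the date pattern from the last reply (person-record key created later than the ID activation date). The key blobs and dates are constructed placeholders; the real Notes key text format is not specified on this page, and the dd/mm/yyyy date format is assumed from the dates quoted in the thread.

```python
"""Compare copies of a Notes user's public key before touching the Person document.

Added example; all sample values are constructed and are NOT real Notes keys.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample key text in the shape of a multi-line pasted blob.
# Real values come from "Copy Certificate (Public Key)" (ID Properties) and
# from the Certificates tab of the Person document.
PERSON_DOC_KEY = """1FD3 3A7C 9B2E 0041 C5D8
E1A2 77B3 0F19 64C0 2E8D
"""
VAULT_ID_KEY = """1fd3 3a7c 9b2e 0041 c5d8
e1a2 77b3 0f19 64c0 2e8d"""
LOCAL_ID_KEY = """B0C4 11E9 55A6 8D20 3F71
A904 6EC3 1B0D 27F8 9C55
"""

# Constructed dates, in the dd/mm/yyyy form the thread quotes (assumption).
PERSON_DOC_KEY_CREATED = "26/06/2020"
LOCAL_ID_ACTIVATED = "09/03/2020"


def normalize_key(blob: str) -> str:
    """Drop whitespace/line breaks and case so the same key pasted through
    Notepad, a Person document field, or e-mail compares equal."""
    return re.sub(r"\s+", "", blob).upper()


def fingerprint(blob: str) -> str:
    """Short SHA-256 fingerprint of the normalized key, safe to paste into a ticket."""
    return hashlib.sha256(normalize_key(blob).encode("ascii")).hexdigest()[:16]


@dataclass
class KeyCheck:
    source: str
    fingerprint: str
    matches_person_doc: bool


def compare_keys(person_doc: str, **copies: str) -> list[KeyCheck]:
    """Check every supplied copy (vault ID, local ID, ...) against the Person document key."""
    ref = normalize_key(person_doc)
    return [
        KeyCheck(source=name, fingerprint=fingerprint(blob),
                 matches_person_doc=(normalize_key(blob) == ref))
        for name, blob in copies.items()
    ]


def mismatched_sources(person_doc: str, **copies: str) -> list[str]:
    """Names of the copies whose key does not match the Person document."""
    return [c.source for c in compare_keys(person_doc, **copies) if not c.matches_person_doc]


def person_key_newer_than_id(person_key_created: str, id_activated: str) -> bool:
    """True when the Person document's key was created after the ID was activated,
    the pattern the last reply attributes to a re-registration that overwrote the key."""
    fmt = "%d/%m/%Y"  # assumed from the dates quoted in the thread
    return datetime.strptime(person_key_created, fmt) > datetime.strptime(id_activated, fmt)


if __name__ == "__main__":
    for check in compare_keys(PERSON_DOC_KEY, vault=VAULT_ID_KEY, local=LOCAL_ID_KEY):
        status = "OK" if check.matches_person_doc else "MISMATCH"
        print(f"{check.source:6} {check.fingerprint}  {status}")
    if person_key_newer_than_id(PERSON_DOC_KEY_CREATED, LOCAL_ID_ACTIVATED):
        print("Person document key is newer than the ID: suspect the key was overwritten,"
              " back up the ID and Person document before recertifying.")
```

Run it with the three pasted keys substituted for the placeholders; a source listed as MISMATCH is the copy that did not inherit the renewed certificate, and the fingerprints give you something to record before and after the manual recertify so the change is auditable.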