Issuing Digital IDs for S/MIME

My request is not for information on "How do you do it?" but rather "How are you doing it?"

Managed PKI from VeriSign? Or Thawte? Most cost efficient?

Do you use your own CA that Domino provides? If so, how do external contacts react?

Any real-life stories of the pros and cons, and how you would do it differently if you had to start over?

Thank you in advance for any input provided!

With warm regards,

Michael

Subject: Issuing Digital IDs for S/MIME

I have done this at a few clients, and I have spoken on the topic at conferences. The overwhelming majority of rollouts are using individual certificates from VeriSign. Yes, I hate dealing with them. Yes, it is a pain if someone moves/changes names/etc. But it is only $15/year/person. You can make backups of their certificates and IDs with certificates installed, so recovery isn't a problem. After that, it is simply swapping public keys with your partners.

Let me know if you need more information.

Mike

Subject: RE: Issuing Digital IDs for S/MIME

I agree with you that there is a benefit to using these VeriSign certs, but if you are thinking of a rollout of 1000 certs I do have a problem with managing this through VeriSign. Let's say the whole thing is not really a win-win situation :wink:

regards

tw

Subject: Issuing Personal Digital IDs for S/MIME - Verisign, GlobalSign and R6

Hi

I had set up several of my customers to use VeriSign Digital IDs for S/MIME. At the time of the setup we were on R5. These certificates are now expired and we have purchased new certificates.

In the meantime we have moved to Notes 6 and the set of instructions used in the past does not work. This is the response received from VeriSign Technical Support. They provide email support only, no telephone support.

"Sorry for the inconvenience.

Unfortunately, we have not tested our Class 1 Digital IDs sending encrypted messages using Lotus Notes 6. The only information that Lotus has provided is for Lotus Notes R5. I would like to do some testing with you to see if the configurations are compatible."

We encounter the error when trying to import the Internet certificate [pcert.p7c] into the Notes ID. The error message is "Cannot add certificate from the import file".

Because of the problems with VeriSign and the response from their Tech Support, I tried using GlobalSign digital certificates. Unfortunately I ran into a similar issue.

Their Tech Support has also advised us:

"Hello,

Thanks for your interest in our products & services…

To answer your question… Unfortunately the requested certificate does not work with Notes Version 6.

Information on these certificates is to be found on our website or the repository.

For any further technical question, feel free to contact our support team at support@globalsign.net or 0903/99 159 (only for Belgium)"

Back to square one.

RM

Update:

Finally figured out how to get around all the issues with setting this up.

Subject: RE: Issuing Personal Digital IDs for S/MIME - Verisign, GlobalSign and R6

I've just been looking at what's involved if we want to switch to HTTPS. Here's a quote from the R6 admin help:

“Domino includes several trusted root certificates by default when you create a server key ring file. You do not need to merge a third-party CA’s certificate as a trusted root if it exists in the key ring file by default.”

The external authority we would want to use (because it's available to us through agreement with a UK national academic organisation) is GlobalSign, which is not one of the CAs in Domino by default. The defaults are mostly VeriSign, which seems to cater for all the browsers on my machine at least.

When I looked into this some time ago when we ran R5, GlobalSign told me that their certificates couldn't be used with Domino.

Anyone got a success story with a third-party CA? When is it worth using one?

Subject: RE: Issuing Personal Digital IDs for S/MIME - Verisign, GlobalSign and R6

Hi Mark

If you are still interested in using GlobalSign certificates, I can send you details on how to set it up to work with Notes 6 (in spite of their sales folks' claims that it does not work). Let me know your email address and I will send you the details.

Thanks.

Robert Mendonca

Subject: Issuing Digital IDs for S/MIME

We are using the Notes CA, but are just playing a bit before we go live. The problem with VeriSign is, from my point of view, the CA handling if people move, leave, need to be renamed and so on.

In addition to that, the VeriSign CA wouldn't provide you with your common Notes OU structure, and if you buy a CA from VeriSign you end up in the same trust process as you are facing with the Notes CA.

I'm just not sure yet how to handle the verification. On one hand, LDAP for external requests seems to be nice, but in a world of spammers, who likes to publish their directory? :wink:

(BTW, any ideas are welcome on this point.)

Customers react differently so far: for some, trust is not an issue; some do not have rights to modify the trust settings, and it is an issue.

Just my 2 cents.

TW

Subject: Issuing Digital IDs for S/MIME and the FDA

We are attempting to establish a secure email connection to the US FDA, specifically CDER. The information provided by the FDA so far suggests using VeriSign Class 1 Digital IDs. However, I am wondering if it would be easier to create a Notes CA and send the FDA a certificate at that level to cross-certify, as opposed to a fistful of Class 1 certificates. Am I on the right track here, or have I grabbed the wrong end of the stick? If anyone has done this with the agency before, I'm all ears.

Thanks.

Subject: RE: Issuing Digital IDs for S/MIME and the FDA

Hi Michael,

Thanks for getting back to me.

The return certificate is for a server not an individual. I have figured out how to import it into my Domino Directory.

I’m trying to figure out if this is what’s happening, or is something else going on?

  1. We get Personal Class 1 Digital IDs from VeriSign.

  2. We attach these Personal IDs to our User ID file, by getting them from the User Security window.

  3. Someone from our organization (me) sends the FDA a test message to their cert-query@cder.fda.gov address.

  4. leew@cder.fda.gov returns the following message:

The user certificate for leew@cder.fda.gov is attached. The certificate provided is a server S/MIME certificate and therefore does not have any direct relationship with the user’s email address. The certificate provided is a server S/MIME “Proxy” certificate.

Certificate details:

Display Name: FDA/CDER Secure Server (proxy) LEEW@CDER.FDA.GOV

Certificate Fingerprint: Blah blah blah

Certificate Fingerprint: Blah blah blah

Certificate Issuer: secure-server@CDER.FDA.GOV

This certificate represents a secure server, not an individual.

FDA/CDER

FDA/CDER Secure Server

Certificate Serial Number: Blah blah blah

Attached file: smime.p7s.

  5. I detach the smime.p7s file, and import it into the Domino Directory as an Internet Certificate.

  6. So when we send a signed and encrypted Internet email, the VeriSign ID in our User ID is used to encode the message. When this message reaches the FDA, they use a VeriSign CA certificate to decode the message.

  7. When the FDA sends our company a message, it is encoded with the FDA/CDER Secure Server (proxy) LEEW@CDER.FDA.GOV proxy certificate, which we now have in our Domino Directory to decode the message.

Is this correct? Is this what is supposed to be going on? In my limited correspondence with the FDA they have indicated the following once I had tried to send them a signed email:

"I will set your profile up on the secure server at CDER and attach your certificate. I will then ask for a signed and encrypted message."

If they are going to set up a profile on their secure server, should I not just create a certificate from a Notes CA, and they can import that? Then I don't need to go to VeriSign for the Class 1 IDs?

Am I thinking clearly here, or am I misunderstanding something?

Thanks again for your time. Look forward to hearing your response,

Jason

“Michael Lazar”

05/07/2004 12:14 PM

To Jason Rickerby

cc

Subject Re: Secure Email to cder.fda.gov

Jason,

I haven't had to bounce anything off of CDER in a few years, but if memory serves me correctly, you send a message to their server, and it returns the certificate you requested in an email. You would then take that certificate and add it to the personal address book entry for that person, or put it in the Domino Directory entry for that CDER person. It should be the same as if I sent you a signed email, where you simply "Add me to your personal address book" and make sure the X.509 certificates are also included. If you are coming to Admin 2004, look me up. I might be able to help more in person.

Mike Lazar

-----jrickerby@inexpharm.com wrote: -----

To: Mike Lazar

From: Jason Rickerby

Date: 05/07/2004 12:24PM

Subject: Secure Email to cder.fda.gov

Hi there,

I noticed your posting on Lotus DeveloperDomain (notes.net) about using Notes to communicate securely with the FDA. We are now in the process of setting this up, but I have a question that I am having a difficult time getting answered. The FDA has provided a certificate for their proxy server, but I'm not sure what I'm supposed to do with it in Notes. I assume I should add it to Internet Certificates in my Domino Directory, but I can't figure out how to import the X.509 certificate.

Would you have any idea what's going on here, or know someone who could point me in the right direction?

Thanks,

Jason

PS. We're currently using Notes/Domino 6.5.1.