Understanding Certificate Expiration Management in HCL Notes

An Insight for Admins:
In HCL Notes environments, certificate-based authentication is essential for verifying user identities and securing communications with Domino servers.
However, there are instances where users see an error message claiming their Notes ID certificate has expired—even when the certificate has already been renewed on Domino.
This blog post breaks down how the Notes client verifies certificate validity, explores common reasons why expiration warnings might appear, and provides actionable solutions for administrators.

How Certificate Validation Works in the Notes Client
When a user logs in to the HCL Notes client, two main checks occur:

  1. Verifying the ID File Certificate
    The Notes client checks the expiration date of the certificates in the user’s ID file during startup. This verification happens only once a day, when the user logs in to the Notes client.
    The result of this check is stored in the “CertificateExpChecked” parameter in notes.ini, as shown below:
    CertificateExpChecked=ids\people\test_user1 05/14/2025

    • This entry logs the ID file path and the date of the ID file’s expiration check.
    • The Notes client performs this check only once per day.
    • If any certificate in the ID file is expired, the user sees a daily warning:
      “One or more certificates on your Notes ID file have expired. Contact your Domino administrator.”
  2. Updating the Certificate Table
    After the user logs in to the Notes client and connects to the Domino server, the client initiates the certificate table sync with the Domino Directory for that user. It updates the user’s ID file (if there are any changes in the certificate table) and the Notes client’s local certificate table cache.

    • The date of a successful certificate table cache sync is logged in the “RequestCertTableUpdate” parameter, as shown below:
      RequestCertTableUpdate=ids\people\test_user1 05/14/2025
    • This reflects the date of the last successful Certificate table sync with the server.

What Happens When a User Certificate Expires?

Scenario 1: Expired Certificate, User ID Not Recertified

  • The user sees a warning message about certificate expiration, and the server connection fails with:
    “Server error: Your certificate has expired.”
  • CertificateExpChecked updates, but RequestCertTableUpdate does not—because the client can’t connect using expired certificates to sync the certificate table with the Domino directory.

Scenario 2: ID File Recertified (Manually or via AdminP)

  • When the user’s ID is recertified using AdminP, the Notes client checks for expired certificates the first time the user logs in each day. If the certificate is expired, the user will see a warning message.
    If the user already logged in earlier that day (before the recertification) and the Notes client has already recorded the daily check (CertificateExpChecked in notes.ini), then the warning won’t appear again until the next day—even if the ID certificates were renewed later that day.
    The renewed certificate will still be applied the next time the user logs in and connects to the server that day.

  • If the ID file is recertified manually, the user documents on the server are also updated at that time with the renewed certificates’ expiration dates.

  • When the user logs in to the Notes client using the manually recertified ID file, the warning message is not displayed because the certificates in the ID file have valid expiration dates.
    In this case, both CertificateExpChecked and RequestCertTableUpdate are updated with the current date.

Problem: Certificate Expiry Message Appears Even Though the ID File Was Recertified After Expiry
Some users may encounter the expiration warning even after their ID file has been recertified, either manually or via AdminP.
The following steps help diagnose and resolve the issue by accounting for how the Notes client updates the certificate table and manages certificate data within the ID file.

Troubleshooting Steps

  1. Verify the ID File in Use
    Go to File → Security → User Security → Basics tab in the Notes client and verify the full path and name of the ID file currently in use.
    In some environments, you may find two ID files in the Notes data directory (e.g., user.id and another named after the user), depending on how the Notes client was initially configured. Ensure that the ID file currently in use is the one that has been recertified.
    If you log in to the Notes client using a different copy of the ID file than the one that was recertified, it is expected that you will see a certificate expiration warning once. This occurs because the ID file in use does not yet contain the updated certificate table at the time of login.

  2. Check Certificate Validity
    In the User Security window, navigate to Your Identity → Your Certificates and review all certificates in the ID file. Ensure that none of the certificates in the ID file are expired.

  3. Verify File Permissions
    Ensure the Windows user account running the Notes client has write access to both the notes.ini file and the user ID file. Insufficient permissions can prevent certificate table updates to the user ID file.

  4. Inspect Relevant notes.ini Parameters
    Check CertificateExpChecked and RequestCertTableUpdate in the notes.ini file to confirm the dates of the last certificate check and the last certificate table update.
    These values show when the Notes client last performed the certificate expiration check and when the local certificate table cache was last updated for the respective user ID file.
    If the “RequestCertTableUpdate” date is outdated, it may suggest that the client hasn’t connected to the Domino server recently or that the Notes client’s certificate table cache has not been updated.
    In this case, manually force the Notes client to initiate the certificate expiration check and the certificate table sync with the Domino Directory. This is especially useful after recertification of the cert ID or mass recertification of user IDs.

  • To force a certificate table update and expiration check:
    1. Delete CertificateExpChecked and RequestCertTableUpdate from notes.ini and save.
    2. Restart the Notes client and connect to the Domino server to trigger a certificate check and table sync.
    3. Verify both parameters are restored in notes.ini with the current date, confirming a successful sync.
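
The check in step 4 and the first step of the forced refresh, as an added example (not code from HCL or from the original post). It reads the two parameters from notes.ini text, reports when the table sync lags behind the expiration check or the entry belongs to a different ID file, and produces the notes.ini text with both parameters removed. The finding codes, the function names and the MM/DD/YYYY date format (taken from the sample values above) are assumptions.

```python
from datetime import date, datetime

PARAMS = ("CertificateExpChecked", "RequestCertTableUpdate")
CANON = {p.lower(): p for p in PARAMS}

# Constructed sample: the check ran on 05/14 but the last table sync was 05/02.
SAMPLE_INI = r"""[Notes]
Directory=C:\Notes\Data
CertificateExpChecked=ids\people\test_user1 05/14/2025
RequestCertTableUpdate=ids\people\test_user1 05/02/2025
"""

def read_cert_params(ini_text):
    """Return {parameter: (id_path, date)} for the two parameters, if present."""
    found = {}
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        name = CANON.get(key.strip().lower())
        if sep and name:
            # Layout shown on the page: "<ID file path> <date>"; split on last space.
            id_path, _, stamp = value.strip().rpartition(" ")
            # Assumption: MM/DD/YYYY as in the sample; raises ValueError otherwise.
            found[name] = (id_path, datetime.strptime(stamp, "%m/%d/%Y").date())
    return found

def diagnose(ini_text, id_in_use, today):
    """Return finding codes for one client's notes.ini."""
    p = read_cert_params(ini_text)
    findings = []
    for name in PARAMS:
        if name not in p:
            findings.append(f"{name}:missing")      # check/sync not yet recorded
        elif p[name][0].lower() != id_in_use.lower():
            findings.append(f"{name}:other-id")     # entry is for a different ID file
    if len(p) == 2:
        checked, synced = p[PARAMS[0]][1], p[PARAMS[1]][1]
        if synced < checked:
            findings.append("sync-behind-check")    # check ran, table sync did not
        if checked == today:
            findings.append("checked-today")        # no further check until tomorrow
    return findings

def strip_cert_params(ini_text):
    """notes.ini text with both parameters removed (step 1 of the forced refresh)."""
    keep = [l for l in ini_text.splitlines()
            if l.partition("=")[0].strip().lower() not in CANON]
    return "\n".join(keep) + "\n"

if __name__ == "__main__":
    print(diagnose(SAMPLE_INI, r"ids\people\test_user1", date(2025, 5, 14)))
```
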

Final Thoughts
Understanding certificate validation and cache management in HCL Notes is critical for resolving expiry warnings. Updating notes.ini and forcing certificate table refreshes when needed can streamline authentication and reduce support issues.
Have you faced this issue in your HCL Notes environment? Share your insights or tips in the comments!
If this guide was helpful, save it or share it with other Domino administrators.
