Set up some other email address on your Domino server for testing.
Send an email from your regular Notes client to this address in step 2.
Install DAMO AND install the certificate in Outlook on some test client.
Use DAMO to access the account in step 2, so you can retrieve the signed message in Outlook.
If you’re using DAMO to access your OWN account, you’re going to be using Outlook’s “replication” to pull down the entirety of your email to the local PC. I really doubt you want to do that, and even if you did, it wouldn’t test anything.
At the moment I’m not sure of the exact version. I downloaded the win2k compatible version, which I later found out required 136mb of ram, and I was using it on a machine with only 128.
I’m in the process of building a more hardware friendly (640mb ram, 733mhz p3) pc for testing damo, and hope to have that finished this weekend.
If you don’t like it, do something else. Let me guess, you come from a traditional, relational programming background.
I have to admit, if I was getting into it now, I would be frustrated as well. Having grown up with first Formula, then Script, then HTML and JavaScript, it was a lot easier than trying to do them all at the same time and trying to figure out where I needed what.
Notes/Domino does decently what no other product can do.
Have you set it up to use the CA process to create an internet certifier to distribute x.509 certificates so my email can use s/mime?
I’ve been a domino admin for almost three years and a user for over 10. The help is way too fragmented and IBM web sites are just poorly managed. Try to get from point A to point B in one step. It’s impossible.
I have set up CA and Internet Certifiers. Both creating an Internet Certifier manually then adding it to CA, and using CA to create Internet Certifiers, have not had issues with either.
I had the R5 CA up and running. Problem was that Outlook users who received digitally signed certificates always got messages that the signature on the certificate couldn’t be verified. Therefore the certificates were of no use.
So we decided to drop the R5 CA and go to the R6 Server CA. Problem now is that during the setup for Creating an Internet Certifier, I get ‘Server Error - file not found’, and have no way of following up because the message doesn’t indicate which file isn’t found, and the only file I’m aware of is the icl nsf which is supposed to be created. And the help doesn’t help…
I have some vague recollection on a similar problem with the certificate authority. Opened from the Administrator Client, it will generate error messages like the one you describe. Open it from the normal client and it worked fine. Too bad I can’t find the technote!
"I had the R5 CA up and running. Problem was that Outlook users who received digitally signed certificates always got messages that the signature on the certificate couldn’t be verified. Therefore the certificates were of no use."
This happens even though I do accept the server certificate as a trusted root, and it appears as a trusted root cert in my browser.
I should also point out that what I’m trying to do is test exchanging digital certs between my notes client (work), and my outlook client at home. Problem is that outlook, when it receives the certificate says it can’t validate the digital signature. This is even though I’ve accepted the server certificate (in previous steps) into my web browser as a trusted root cert authority.
Hi, I would like more info from your side if possible… What OS r u using now for the domino that u are having problems? About the “File not found”, any more details?
Of course these Outlook users cannot validate your signatures “out of the box” – your PKI doesn’t interconnect with theirs. You would have this same problem going Outlook to Outlook, if the Outlook users were using their own (more secure) CA, instead of using one of the (less secure) public CAs whose root certificates tend to ship by default.
In the Notes world, this can be trivially solved by adding an Internet cross-certificate. On the Outlook side, there should be an action in Outlook that is equivalent to “add sender to address book”.
If users A and B don’t share any common ancestors – or cross-certificates, but only Notes is that useful – then they can exchange signed S/MIME messages. These signatures contain the users’ X.509 certificates. By selecting that message and choosing to add the sender to their address book, they can establish a trusted relationship. And in newer versions of Notes, the user can use the advanced options button off that dialog to establish trust to one of the sender’s ancestor certificates, which would cut down on future warnings of that sort from other users in that domain.
Gerald, there’s no difference between the X.509 certificates issued by the ca.nsf db and the newfangled ca process. You are simply not going to be able to get away from the fact that web clients do not ship with your CA as a trusted root certificate, and your Outlook users are going to have to import your CA certificate as a trusted root. (This is why I asked you whether you were going to be your own CA or use Verisign/Thawte. At the time, maybe you didn’t see the value of popping out the $$ to obtain a “trustable” certificate, but now you are.)
Web browsers can import your certificate as a trusted root simply by visiting your CA.NSF over the web. I have no experience with importing X.509 root certs into Outlook – but I’m sure that it can be done.
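
The trust behaviour described in the replies above, reproduced with the `openssl` command line as an added example (not part of any post in this thread): a message signed under a private CA fails S/MIME verification for a recipient who only trusts an unrelated root, and verifies once the private CA certificate is supplied as a trusted root. All subjects and file names are constructed, and the private root here only stands in for a Domino Internet Certifier; it assumes `openssl` is installed.

```shell
#!/usr/bin/env bash
# Added demo. All names, subjects and files are constructed for illustration.
WORK=$(mktemp -d)

new_root() {  # $1 = file prefix, $2 = CN of a self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/O=Example/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

build_pki() {
  new_root ours  "Example Internet Certifier"   # stands in for the private CA
  new_root other "Unrelated Public Root"        # a root the recipient already trusts
  # User key and certificate, issued by the private CA.
  openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=Test User" \
    -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ours.pem" -CAkey "$WORK/ours.key" \
    -CAcreateserial -days 30 -out "$WORK/user.pem" 2>/dev/null
  # Signed S/MIME message; the signer's certificate travels inside the signature.
  printf 'test message\n' > "$WORK/msg.txt"
  openssl smime -sign -in "$WORK/msg.txt" -signer "$WORK/user.pem" \
    -inkey "$WORK/user.key" -out "$WORK/signed.eml" 2>/dev/null
}

verify_with() {  # $1 = PEM file of trusted roots; exit status 0 = signature verified
  openssl smime -verify -in "$WORK/signed.eml" -CAfile "$1" -out /dev/null 2>/dev/null
}

embedded_signer() {  # subject/issuer of the certificates carried in the message
  openssl smime -pk7out -in "$WORK/signed.eml" | openssl pkcs7 -print_certs -noout
}

build_pki
embedded_signer
verify_with "$WORK/other.pem" && echo "unrelated root only: verified" \
                              || echo "unrelated root only: signer cannot be verified"
verify_with "$WORK/ours.pem"  && echo "private CA trusted: verified" \
                              || echo "private CA trusted: signer cannot be verified"
```

The signature and message are identical in both checks; only the recipient's set of trusted roots changes.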