Lotus Domino 7 cross-certificate problems

Lotus Domino 7 has an unfortunate bug: you can’t cross-certify with another organization over the phone or by e-mail by opening the Domino Administrator, choosing Cross Certify Key… and entering their key ID. The bug is documented in the readme.pdf and is still unfixed as of 7.0.2. It shows up as server errors saying “The subject’s public key found in the cross certificate does not match the one found in the certificate table.”

[Update 2006-05-17: I’m pleased to say that I heard today they’ve managed to squeeze a fix for the problem into 7.0.2. This is not an official statement of support from IBM, etc etc.]

This is a problem in situations where you want to cross-certify your server with someone else’s, but for whatever reason your contact there can’t or won’t give you access to their CERT.ID, and can’t get the owners of that CERT.ID to cooperate either.

For example, you might be doing some Domino development work as a contractor for someone at a huge corporation. It would be nice if you could provide your contact at the corporation with access to your development server, and rely on Notes public key cryptography and his regular Notes ID to keep everything secure.

The certify-by-key ID option was designed for that kind of scenario. He could call you up, read out his key ID to you, and you could enter it and cross-certify his organization with your server. Then you could add him and any other people at his company to your database ACLs by name, and everything would be secure, assuming his company practiced adequate ID security.

Except, as I say, the feature doesn’t currently work in Domino 7. So…

There are two ways around the problem. The first is to downgrade to 6.5, cross certify, then upgrade to 7.0. However, this may still give you problems. So, after considerable experimentation I’ve worked out a rather laborious workaround.

Suppose your organization is /YourOrg and theirs is /TheirOrg.

  1. Open the public names.nsf (the Domino Directory) for a server in /TheirOrg, or get a friend at /TheirOrg to do it. Under Configuration → Certificates, open Notes Certifiers, then TheirOrg, and find the entry for /TheirOrg. If you open the document it should say:

     > Certifier type: Notes Certifier  
     > Certifier name: /TheirOrg  
     > Issued by: /TheirOrg

     Go back to the view, put the view cursor on that document, choose Edit → Copy, and paste the copy into some other database, such as a blank one. We’ll call it Database X.

  2. Get a copy of Database X to YourOrg somehow. Zip it and e-mail it, replicate it, it doesn’t matter how. Make sure the recipient has appropriate rights to open it.

  3. Using the same copy/paste method, copy the document from Database X and paste it into the main names.nsf for YourOrg.

  4. In the Domino 7 Administrator, choose Configuration → Certificates → Certificates. Open Notes Certifiers, then TheirOrg. Open the document. It should say the same things quoted above.

  5. Choose Actions → Create Cross Certificate. Choose `O=TheirOrg` as the certifier to cross-certify, and click OK.

  6. In the next dialog box, select the /YourOrg CERT.ID and an appropriate /YourOrg server to send the cross-certificate to. Enter any necessary passwords, and click OK.
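Step 3 can also be done from a LotusScript agent instead of the clipboard, which is handy if you have to repeat the procedure for several servers. The agent below is an added example, not code from the original post or from IBM; it copies the certifier document by its UNID, which you read from Document Properties in Database X. The local file name of Database X, the YourOrg server name, the UNID itself and the assumption that the document uses the "Certifier" form are all placeholders.

```lotusscript
' Added example (not from the original post): copy the /TheirOrg certifier
' document from Database X into YourOrg's Domino Directory by its UNID.
' Assumptions (placeholders): Database X is a local file databasex.nsf, the
' directory lives on Server1/YourOrg, the UNID below is hypothetical, and the
' certifier document uses the "Certifier" form.
Option Declare

Sub CopyTheirOrgCertifier()
    Dim srcDb As New NotesDatabase("", "databasex.nsf")            ' local copy of Database X
    Dim dstDb As New NotesDatabase("Server1/YourOrg", "names.nsf") ' YourOrg's main Domino Directory
    Dim srcDoc As NotesDocument
    Dim newDoc As NotesDocument
    Dim certUnid As String

    ' Hypothetical UNID: read the real one from Document Properties in Database X.
    certUnid = "0123456789ABCDEF0123456789ABCDEF"

    If Not srcDb.IsOpen Then Error 1000, "Cannot open Database X"
    If Not dstDb.IsOpen Then Error 1001, "Cannot open names.nsf on the YourOrg server"

    ' GetDocumentByUNID raises an error itself if the UNID is not in Database X.
    Set srcDoc = srcDb.GetDocumentByUNID(certUnid)

    ' Refuse to push anything but a certifier document into the directory.
    If srcDoc.Form(0) <> "Certifier" Then
        Error 1002, "Document " & certUnid & " is not a Certifier document"
    End If

    ' Same effect as Edit -> Copy / Edit -> Paste: the new document keeps its
    ' items (including the certifier's public key) but gets a new UNID.
    Set newDoc = srcDoc.CopyToDatabase(dstDb)
    Print "Copied certifier document into names.nsf as UNID " & newDoc.UniversalID

    ' The cross-certificate itself is still issued in the Domino Administrator
    ' (Actions -> Create Cross Certificate). Before clicking OK there, have your
    ' contact read the certifier's key ID to you over the phone and compare it
    ' with the copied document: the document travelled by zip file or replica,
    ' not over a channel you control.
End Sub
```

Run the agent with an ID that has Editor access (or better) to names.nsf on the YourOrg server, then carry on from step 4.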

You should now find that YourOrg can verify certificates created by TheirOrg. Two caveats. First, this cross-certifies the whole of O=TheirOrg, so your database ACLs are the only thing limiting which of their users get in; keep naming people explicitly. Second, the certifier document reached you in a zip file or by replication, not over the phone call the Cross Certify Key… dialog was designed around, so before clicking OK in the last step have your contact read out the certifier’s key ID and check it against the document you pasted; otherwise a tampered Database X would give whoever tampered with it a trusted organization in your directory.