Lotus Domino 7 has an unfortunate bug which means that you can’t cross-certify with another organization via phone or e-mail, by using the Domino Administrator, choosing Cross Certify Key… and entering their key ID. The bug is documented in the readme.pdf,
and is still unfixed as of 7.0.2. It results in server errors saying “The subject’s public key found in the cross certificate does not match the one found in the certificate table.”
[Update 2006-05-17: I'm pleased to say that I heard today they've managed to squeeze a fix for the problem into 7.0.2. This is not an official statement of support from IBM, etc etc.]
This is a problem in situations where you want to cross-certify your server with someone else’s, but for whatever reasons they can’t or won’t give you access to CERT.ID, and can’t engage the cooperation of the owners of their CERT.ID.