[Last Call] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 231
  • Last Modified:

Notes 4.6 Certification Error

I inherited the administration of a Notes 4.6 (no manuals!) - small amount of users, one server, few databases, not used for mail, just accessing the databases.  I have supported end-users in Notes in the past but not at this level.  

Users began to experience an expired certificate this Monday, thus denying access them to the server (they ignored the warning messages).

To correct this (following online help examples), I made a safe copy of the user id, brought it up on the server admin, recertified the ID (setting the expiration for 10 yrs), merged it back into the user ID.  Still having the problem.  In looking at the ID, there are around 11 certificates listed, many expiring next month, one expired this past weekend, still listed and the user is still locked out - the recent recert is recognized, but the 'old' certificates are listed there as well.  

When looking at the other ID's (cert and server), there are many certificates, one expiring this past weekend.  I was able to locate another cert file, dated much older, but do not have the password for this one.  When starting up the server, I am getting a message that the server needs to recertifiy in one month, etc.  

I need help... !  
1 Solution
They may be old "flat" certificates.  Notes currently uses a "hierarchical" naming system, e.g., RFlorschuetz/EExchange, Qwaletee/EExchange, where /EExchnage is the certifier, and RFlorschuetz and Qwaletee are user names.  It is called hierarchical because RFlorschuetz and Qwalatee belong to EExchange, and there could be further levels, e.g., RFlorschuetz/Quesions/EExchange and Qwaletee/Answers/EExchange.

Originally, Notes used a "flat" system, wheret he certifier name was not part of the user name, it was only hidden in the ID file and used during connections to servers, encrypting, decrypting, and and digital signatures.  The reason a user (or server) might have many flat certificates is that the user may interact with servers that had been created by other organizations, and therefore have different certificates -- or any other reason why someone decided to create a server using a different certificate.  The same goes for servers -- maybe a server is used by two organizations, so it has two flat certificates.

Hierarchical certificates begin with a /, as in /EExchange.  Flat certificates do not.

In addition, you might have several hierarchical certificates.  This comes into play because:
1) The main certifier has to certify itself plus any subordinates and any users, so there are usualy at least two
2) In addition, if there are multiple levels of certifier, each one will be present, e.g., /Questions/EExchange and /EExchange
3) Finally, due to different encryption levels if different versions of the product, there are sometimes "international" and "North Amercian" versions of teh same certificate, and a user may have both.

You probably don't need all these certfiicates.  In a simple environment with:
    *   one server
    *   all users and servers use the same hierarchical certificate
    *   users don't access any other server
    *   server does not communicate with any other server
... then al you need are the hierarchical certificates, which all get renewed together in any given ID file, and you can delete any flat certificates.
RFlorschuetzAuthor Commented:
Thanks!  This actually led me to look around a bit more - I ended up using the instructions on how to handle a lost, stolen, compromised certified (from IBM Support website) - that seemed to work (luckily we have a small number of users).  

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now