Notes 4.6 Certification Error

Posted on 2005-04-12
Last Modified: 2013-12-18
I inherited the administration of a Notes 4.6 (no manuals!) - small amount of users, one server, few databases, not used for mail, just accessing the databases.  I have supported end-users in Notes in the past but not at this level.  

Users began to experience an expired certificate this Monday, thus denying them access to the server (they ignored the warning messages).

To correct this (following online help examples), I made a safe copy of the user id, brought it up on the server admin, recertified the ID (setting the expiration for 10 yrs), merged it back into the user ID.  Still having the problem.  In looking at the ID, there are around 11 certificates listed, many expiring next month, one expired this past weekend, still listed and the user is still locked out - the recent recert is recognized, but the 'old' certificates are listed there as well.  

When looking at the other IDs (cert and server), there are many certificates, one expiring this past weekend.  I was able to locate another cert file, dated much older, but do not have the password for this one.  When starting up the server, I am getting a message that the server needs to recertify in one month, etc.  

I need help... !  
Question by: RFlorschuetz

    Accepted Solution

    They may be old "flat" certificates.  Notes currently uses a "hierarchical" naming system, e.g., RFlorschuetz/EExchange, Qwaletee/EExchange, where /EExchange is the certifier, and RFlorschuetz and Qwaletee are user names.  It is called hierarchical because RFlorschuetz and Qwaletee belong to EExchange, and there could be further levels, e.g., RFlorschuetz/Questions/EExchange and Qwaletee/Answers/EExchange.

    Originally, Notes used a "flat" system, where the certifier name was not part of the user name, it was only hidden in the ID file and used during connections to servers, encrypting, decrypting, and digital signatures.  The reason a user (or server) might have many flat certificates is that the user may interact with servers that had been created by other organizations, and therefore have different certificates -- or any other reason why someone decided to create a server using a different certificate.  The same goes for servers -- maybe a server is used by two organizations, so it has two flat certificates.

    Hierarchical certificates begin with a /, as in /EExchange.  Flat certificates do not.

    In addition, you might have several hierarchical certificates.  This comes into play because:
    1) The main certifier has to certify itself plus any subordinates and any users, so there are usually at least two
    2) In addition, if there are multiple levels of certifier, each one will be present, e.g., /Questions/EExchange and /EExchange
    3) Finally, due to different encryption levels in different versions of the product, there are sometimes "international" and "North American" versions of the same certificate, and a user may have both.

    You probably don't need all these certificates.  In a simple environment with:
        *   one server
        *   all users and servers use the same hierarchical certificate
        *   users don't access any other server
        *   server does not communicate with any other server
    ... then all you need are the hierarchical certificates, which all get renewed together in any given ID file, and you can delete any flat certificates.
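
The naming rules in the answer above, applied as an added Python example that is not part of the original thread or of any Notes tooling. It assumes the certificate list has been typed in by hand as (issuer, expiry) pairs; the function names, the 60-day warning window, the case-insensitive matching and the sample entries are all assumptions made for illustration.

```python
from datetime import date, timedelta

def expected_certifiers(hier_name):
    """'User/Questions/EExchange' -> ['/Questions/EExchange', '/EExchange']."""
    parts = hier_name.split("/")[1:]  # drop the user or server name itself
    return ["/" + "/".join(parts[i:]) for i in range(len(parts))]

def triage(id_name, certs, today, warn_days=60):
    """Classify (issuer, expiry) pairs typed in by hand from an ID's certificate list.

    Returns (report, missing): report holds (issuer, kind, state) tuples and
    missing lists certifiers in the ID's own chain that have no certificate.
    """
    chain = [c.casefold() for c in expected_certifiers(id_name)]
    seen = {issuer.casefold() for issuer, _ in certs}
    report = []
    for issuer, expires in certs:
        if not issuer.startswith("/"):
            kind = "flat"                      # the page's rule: no leading "/"
        elif issuer.casefold() in chain:
            kind = "hierarchical"
        else:
            kind = "hierarchical-other"        # belongs to some other hierarchy
        if expires < today:
            state = "expired"
        elif expires <= today + timedelta(days=warn_days):
            state = "expiring"
        else:
            state = "ok"
        report.append((issuer, kind, state))
    missing = [c for c in expected_certifiers(id_name) if c.casefold() not in seen]
    return report, missing

# Constructed sample data, not taken from the poster's ID file.
TODAY = date(2005, 4, 12)
SAMPLE_CERTS = [
    ("/EExchange", date(2015, 4, 10)),
    ("/Questions/EExchange", date(2005, 5, 9)),
    ("OldCorp", date(2005, 4, 9)),
    ("Partner", date(2005, 5, 15)),
]

if __name__ == "__main__":
    report, missing = triage("RFlorschuetz/Questions/EExchange", SAMPLE_CERTS, TODAY)
    for issuer, kind, state in report:
        print(f"{issuer:<24} {kind:<20} {state}")
    print("missing from chain:", missing or "none")
```

Entries reported as "flat" are candidates for deletion only when the simple-environment conditions listed in the answer hold.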

    Author Comment

    Thanks!  This actually led me to look around a bit more - I ended up using the instructions on how to handle a lost, stolen, compromised certified (from IBM Support website) - that seemed to work (luckily we have a small number of users).  
