Problem
You have a Lotus Notes® user ID that has expired and you would like to manually recertify it.
The ID can open Notes, because the password is valid, but the user cannot do anything else, as the end date has expired. If the user selects File -> Tools -> User ID -> Certificate -> Request Certificate, the following message displays:
Server Error: Your certificate has expired.
Administrator: Recertify a user's ID
A user has a Notes ID that has an expired certificate. These steps are performed by the server administrator to correct the user's expired ID.
1. After obtaining the user ID, you (as the administrator) launch the Lotus® Domino® Administration client.
2. Open the Configuration tab, expand Certification (located on the right hand pane) and select Certify.
3. Select the Certifier ID file.
4. From the Choose Certifier ID dialog box, select the O or OU certifier that was originally used to certify the user ID.
5. Enter the password for the certifier ID.
6. From the Choose ID to Certify dialog box, select the user ID to be recertified.
7. Enter the password for user ID to be recertified.
8. [Optional] In the Certify ID dialog box, you may set or change the following:
Registration server, expiration date of the certifier and password length.
9. Click Certify.
The Status window displays:
Updating address book entry for username/org
Successfully updated address book entry for username/org
Username/org successfully certified
10. Choose «No» when you receive the following dialog box:
Would you like to certify another?
11. Provide the newly-recertified ID file to the user.
Administrator: Recertify an expired Server ID
If an administrator needs to recertify an expired Server ID, the following steps should be followed:
1. Certify the server id file by following the «Administrator: Certifying an expired server ID file» steps included below.
2. Verify that the expiration date has been changed in the server.id file.
3. From the administration client select Configuration -> Tools -> ID Properties, then select the Server ID file.
4. Place the new server.id back on the server (c:\lotus\domino\data), and restart the server.
Administrator: Certifying an expired server ID file
How to certify an expired server id file.
1. After obtaining the server ID (c:\lotus\domino\data is the default location), you (as the administrator) launch the Domino Administrator client.
2. Open the Configuration tab, expand Certification (located on the right hand pane) and select Certify.
3. Select the Certifier ID file.
4. From the Choose Certifier ID dialog box, select the O or OU certifier that was originally used to certify the user ID.
5. Enter the password for the certifier ID.
6. From the Choose ID to Certify dialog box, select the server ID to be recertified.
7. Enter the password for server ID to be recertified, if necessary (not all server ID files require a password).
8. [Optional] In the Certify ID dialog box, you may set or change the following:
Registration server, expiration date of the certifier and password length.
The server.id file should have an expiration date 99 years in the future (default).
9. Click Certify.
The Status window displays:
Updating address book entry for username/org
Successfully updated address book entry for username/org
Username/org successfully certified
10. Choose «No» when you receive the following dialog box:
Would you like to certify another?
11. Copy the newly-recertified ID file to the server (c:\lotus\domino\data, by default).
Topic: Server certificate has expired (Read 7143 times)
Good afternoon!
Please help us solve a problem related to the validity period of the SERVER certificate !!!!!!!!
On 16.01.2013 the Admin.ID certificate expired. It was extended on 17.01.2013. But now a message appears saying that it is not possible to verify the attributes of server ХХХХ/ХХХ/ХХ because the server's certificate has expired. Continue working with the server?
What should we do? The server certificate's expiry date is set to 22.01.2113 !!! Help!
« Last Edit: 23 January 2013, 13:10:54 by eva »
Has the certificate of the server expired, or that of this server's administrator?
A server certificate is usually issued for 100 years.
Things to try…
1. To begin with, try recertifying this ID.
2. I would stop the server and make a cold copy of the transaction logs, the application directory and the Domino data.
Then I would roll back the system time on the server, start Domino and try the recertification.
« Last Edit: 23 January 2013, 15:48:15 by Sergey Latyshev »
Sergey, hello!
Together with our parent organization we tried rolling back the system date on the servers and re-creating the Admin account with an extended certification period, which I selected while the time was rolled back, and then we restored the current date. But the problem remained. The message that the SERVER's certification period has expired no longer appears, but documents are not being sent (and I do not receive any). Within our own company we do receive mail from each other. The Lotus Domino console shows the following message:
Router: No messages transferred to ХХХХХ/ХХХ/ХХ via Notes: Your certificate has expired on remote server
Router: Unable to open mailbox file ХХХХХ/ХХХ/ХХ mail.box : Your certificate has expired on remote server
Hello again!
We just cannot manage to solve our problem! For some reason our head office is handling this issue through the Address Book (updating or restoring it?). The Servers folder lists all the branches of the enterprise that it works with. I can see them. And all of them have certificate expiry dates set to 2113. But for some reason only we cannot pass certification!!! I sent all the articles I found on the Internet, but … On our own server I found only one id, not a user one, and sent it for "examination", but they found no use for it! What should we do?
We have Lotus version 5.0 installed
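The two Router errors quoted in the thread above can be picked out of a console log and grouped by the server they name. This is an added example, not part of the forum thread or of any IBM material; the sample log lines and server names are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample console output (not from a real server). The Router
# message wording follows the lines quoted in the thread; names are made up.
SAMPLE_LOG = """\
Router: No messages transferred to HQ01/Main/Org via Notes: Your certificate has expired on remote server
Router: Unable to open mailbox file HQ01/Main/Org mail.box : Your certificate has expired on remote server
Router: Transferred 3 messages to Branch02/East/Org via Notes
Router: No messages transferred to Branch03/West/Org via Notes: Remote system no longer responding
Router: Unable to open mailbox file HQ01/Main/Org mail.box : Your certificate has expired on remote server
"""

EXPIRED = "Your certificate has expired"
# Hierarchical Notes name such as CN/OU/O: two or more "/"-separated parts.
NAME = r"(?P<peer>[^\s/:]+(?:/[^\s/:]+)+)"
PATTERNS = {
    "transfer": re.compile(
        r"Router: No messages transferred to " + NAME + r" via Notes: (?P<err>.+)$"),
    "mailbox": re.compile(
        r"Router: Unable to open mailbox file " + NAME + r" mail\.box\s*: (?P<err>.+)$"),
}

def find_expiry_failures(log_text):
    """Return one dict per Router line that failed with the expiry error."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line.strip())
            if m and m.group("err").startswith(EXPIRED):
                hits.append({
                    "line": lineno,
                    "kind": kind,
                    "peer": m.group("peer"),
                    # True when the error text carries the remote-server suffix.
                    "remote": m.group("err").endswith("on remote server"),
                })
    return hits

def summarize(hits):
    """Count expiry failures per peer server, most affected first."""
    return Counter(h["peer"] for h in hits).most_common()

if __name__ == "__main__":
    for peer, count in summarize(find_expiry_failures(SAMPLE_LOG)):
        print(f"{peer}: {count} expiry failure(s)")
```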
Lotus Notes Certifier ID and Certificates
What is Lotus Notes Certificate?
A certificate in Lotus Notes is a digital signature that identifies a user or server. A user ID can hold more than one Internet certificate; these identify the user when SSL is used to connect to an Internet server.
What is Certifier ID in Lotus Notes?
A certifier ID is created to place servers and users correctly within the hierarchy scheme of an organization. It is stored as cert.id in a Domino directory.
Certifier ID and Certificates are important for IBM Lotus Domino security.
Location of Lotus Notes Certifier ID file
Default location of the Lotus Notes cert.id file: C:\Program Files\IBM\Domino\Data\cert.id
What does Lotus Notes Certificate contain?
- Certifier name that issued the certificate.
- The name of the user or server to whom the certificate was issued.
- The Public key which is stored in both IBM Domino directory and ID file.
- A digital certificate.
- The expiry date of the certificate.
What are the types of Certifier ID?
1. Organization Certifier ID
When the server is set up for the first time, the server setup program creates the organization certifier ID file in the directory of the Domino server and names it Cert.id. During setup, that organization certifier ID automatically certifies the first Domino server ID and the administrator's user ID.
2. Organizational unit Certifier ID
During this server setup, you can also create a first-level organizational unit certifier ID, so that the server ID and the administrator's user ID are certified with the organizational unit certifier. Using this, you can decentralize certification by giving the certifier ID to the administrators who manage users and servers.
How to Secure Certificates in Lotus Notes?
By default, the server stores the certifier ID file in the Domino data directory. During Domino Administrator setup, when you choose either the organization certifier ID or the organizational unit certifier ID, you can specify where you want to store the ID file. For more security, you can store the certifiers in a safe place.
How to delete certificates from user.id File?
Both flat certificates and Internet certificates can be deleted from a Lotus Notes user ID. When certificates are deleted, Lotus Notes keeps all the keys used to decrypt data that was encrypted with those certificates.
Procedure to delete certificates from Lotus Notes:
- Go to File > Security > User Security
- Click Your Identity > Your Certificates
- Choose All certificates in the drop-down list
- Select the certificate you want to delete, Click Other Actions > Delete from ID File
How to Renew Lotus Notes Certificates before Expiration?
Notes certificates are valid only for a limited period of time, and you need to renew them before that period ends. If a certificate is not renewed before its expiration date, it becomes invalid, which means you will not be able to log in to the Lotus Notes server. At that point, the user will need to contact the administrator.
Renewing a certificate means changing its expiration date; the public and private keys remain the same after renewal. Because the private keys do not change, the administrator can renew the certificates without the user's involvement. If that does not happen, you will receive a prompt showing that certificates are about to expire.
To find the expiration date of a Notes certificate, follow the steps below:
- Select File > Security > User Security
- Click on Security Basics.
- Click Who you are and refer to the ID File Expiration date.
To find the expiry date of Lotus Notes flat certificates and Internet certificates:
From User Security, click Your Identity, go to Your Certificates, choose the certificate you want to view and refer to the Expires value given for the certificate.
How to Request a Certificate?
The server administrator can keep track of the certificate requests that were sent to the CA. The request document records the method used to submit the certificate, the date and time of the request, the key ring file used for the certificate, all information about the certificate and even the email addresses to which the administrator sent the requests.
- In the Lotus Notes client, open the Server Certificate Admin application.
- Click "View Certificate Request Log".
- Open the request document.
How to change the password of certifier id?
Only the Lotus Domino administrator can change an ID password, whether for a User ID, Certifier ID or Server ID. These IDs can be examined in the Administrator panel window.
- From the Configuration tab, click Certification under Tools.
- Click ID Properties.
- Select the ID file you want to examine; you will be prompted for the existing password.
- All information about that certifier is shown in a dialog box. Go to the Basics tab and click the "Set Password" option.
- After all changes are made, click Done.
Errors That Occur with Lotus Notes Certificates
Error 1: ‘Cannot accept internet certificate because the Certificate Authority certificate is unavailable’
When does it occur?
This occurs when you have user certificates that you want your users to install into their user ID files so that they can use S/MIME for email. The certificate is exported from a web browser, but when the users import it, the following error occurs:
“Cannot accept internet certificate because the Certificate Authority certificate is unavailable”
This error occurs if you do not select the option to "include all certificates" while exporting the certificate from the browser.
Follow the steps given below to avoid this error:
- In Windows, click Start > Settings > Control Panel.
- Open Internet Options, go to the Content tab and click the Certificates button.
- From the Personal tab, click the certificate that needs to be exported.
- Click the Export button.
- The Certificate Export Wizard opens. Click Next to continue.
- Click Yes, export the private key
- Select Personal Information Exchange
- Choose "Include all certificates…". Select this so that the error will not occur.
- Click "Enable strong protection" and click Next.
- Apply a password.
- Specify the file location and file name.
- Click Next and then Finish to complete the export.
Error 2: ‘The signature on the certificate was found to be invalid’
When does it occur?
In IBM Domino Administrator, you rename the common name of users, then go to the Administration Requests database (Admin4.nsf) to accept the requests and start the renaming process. After that, when you issue the "tell adminp process all" command on the server console, you receive the following error message:
“The signature on the certificate was found to be invalid”
How to resolve this error?
To complete the renaming process without error, remove all rename requests from the Admin4.nsf database file, then first recertify the user and then rename the user. If the error still appears after that, it means that the certifier to which the user was moved is corrupted.
Conclusion:
In the above article we have discussed most of the information about Lotus Domino server certificates and the ID file called the certifier ID. Certificates in Lotus Notes provide more security for user accounts. We have also discussed the challenges that come up while setting up certificates on the Domino server and provided methods to solve these issues.
A Tip for Notes user:
Sometimes a small complication necessitates moving to an alternative platform. Online research says that MS Outlook is the most preferred choice for users leaving IBM Notes. That move requires data file compatibility, which can be achieved with an NSF to PST conversion tool. It will cost you a bit but can solve multiple problems.