Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

    Cross Certifying a Notes ID only works with a Safe.ID via C-API/Lotus Script/Java

    Daniel Nashed  24 July 2019 08:03:35

    For the Docker project I looked into cross certifying IDs via C-API and the Lotus Script/Notes Java classes.
    It turned out that this only works well for safe.ids. The information from the ID files that is needed for cross certification requires opening the Notes.ID.

    In Lotus Script/Java in a client you are prompted for the password. In the C-API an error is returned for a normal ID: "Wrong Password. (Passwords are case sensitive - be sure to use correct upper and lower case.)"

    This behavior isn't documented and they don't mention that it only works well for safe.ids. There is no way to specify the password for the Notes.ID to be cross certified.
    I have a support ticket open and they created an enhancement request.
    They also created an AHA idea for me ->
    https://domino.ideas.aha.io/ideas/DOMINO-I-875

    In Lotus Script/Java there isn't a way to check in advance if a Notes.ID is a safe.id. In the C-API you can check before calling REGCrossCertifyID() if the ID is a safe.id.
    This call has been around for a long time and I am surprised nobody ever reported this limitation.

    For the Docker project it makes sense to pass a safe.id anyway. So for us it's not really a show stopper.

    It looks like the limitation is that reading the public key from the Notes.ID already needs the password.


    In the client you can create a cross certificate from a signature. But this isn't available in any exposed API either.
    Having a way to create a cross certificate from a signature would be helpful for auto registration applications ;-)
    A signed request could be used to cross certify the ID...

    -- Daniel
