In February of 2003 I had to have X.509 certificates issued by a self-made OpenSSL CA (Certification Authority) automatically imported into a Lotus Notes address book, which turned out to be a bit more difficult than anticipated and Lotus support didn’t have a solution. At the time, I posted the problem to LDD:

I’m trying to add X.509 public userCertificates to the Domino Directory, or rather to a personal address book, and need to know how to store them. A usercertificate which was imported “legally” shows up like properties Now that is not a hexadecimal representation (because of the ‘G’). Does anybody know how I could programmatically import certificates, either in binary DER or in PEM format, into a personal address book or even the Domino Directory?

Since I’ve been asked recently, here is a summary of what I did:

We wanted to have users’ public certificates (no private keys, mind you; those must be stored in a user’s .ID file) in an address book accessible to Notes users when on the road. Any solution such as a directory catalog (replicated to clients) or a personal name and address book (PNAB) would be fine. These are my notes:

As was confirmed to me after opening an incident (#1546258) in January 2003, Internet certificates cannot be held in a Directory Catalog: they are truncated during creation/maintenance of the catalog, which is a bug. Quite apart from that, even if they existed in full, the Notes client (R5 and R6) only supports X.509 certificates when they can be retrieved from the user’s personal address book on the workstation (names.nsf). According to support, they are also supported when in the Domino Directory (names.nsf), but we haven’t yet tested that. Even if that works, they’d be useless there, because it means they cannot be used from an offline mobile client.

From the Personal Address Book (PNAB), a pre-configured LDAP directory can be queried to retrieve the certificate for a user. This modus operandi is terribly slow (and of course requires an online connection to the LDAP server). When the entry for the specified user is retrieved, it can be copied into the PNAB including the contained userCertificate attribute type (what about multiple certificates?). Idiotically, if an entry in the PNAB with the same name (name, for goodness’ sake!) already exists, the operation is aborted with the message “An entry with this name is already in a local address book”, making the whole procedure totally useless, except to those that do not yet have personal address book entries... If only a merge of the directory entry and the PNAB entry were offered...

I wanted to create the entries automatically in the PNAB, which isn’t possible as the procedure to do so isn’t documented and may change at any time. That is why I took a convoluted route: via LDAP I populate the appropriate field in the Domino Directory (userCertificate).

Periodically, a LotusScript agent sucks those entries which have a userCertificate into a database based on a personal names.nsf template (not the Domino Directory template, but the personal address book one). That database is stored on a server and is replicated to the client workstations. The workstations have that database (let’s call it certnab.nsf) listed in their preferences in addition to the local names.nsf.
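For the first step of that route, the LDAP side, here is an added example (not code from the original post or from Lotus/Domino) of how the certificate can be prepared for import: it converts a PEM certificate to DER, checks that the DER blob is complete (the outer SEQUENCE length must match the byte count, which is exactly the kind of truncation the Directory Catalog bug produces), and emits an RFC 2849 LDIF modify record carrying `userCertificate;binary` that `ldapmodify` can feed to the directory. The DN and the sample certificate bytes are constructed for the example; the DN layout of a real Domino Directory is an assumption you must adapt.

```python
import base64
import re

# Constructed sample: a PEM wrapper around a tiny DER SEQUENCE (30 03 02 01 05).
# It is NOT a real certificate; a real one from "openssl x509" is much longer.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""

# Assumed DN; the actual naming layout in a Domino Directory will differ.
SAMPLE_DN = "cn=Jane Doe,o=Example"


def pem_to_der(pem: str) -> bytes:
    """Extract the base64 body between the CERTIFICATE markers and decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def der_outer_length(der: bytes) -> int:
    """Return the total encoded length (tag + length octets + content) of the
    outer DER SEQUENCE, which is what every X.509 certificate starts with."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: one length octet
        return 2 + first
    n = first & 0x7F                      # long form: n further length octets
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    content = int.from_bytes(der[2:2 + n], "big")
    return 2 + n + content


def der_is_complete(der: bytes) -> bool:
    """True only if the declared SEQUENCE length matches the bytes present,
    i.e. the blob has been neither truncated nor padded."""
    try:
        return der_outer_length(der) == len(der)
    except ValueError:
        return False


def wrap_ldif(line: str) -> list:
    """Fold one logical LDIF line to at most 76 characters per physical line;
    continuation lines start with a single space (RFC 2849)."""
    out = [line[:76]]
    rest = line[76:]
    while rest:
        out.append(" " + rest[:75])
        rest = rest[75:]
    return out


def ldif_add_certificate(dn: str, der: bytes) -> str:
    """Build an LDIF 'modify' record adding userCertificate;binary to dn.
    Refuses incomplete DER so a broken certificate never reaches the directory."""
    if not der_is_complete(der):
        raise ValueError("refusing to store truncated or malformed certificate")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [f"dn: {dn}", "changetype: modify", "add: userCertificate;binary"]
    lines += wrap_ldif("userCertificate;binary:: " + b64)   # '::' marks base64 value
    lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Usage: python thisfile.py > cert.ldif && ldapmodify -x -D <binddn> -W -f cert.ldif
    print(ldif_add_certificate(SAMPLE_DN, pem_to_der(SAMPLE_PEM)), end="")
```

The completeness check is the part worth keeping even if the LDIF side is replaced by a directory API: it costs a few lines and catches the truncated-certificate failure mode described above before an unusable blob is replicated to every workstation.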

It works well for us.

