Personal Blog of Thomas Hampel - Creative Mythbusting in Development and Collaboration

Who am I?


Previous Document Next Document

Making Internet Mail Secure with just a few clicks - S/MIME in Domino

Thomas Hampel
 9 May 2014

I'm wondering why internet mails are still sent unencrypted, at least for a large extend. You should not make it too easy for your enemy to spy on you just by sniffing your internet traffic. This blog post is a reminder for Domino admins who still force mails sent unencrypted over the internet to take action now. No, I'm not talking about transport level security for now, this post is to provide end to end encryption.

After having read the-dummies-guide-to-2048-bit-ssl-self-signed-certificates-in-domino.htm you are ready for securing your internet email with S/MIME.
So lets roll out S/MIME certificates to Notes users in a Domino domain:

Basic steps are:

1. Create a key ring file
that contains a self signed (or trusted ) certificate
For more information on how to create a self signed CA, read the-dummies-guide-to-2048-bit-ssl-self-signed-certificates-in-domino.htm

2. Set up the CA process in Domino

Nobody wants to deploy S/MIME certificates to users manually, so it is recommended to
set up the CA process in Domino,
otherwise an Admin needs to enter the password of the keystore every time a new user is being registered.

3. Migrate an (internet) Certifier into the CA

Just read and follow
instructions for migrating an existing Certifier/KeyRing , or create a new one using the use the step by step instructions starting with slide #89
Remark: You must refresh the CA process in order to see the newly migrated certifier, use the server command "tell ca refresh" and "tell ca status"

4. Rolling out Internet Certificates to Users

Follow instructions for
Issuing Internet certificates in a Person document or use the  step by step instructions starting with slide #149
Here the CA process becomes very handy when the rollout is done in waves.


Once AdminP completed, the Notes Client will pick up the new keys the next time it authenticates with the Domino server and the new S/MIME certificate will then be merged into the users ID file.
If an IDVault is in use, the Notes Client will then upload the ID file to the vault automatically.

What about Step-by-Step deployment instructions?

Those have already been provided byTom Truitt's in his Lotushpere 2011 presentation
SHOW104 - Crispy Certificates with Spicy SSL Salsa
One might also want to know
how to enable S/MIME in BlackBerry Enterprise Service 10 and should keep in mind S/MIME in IBM Notes Traveler still seems to be an issue (Reference Technote #7039769 )

How to obtain the internet certificate's public key of a user?

When receiving internet mail users of the same domain can pick up the public key of a user from the Domino Directory, but users receiving mail from the internet need to ask the sender for a signed email to add the senders internet certificate to local address book manually. The option can be found in the "Add Sender to Contacts" dialog box...

Image:Making Internet Mail Secure with just a few clicks - S/MIME in Domino

at the very bottom there's a small check box...

Image:Making Internet Mail Secure with just a few clicks - S/MIME in Domino

Now you can send & encrypted mail(s) via the internet - sniffing network traffic wont provide the mail body in clear text anymore.
Of course enabling S/MIME for external communication is just a first small step and you know its not a perfect way
to protect your privacy forever.

Overall, this is just some very basic knowledge every Domino administrator should have applied for years, but unfortunately...
Yes, there is more to say about S/MIME in Domino, a lot more - so there will be another blog post about this topic.

Further reading
Tagged with: Domino Notes SSL Tools
No Comments Found
Go ElsewhereSubscribe to RSSAboutStay ConnectedAnd More
Thomas Hampel, All rights reserved.