This forum is closed to new posts and responses. Individual names altered for privacy purposes.
So, Notes is smart enough to sign my documents once again? This seemed not to work @ Version 6.02 - I double check.
You don't need to re-sign anything. The original signatures were never removed. Adding the exact same certificate again just re-activates the deleted cert and private key.
Notes doesn't currently cleanly handle having objects on the token that it needs being deleted out from under it. I've written an SPR (DKEN5V2PRT) to add a few more checks to the "move private key to smartcard" process.
Could you supply me a download link? I've searched the download section and didn't find it - or do I need business partner access? Furthermore - when will this SPR be applied to an official release?
Since I only wrote the SPR last Friday, a fix is definitely not downloadable yet. If you want a fix RSN, you should open a support incident, especially since the workaround -- don't delete objects that are in use from the token -- is fairly simple.
Your default signing certificate is configured in the ID file, but the default encryption certificate is configured in the public directory. Check your person record in the public directory that the sender is using and confirm that your "exported" certificate is the default encryption certificate. Once the sender is encrypting with the correct key, that particular problem should go away. When you export a private key to the token, the copy of the key in the ID file is deleted, so it's definitely not decrypting with a copy of the key in the ID file.
Well, I guess you are right - the problem was the Notes client didn't use X.509 encryption but Notes encryption. AFAIK I can only supply public keys from signed emails - I cannot import them directly into my NAB, or is there a way to change that programmatically... I mean you were talking about the encryption certificate settings - but aren't these taken from the Domino Server NAB and not from the Personal?
By the "public directory" I was referring to the public NAB on the server, not the personal NAB on the client.
There are several ways to make the client use S/MIME instead of Notes mail. In your location record, you can set "Format for messages addressed to internet addresses" to "MIME Format", and then address the message to "foo@bar.com" instead of Foo/Bar. In the recipient's person record on the server's NAB, you can set "Format preference for incoming mail" to "Prefers MIME".
You can set the default X.509 encryption cert in the server's directory by going to the Certificates/Internet Certificates pane in the person record, selecting "Examine Internet Certificates", and then selecting a certificate from the list box and pressing the "Set as default for encryption" button.
Once the mail being sent is MIME and encrypted and the recipient has an Internet cert in the directory and the cert corresponding to the private key on the smartcard is the default encryption cert, you'll start seeing the smartcard used for decryption.
And there is an Action for "Import Internet Certificates" that you can use to import X.509 certs from a PKCS#12 file directly into the server's NAB.
Lastly, another issue I've got so far - how do I switch back from the smartcard usage of an ID - currently I make a backup copy of the ID file - if I don't want to use the smartcard anymore I just overwrite my ID file and use it instead of the other ones... There is a menu "Enable Smartcard Login" ... shouldn't there be an option "Disable Smartcard Login"?
A menu option to "Disable Smartcard Login" would potentially allow users to over-ride administrator policy... if an administrator issues a smartcard to a user, it is expected that the admin wouldn't want the user to be able to disable smartcard login and keep using his password-protected ID file.
The only supported means of switching back from the smartcard usage of an ID is to use the ID File Recovery feature. But, as you pointed out, just keeping a pre-smartcard copy of the ID around works as well, although keeping password-protected backup copies of the ID file around in a production environment could be considered a security risk.
BTW: How do you color the text within a response? My font tags always get parsed out even though I use brackets [ ]
I don't read this forum through a web browser, but it's fairly trivial to do in the Notes Client. Try asking that to the forum as a whole -- odds are that someone here knows. :)