PKCS#11 v2.0.1+ using the RSA Asymmetric Client Signing Profile from the PKCS#11 Conformance Profile Specification
Any PKCS#11 cryptographic token that supports the RSA Asymmetric Client Signing Profile and the Large Applications Profile from the PKCS#11 Conformance Profile Specification should work fine with Notes/Domino. If you're just doing S/MIME and aren't using the card for anything else, only the former is truly necessary. One of the most likely points of failure that we've seen in the past is keys/certs on the cards that don't fit the following requirement from that first profile:
A unique non-null CKA_ID value exists and has proper associations for all keys and certificates.
If you set DEBUG_PKCS11=3 in your notes.ini and restart the client, you'll see a great deal of smartcard-related information including all of the calls to the PKCS#11 library and any errors returned logged to the console / debug output file.
Do you also have the relevant certificate and/or private key in your ID file? That might be confusing matters somewhat. I'd recommend a fresh ID file and/or a fresh token. Don't import or export anything to or from the ID file, don't lock the ID file with the smartcard, just leave the keys and certs only on the smartcard. As long as the PKCS11_Library notes.ini variable is set correctly -- you'll be able to tell because the user security panel will show information about the library and token -- when decrypting an encrypted S/MIME message, Notes will check on the token for the key (cert, actually, then private key with the same CKA_ID, darn you S/MIME spec writers...) needed to decrypt the message. Similarly, when sending a signed S/MIME message in this scenario, you'll be prompted to pick a signing key if you have a token with signing-capable certs/keys plugged in currently. For best results, the certificates should be public so Notes can find them without prompting you for your PIN; in that scenario you'll only be prompted for your PIN if Notes needs to use one of the private RSA keys for something.
Feedback response number DKEN8FPLYC created by ~Ben Umboosichekader on 04/07/2011
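To make the CKA_ID requirement from the response above concrete, here is an added example (not from the original post or from Notes/Domino) that checks a token's objects the way Notes' lookup needs them: every key and certificate has a non-null CKA_ID, no two objects of one class share an ID, and each certificate has a private key with the same CKA_ID. The object list is constructed; `read_token_objects` assumes the PyKCS11 module is installed and will also flag CA certificates that legitimately have no private key on the token.

```python
from collections import defaultdict

# Constructed sample of what a token reports via C_GetAttributeValue:
# "cls" = CKA_CLASS, "id" = CKA_ID (bytes, None when the attribute is empty).
CONSTRUCTED_TOKEN = [
    {"cls": "CKO_CERTIFICATE", "id": b"\x01", "label": "smime-cert"},
    {"cls": "CKO_PRIVATE_KEY", "id": b"\x01", "label": "smime-key"},
    {"cls": "CKO_CERTIFICATE", "id": b"\x02", "label": "auth-cert"},   # no private key with ID 02
    {"cls": "CKO_PRIVATE_KEY", "id": None,    "label": "orphan-key"},  # null CKA_ID
    {"cls": "CKO_PUBLIC_KEY",  "id": b"\x01", "label": "smime-pub"},
]

def check_cka_id_associations(objects):
    """Return problems (empty list = token meets the CKA_ID rule): IDs non-null,
    no two objects of one class share an ID, every cert has a private key with its ID."""
    problems = []
    by_class_id = defaultdict(list)
    for obj in objects:
        if not obj["id"]:
            problems.append(f"{obj['cls']} '{obj['label']}': CKA_ID is null/empty")
            continue
        by_class_id[(obj["cls"], obj["id"])].append(obj["label"])
    for (cls, cka_id), labels in by_class_id.items():
        if len(labels) > 1:
            problems.append(f"{cls} objects {labels} share CKA_ID {cka_id.hex()}")
    private_ids = {i for (c, i) in by_class_id if c == "CKO_PRIVATE_KEY"}
    for cls, cka_id in by_class_id:
        if cls == "CKO_CERTIFICATE" and cka_id not in private_ids:
            problems.append(f"certificate with CKA_ID {cka_id.hex()} has no private key with that CKA_ID")
    return problems

def read_token_objects(pkcs11_library_path, pin=None):
    """Read the same attributes from a real token with PyKCS11 (assumed installed);
    imported lazily so the checker above runs without a token."""
    import PyKCS11
    lib = PyKCS11.PyKCS11Lib()
    lib.load(pkcs11_library_path)  # e.g. the path in the PKCS11_Library notes.ini variable
    session = lib.openSession(lib.getSlotList(tokenPresent=True)[0])
    if pin:  # private key objects are typically hidden until the user logs in
        session.login(pin)
    names = {PyKCS11.CKO_CERTIFICATE: "CKO_CERTIFICATE", PyKCS11.CKO_PRIVATE_KEY: "CKO_PRIVATE_KEY",
             PyKCS11.CKO_PUBLIC_KEY: "CKO_PUBLIC_KEY"}
    objects = []
    for obj in session.findObjects():
        cls, cka_id, label = session.getAttributeValue(obj, [PyKCS11.CKA_CLASS, PyKCS11.CKA_ID, PyKCS11.CKA_LABEL])
        if cls in names:
            objects.append({"cls": names[cls], "id": bytes(cka_id) if cka_id else None, "label": label})
    return objects
```

Run `check_cka_id_associations(read_token_objects(path, pin))` against the library named in PKCS11_Library; any reported problem is a candidate cause for the PKCS#11 errors that DEBUG_PKCS11=3 logs.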