I had to deal with some cross certification today. In other words, Server A/Domain A needs to communicate with Server A, B, …/Domain B.
Considering this blog as a kind of self-documentation, it’s time to write something about cross certification in the Lotus Notes/Domino environment.
‘Joe public’ medium-sized companies might not run into this issue where different domains or members of domains need to communicate with each other. But once two different companies/organizations have to communicate with each other, cross certification becomes a topic.
Honestly, cross certification had always been a bit of a worry for me until today. Most probably because the information describing the procedure in the administrator’s help is quite complicated and not easy to follow when you haven’t seen the procedure ‘live’ before. However, I still want to recommend having a look through the manual first before touching anything.
First of all you have to decide on which level of the domain hierarchies you want the cross certification to occur. Imagine a server name like
where CN is the Common Name,
OU the Organizational Unit,
O the Organisation and
C the Country.
You are able to cross certify against the server Mail, the organizational unit Sales as well as the organization Cubetoon.
Cross certifying OtherServer1/OrganizationB from the imagined partner organization with the organizational unit Sales allows this server to communicate with all servers residing within this level. A cross certificate between OtherServer1/OrganizationB and CubeMail/Sales/Cubetoon/NZ explicitly allows the connection between these two identities.
It is important to keep in mind that cross certification isn’t a one-way street. Administrators on both sides of the organizations need to cross certify the opposite party to allow communication to occur. For a server-to-server certification, Cubetoon needs to cross certify OtherServer1, and OrganizationB needs to cross certify OtherServer1 against Mail.
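The level rule and the two-way requirement described above can be modelled in a few lines. This is an added example, not part of the original post and not Domino's own logic: it assumes a cross certificate can be treated as an (issued by, issued to) pair of abbreviated hierarchical names, and the Web/Marketing server is a hypothetical name used only for contrast.

```python
# Simplified model (assumption for illustration, not Domino's implementation):
# a cross certificate is a pair (issued_by, issued_to) of abbreviated
# hierarchical names such as "CubeMail/Sales/Cubetoon/NZ".

def covers(scope: str, identity: str) -> bool:
    """True if `scope` is the identity itself or one of its ancestor levels.

    Names are compared component by component and case-insensitively, so
    "Sales/Cubetoon/NZ" covers "CubeMail/Sales/Cubetoon/NZ" but a partial
    component such as "ales/Cubetoon/NZ" does not.
    """
    s = [part.strip().lower() for part in scope.split("/")]
    i = [part.strip().lower() for part in identity.split("/")]
    return len(s) <= len(i) and i[len(i) - len(s):] == s


def trusts(cross_certs, local: str, remote: str) -> bool:
    """Does the local side hold a cross certificate that applies to `remote`?"""
    return any(covers(by, local) and covers(to, remote) for by, to in cross_certs)


def can_communicate(certs_a, a: str, certs_b, b: str) -> bool:
    """Both sides must have cross certified the other party."""
    return trusts(certs_a, a, b) and trusts(certs_b, b, a)


# Constructed sample data using the names from the post.
# Cubetoon side: the OU Sales has cross certified OtherServer1.
CUBETOON_CERTS = [("Sales/Cubetoon/NZ", "OtherServer1/OrganizationB")]
# OrganizationB side: OtherServer1 has cross certified the OU Sales.
ORGB_CERTS = [("OtherServer1/OrganizationB", "Sales/Cubetoon/NZ")]

if __name__ == "__main__":
    partner = "OtherServer1/OrganizationB"
    for server in ("CubeMail/Sales/Cubetoon/NZ", "Web/Marketing/Cubetoon/NZ"):
        ok = can_communicate(CUBETOON_CERTS, server, ORGB_CERTS, partner)
        print(f"{server} <-> {partner}: {'allowed' if ok else 'refused'}")
    # Only Cubetoon has cross certified: the connection is still refused.
    one_way = can_communicate(CUBETOON_CERTS, "CubeMail/Sales/Cubetoon/NZ", [], partner)
    print(f"one-sided cross certificate: {'allowed' if one_way else 'refused'}")
```

Replacing the OU-level entries with server-level pairs narrows the result to the two named servers only, which is the explicit server-to-server case from the post.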