Lotus Notes: issue when importing Symantec/Verisign certificate

0

In order to sign/encrypt email I have installed a Verisign S/MIME certificate from Verisign and exported it from IE as a .pfx (PKCS #12).

My problem is that when I tried to import it in Security > My Identity > your Certification > Import certificate I got this error:

The signature on the server is invalid, detail can be found in protocol

I have seen on the Internet that I have to be sure that the root certificate VeriSign_Class_1_Public_Primary_Certification_Authority_G3 and the intermediate certificate Symantec Class 1 Individual Subscriber - G5 are installed.

In my case, when I check in IE I find all the certificates, but in Lotus Notes under File > security > identity of Other > certification > Internet all I see is the root Verisign certificate; I don't find the intermediate certificate (Symantec ...).

How can I import this intermediate certificate, and does anyone have any idea whether this is really the source of the issue?

I use Lotus Notes 8.5.

Mah54

Posted 2016-04-04T10:36:25.107

Reputation: 1

This is not a security issue, but a Lotus Notes config issue. Please contact Lotus Notes support or guides for help. – schroeder – 2016-04-04T15:06:31.490

Answers

0

The reason for the error is that in order to import a certificate into your ID you need the complete certificate chain to be trusted. By default some of the newer intermediate certificates are neither in the Domino Directory nor in your personal address book nor in your ID file.

If you only need this for yourself, then use the dialog you already found to import the root and all intermediates into your ID file via the Your Certificates - Get Certificates - Import Internet Certificates button, adding them (top to bottom, root -> intermediate -> personal) to your ID.

If you need this for more than one user, then add the intermediate certificate directly to the Domino Directory; it will then be used automatically for every user. To do this, open names.nsf on your server, go to the Security\Certificates view and click Actions - Import Internet Certificates. Then select the certificates and import them.

In order for certificates to work it is VERY important to:

  • import them in the right order
  • don't forget any intermediate
  • make sure that you have the COMPLETE and CORRECT chain

I will give one example (it is for server certificates, but the same is true for S/MIME certificates):

If you have a Thawte 123 Server certificate, then you FIRST need the Thawte Premium Server:

    Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
    Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

This information can be extracted using the free openssl tool with the command openssl x509 -in filenamewithcert.pem -text

You see: in this certificate issuer and subject are identical. This is the self-signed root.

Then you need the thawte Primary Root:

    Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
    Subject: C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA

You see: the ISSUER is the first imported cert. It is IMPORTANT that they match.

And the last one, before your own server cert, is the Thawte DV SSL CA:

    Issuer: C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA
    Subject: C=US, O=Thawte, Inc., OU=Domain Validated SSL, CN=Thawte DV SSL CA

That itself is signed by the Primary root.

Very often the signers of your certificates do not make it easy for you to find out which certificates are used to sign your own. Use openssl to find out and "reverse engineer" the right order. If you import everything in THIS order and don't leave out any intermediate, then it will work.

Torsten Link

Posted 2016-04-04T10:36:25.107

Reputation: 970

@Torsten: Thank you for your answer. Actually I have no problem adding the root certificate; it is already in my Domino Directory and I can also add it through Security > My Identity > Get Certificates > Import Internet Certificates

The issue is that when I try to do the same thing with the intermediate certificate I get the same error:

The signature on the server is invalid, detail can be found in protocol

– Mah54 – 2016-04-05T11:00:49.387

I followed you in adding the intermediate through Actions - Import Internet Certificates in Names.nsf and it's okay; the import of all the certificates (Root+Intermediate+personal) succeeds, but in Security > My Identity > Get Certificates > Internet Certificates I still do not see my personal certificate, and when I try to send a certified email to an external address (Gmail/Yahoo) I get a message that tells me: – Mah54 – 2016-04-05T11:02:56.293

"You have requested to sign this Internet message, but your current ID does not contain or does not specify an Internet certificate for signing. Select OK to send this message anyway. Select Cancel to not send the message" – Mah54 – 2016-04-05T11:03:15.450

For information, I have added my personal certificate to my NAB through Actions - Import Internet Certificates

But when I check File > Security > Mail > Option for Mails... > Configuration Certificate I find no Internet certificate, and that's why I cannot send a signed email (then encrypted) – Mah54 – 2016-04-05T11:03:34.560

Please check my edit. – Torsten Link – 2016-04-05T12:54:20.527

Thank you for the information given, but like I said, the import through My Identity ... > Import Internet Certificates does not work; I get the error message "The signature on the server is invalid, detail can be found in protocol" – Mah54 – 2016-04-05T13:52:38.250

C H E C K T H E C H A I N... – Torsten Link – 2016-04-05T13:53:32.303

I am sure that the order that I used during the import is correct; I have also contacted Symantec Support to be sure that the chain and the order are correct – Mah54 – 2016-04-05T13:58:40.597

For the moment I have added all certificates to my Names.nsf and merged the Symantec ones with my Notes ID through Identity of Other > People and Services in order to make my personal certificate trustworthy. But when I try to send an email to an external address I receive the message that I mentioned just now: You have requested to sign this Internet message, but your current ID does not contain or does not specify an Internet certificate for signing ... – Mah54 – 2016-04-05T14:08:02.167

Why "Identity of Other"???? I fear that you should directly contact a professional; this is too much to support here on superuser... – Torsten Link – 2016-04-05T14:15:57.577

0

After researching I would like to share with you the solution for my problem.

Notes version 8.5.x does not support SHA-2, and unfortunately there is no hotfix on 8.5.x to add SHA-2 support.

SHA-2 is only available in Domino 9.0.x because 8.5.x releases "lack the cryptographic infrastructure for SHA-2".

That's why I get this error message.

I tested the same certificate on Notes 9.0.1 and everything is okay.

For information:

Microsoft recommends that certificate authorities no longer sign newly generated certificates using the SHA-1 hashing algorithm and begin migrating to SHA-2.

Mah54

Posted 2016-04-04T10:36:25.107

Reputation: 1
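The first answer works out the import order by hand from the Issuer and Subject lines of openssl x509 -text, and the second answer explains that Notes 8.5.x cannot verify SHA-2 signatures. The script below, added here as an illustration and not code from the original thread or from IBM/Lotus, automates both checks: it parses concatenated openssl x509 -text output, walks the bundle root -> intermediate -> leaf by matching each Issuer to the Subject above it, reports any issuer for which no certificate is present (a missing intermediate, the "CHECK THE CHAIN" failure), and lists which certificates carry a SHA-2 signature. The sample bundle is constructed for the demo: the names follow the Thawte chain quoted in the answer, the leaf mail.example.com is made up, and the signature algorithms are assumptions, not values from the page.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of `openssl x509 -text` output, one
# "Certificate:" section per file, trimmed to the fields this script reads.
# Names follow the Thawte chain quoted in the first answer plus a made-up
# leaf; the signature algorithms are assumptions chosen for the demo.
SAMPLE_BUNDLE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ZA, O=Thawte Consulting cc, CN=Thawte Premium Server CA
        Subject: C=ZA, O=Thawte Consulting cc, CN=Thawte Premium Server CA
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=thawte, Inc., CN=thawte Primary Root CA
        Subject: C=US, O=Thawte, Inc., OU=Domain Validated SSL, CN=Thawte DV SSL CA
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ZA, O=Thawte Consulting cc, CN=Thawte Premium Server CA
        Subject: C=US, O=thawte, Inc., CN=thawte Primary Root CA
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Thawte, Inc., OU=Domain Validated SSL, CN=Thawte DV SSL CA
        Subject: C=US, O=Example Corp, CN=mail.example.com
"""

FIELD_RE = re.compile(r"^\s*(Signature Algorithm|Issuer|Subject):\s*(.+?)\s*$")
SHA2_PREFIXES = ("sha224", "sha256", "sha384", "sha512")


def normalize_dn(value: str) -> str:
    """Canonicalise spacing so 'C = ZA, O = x' and 'C=ZA,O=x' compare equal
    (newer openssl prints spaces around '='; older builds do not)."""
    value = re.sub(r"\s*=\s*", "=", value)
    return re.sub(r"\s*,\s*", ", ", value)


def parse_openssl_text(text: str) -> List[Dict[str, str]]:
    """Split concatenated `openssl x509 -text` output into one dict per
    certificate with 'issuer', 'subject' and 'signature_algorithm' keys."""
    certs: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("Certificate:"):
            current = {}
            certs.append(current)
            continue
        match = FIELD_RE.match(line)
        if match and certs:
            key = match.group(1).lower().replace(" ", "_")
            # 'Signature Algorithm' appears twice in real output; keep the first.
            current.setdefault(key, normalize_dn(match.group(2)))
    return [c for c in certs if "issuer" in c and "subject" in c]


def order_chain(certs: List[Dict[str, str]]) -> Dict[str, object]:
    """Walk the bundle top-down (root -> intermediates -> leaf) by matching
    each certificate's Issuer to the Subject of the one above it, which is
    the import order the first answer prescribes. Returns the ordered
    subjects, the issuer names no certificate in the bundle provides (a
    missing intermediate), the certificates left unreachable by that gap,
    and the certificates signed with a SHA-2 algorithm, which the second
    answer reports Notes 8.5.x cannot verify."""
    roots = [c for c in certs if c["issuer"] == c["subject"]]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one self-signed root, found {len(roots)}")
    chain = [roots[0]]
    remaining = [c for c in certs if c is not roots[0]]
    while True:
        children = [c for c in remaining if c["issuer"] == chain[-1]["subject"]]
        if not children:
            break
        if len(children) > 1:
            raise ValueError(f"more than one certificate issued by {chain[-1]['subject']!r}")
        chain.append(children[0])
        remaining.remove(children[0])
    # Anything left over names an issuer that is not in the chain: a gap.
    missing = sorted({c["issuer"] for c in remaining})
    return {
        "order": [c["subject"] for c in chain],
        "missing": missing,
        "unreachable": [c["subject"] for c in remaining],
        "sha2_signed": [
            c["subject"] for c in chain
            if c.get("signature_algorithm", "").lower().startswith(SHA2_PREFIXES)
        ],
    }


if __name__ == "__main__":
    report = order_chain(parse_openssl_text(SAMPLE_BUNDLE))
    print("import order (root first):")
    for i, subject in enumerate(report["order"], 1):
        print(f"  {i}. {subject}")
    if report["missing"]:
        print("missing intermediate(s):", report["missing"])
    print("SHA-2 signed (not verifiable by Notes 8.5.x):", report["sha2_signed"])
```

To use it on real files, run openssl x509 -in cert.pem -text for each certificate in the bundle and feed the concatenated output to parse_openssl_text; the "order" list is the sequence to import, and a non-empty "missing" list names the intermediate you still have to obtain from the CA before the import will succeed. A leaf in "sha2_signed" is the case the second answer hit: the chain can be complete and correctly ordered and Notes 8.5.x will still reject it, so the remedy is a client upgrade, not another import attempt.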