A customer recently reported they were having issues adding people to the Certificate Authority (CA) process. When they attempted to add people, they received the message “Cannot locate user certificate. Make sure server contains your certificate for encryption” as shown in the graphic below.
The customer had already done their due diligence: they verified that the “Home/mail server” field of their location document was set to the server where the ICL database resided, which satisfies the requirement that the server listed in this field be in the same domain as the encrypting server for the CA. They had also ensured that the “Mail file location” field was set to ‘Server’ and not ‘Local’, as that is a requirement as well.
My first step was to check the status of the CA process on the server via tell ca status. Everything was fine. I next examined the certifier being used, and found no issues there either. I then turned my focus to the ICL database. The most recent IDStorage document had last been modified on July 12, 2016. That was over 3 months ago, so something else was amiss.
With this knowledge in hand, I clicked the ‘Advanced’ button on the Modify Certifier dialogue to attempt to replace the certifier ID and/or repair the ICL database. This resulted in the same error: the user certificate could not be located. The next step was to determine whether any of the person documents for the administrators added to the CA process contained invalid Notes certificates. Once I had the list of CA administrators, I did a quick lookup of each of these users in the Domino directory. What I discovered is that one of the CA administrators was no longer in the directory. This explained the error message: every time the CA Process is updated, the certificates of all current users are verified, and because this user was no longer in the directory, their certificate could not be located.
I had a copy of their Domino directory from earlier in the year stored locally, so I was able to copy the person document of that administrator back into their directory. I then went into Modify the CA Process, removed the administrator that was no longer with the company, and the CA Process updated successfully as shown in the graphic below.
At this point I deleted the person document using the delete key rather than invoking the AdminP process via Delete Person, since the user had previously been removed from the domain.
The moral of the story is to always remove an administrator from the CA process BEFORE deleting them from the Domino Directory as AdminP does not update the CA Process as part of the Delete Person process.
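As an added example (not part of the original post), here is a check a Domino administrator could run before deleting a person or after a CA Process error: a LotusScript agent that looks each CA administrator up in the Domino Directory's ($Users) view and reports any who no longer have a Person document. The administrator names and the server name are constructed placeholders, and because the post does not say which field the CA process stores its administrator list in, the script takes that list as an array rather than reading it from the ICL database.

```lotusscript
' Added example, not from the original post: audit the CA administrator list
' against the Domino Directory so a removed user is caught before the CA
' Process is modified.
' Assumptions (hypothetical): the names in caAdmins and the server name are
' constructed; names.nsf and its ($Users) view are standard Domino objects.
Option Public
Option Declare

Sub Initialize
    Dim session As New NotesSession
    Dim dirDb As NotesDatabase
    Dim usersView As NotesView
    Dim personDoc As NotesDocument
    Dim caAdmins(2) As String   ' constructed sample list of CA administrators
    Dim i As Integer
    Dim missing As Integer

    ' Constructed sample names; replace with the real CA administrator list
    caAdmins(0) = "CN=Alice Admin/O=Example"
    caAdmins(1) = "CN=Bob Former/O=Example"
    caAdmins(2) = "CN=Carol Admin/O=Example"

    ' Assumption: the server that holds the primary Domino Directory
    Set dirDb = session.GetDatabase("CN=Server1/O=Example", "names.nsf", False)
    If dirDb Is Nothing Then
        Print "Cannot open the Domino Directory"
        Exit Sub
    End If
    Set usersView = dirDb.GetView("($Users)")

    missing = 0
    For i = LBound(caAdmins) To UBound(caAdmins)
        ' ($Users) is keyed on the name forms stored in each Person document,
        ' so an exact-match lookup returns the document if the user still exists
        Set personDoc = usersView.GetDocumentByKey(caAdmins(i), True)
        If personDoc Is Nothing Then
            Print "CA administrator not found in directory: " & caAdmins(i)
            missing = missing + 1
        End If
    Next
    Print CStr(missing) & " CA administrator(s) have no Person document"
End Sub
```

Any name the script reports should be removed from the CA process (via Modify Certifier) before the CA Process is updated again; if the person document is already gone, restoring it temporarily, as described above, is what allowed the update to succeed.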
Thanks for posting this, it’s one of the many undocumented features of Domino which can so easily lead to spending hours with IBM Support.
There’s a similar issue with ID Vault, which stops harvesting IDs if you delete a server that is listed in the Vault config. AdminP deletes servers from everywhere except there.
It wouldn’t surprise me if the same happens with ID Vault when you delete an Admin from the Directory.
You’re very welcome. Yes, similar issues can happen with ID Vault, as you say. It’s too bad these things aren’t documented in the wikis.