HCL Domino Ideas Portal

Status No Plans to Implement
Workspace Domino
Categories Security
Created by Guest
Created on Nov 16, 2021

Provide some way to recover the password of the root cert.id, or change / reset it to a new one, when the old password has been forgotten

The customer's old Domino Server administrator moved to another company, but did not tell the new administrator the password for the root cert.id used for this customer.

The customer asked HCL to provide some way to recover the password or change / reset the password.

But currently there is no way to do that.

Please provide some way in a future release to help the customer recover the password or change / reset it to a new one.

  • Guest
    Nov 16, 2021

    Certifier IDs and certificates form the basis of HCL Domino® security. The cert.id is the root of the Domino internal PKI and the root of Domino's security concept.

    As documented at https://help.hcltechsw.com/domino/12.0.0/admin/plan_certifieridsandcertificates_c.html, by default the Server Setup program stores the certifier ID file in the directory you specify as the Domino data directory. The documentation further states:
    "To ensure security, store certifiers in a secure location -- such as a disk locked in a secure area."

    Domino is designed in line with Kerckhoffs's principle, that a cryptosystem should be secure even if everything about the system, except the key, is public knowledge.

    Therefore, adding a back door to read/change/reset the password of the cert.id (which is basically the private key to the root certificate of the Domino PKI of that Domino environment) would severely impact the security of Domino.

    In the case of the operational error that the cert.id password is no longer known, the only option is to recreate the whole certifier infrastructure, which would include loss of encrypted data, etc. (which could be in some cases mitigated, ...).


  • Guest
    Nov 16, 2021

    I’m very troubled...
    Has that ever happened to you?