HCL Domino Ideas Portal
Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.
For more information and upcoming events around #dominoforever, please visit our Destination Domino Page
Certifier IDs and certificates form the basis of HCL Domino® security. The cert.id is the root for the Domino internal PKI and the root of Dominos Security concept.
As documented at https://help.hcltechsw.com/domino/12.0.0/admin/plan_certifieridsandcertificates_c.html by default, the Server Setup program stores the certifier ID file in the directory you specify as the Domino data directory. The documentation further states:
To ensure security, store certifiers in a secure location -- such as a disk locked in a secure area.Domino is designed in lieu with Kerckhoffs's principle, that a cryptosystem should be secure, even if everything about the system, except the key, is public knowledge.
Therefore adding a back door to read/change/reset the password if the cert.id (which is basically the private key to the root certificate of the Domino PKI of that Domino environment) would severely impact the security of Domino.
In the case of the operational error that the cert.id password is no longer known, the only option is to recreate the whole certifier infratructure, which would include loss to encrypted data, etc (which could be in some cases mitigated, ...).
<comment removed>
I’m very troubled...
Has that ever happened to you?