Skip to Main Content
HCL Domino Ideas Portal

Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement request. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are and when they will be implemented.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page

Status Under Consideration
Workspace Domino
Categories Security
Created by Guest
Created on Apr 29, 2019

PKI certificate in the person document - Domino to not check the whole certificate and just the SubjectDN

If that name matches an entry in the Domino Directory, you use the first entry from the full name field for further authorization. Otherwise, you use the common name from the certificate.


More data points for not keeping the entire PKI certificate in the person document and authenticating to it. Just use common name from cert if cert is valid and if common name is in directories, use the person from directory otherwise, use person name from cert.  

1) Different systems send different authentication information for the same certificate.  For example, using the same CAC (card that has PKI certs on it inserted in a card reader), Windows 7, Windows 10, and ActiveIdentity all send different information for authentication though the CAC is the same.

2) Competition, in this case SharePoint, is able to send a specifically crafted request to client for authentication that limits selection to one specific certificate type. Domino and some other systems just ask for a certificate. With Windows 10 especially, you have to select "More" and scroll through a list of certificates that often go off the screen to select the one you want. The list includes any that are on the machine in the person certificate store. SharePoint implementation here is able to limit it to just the certificate(s) they honor out of the multiple types.

  • Attach files
  • Admin
    Thomas Hampel
    Feb 20, 2020

    2.) Domino will also "send a specially crafted request" listing the trusted roots from the server's keyring file. Editing the trusted roots in that keyring file will change which trusted roots are sent in the CertificateRequest message which will change which certificates are selected by the web browser.