
Lost cert.id password, Is there any way to fix that?


lottopol (Technical User), Nov 27, 2001
I am trying to recertify a Lotus Notes certificate that has expired. I opened the admin client but was asked for a cert.id password which I do not know, and the only people who might know it cannot be found. Does anyone know how to handle this situation?

Thanks
 
From the Lotus knowledgebase:

Problem:

What should an Administrator do if a Notes/Domino Certifier ID has been lost, stolen or compromised?

Solution:

The following information describes how to recertify with a new CERT.ID and lock down the Public Address Book.

The good news is that the threat posed by someone with your Certifier ID can be contained and stopped. The bad news is that the recertification process is a manually-intensive process, making it somewhat difficult to recertify an organization.

A. Defining the Threat

The first step is to determine what a person with an organization's Certifier ID can do so that you know what activities can be prevented. The following is a list of the activities that a person with your organization's Certifier ID can do:

1. Create new user IDs, or forge duplicate user IDs which appear to have the same user name as an existing user but which actually have a different public key/private key pair from the original user's ID.

2. Create new server IDs, or forge duplicate servers (same as above) having different public key/private key pairs.

3. Create cross-certificates.

4. Create organizational level Certifier IDs.

5. Recertify existing user IDs and server IDs that have expired.


B. Containment Steps

Next you should determine what steps can be taken to stop someone who holds the Certifier ID. The following list of steps allows you to stop the activities of an unauthorized person holding your Certifier ID.

1. Tightly restrict access to the Public Address Book. Set default Access Control List (ACL) access to Reader. Restrict who you grant Author and higher rights in the ACL.

2. Turn on the following settings in every Server document:

- "Compare public keys against those stored in Address Book"
- "Only allow server access to users listed in this Address Book"

3. Turn on the following settings in the Public Address Book's ACL:

- "Enforce a consistent Access Control List across all replicas of this database"

4. Check each Server ID for any old or invalid flat certificates.

5. Restart each Notes server after making the changes to the Server documents.

6. Remove any old or invalid Person documents from the Public Address Book.

7. Remove any old or invalid Server documents from the Public Address Book.

8. Remove any old or invalid cross-certificates or Certificate documents from the Public Address Book.

NOTE: These steps apply specifically to the problem of a compromised Certifier ID. This is not intended to be an exhaustive list of the normal procedures and policies that you should already have in place to ensure the security of your environment, such as physical security, network operating system security, ensuring that database administrators understand their role in controlling who is granted ACL rights, etc.


C. Recertification Options

The following are possible workarounds:

1. Do nothing. Once the environment is secured and the threat of someone with your Certifier ID is contained, you can opt to do nothing else. You do not have to issue a new certifier to contain the threat. You could wait for a future product enhancement that would automate the recertification process and make it more convenient.

2. Migrate users and servers to a new Organization name and certifier. The good news is that the Administration Process (AdminP) makes it easier to roll out a name change for users. The bad news is that the process of renaming servers is manual and very detailed. The process of changing the distinguished names of all your servers would be a lot of work. Server renaming is not supported by AdminP.

3. Recertify manually. The bad news is that this is a manual process and takes time.

4. Attempt to automate the parts of the manual recertification process that affect each user through such things as agents, script, or emails with buttons.
 
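The containment steps B.1 and B.3 above (default ACL access no higher than Reader, and a consistent ACL across all replicas) can be applied and audited with a LotusScript agent rather than clicking through the ACL dialog on every replica. The agent below is an added example; it is not from the Lotus knowledgebase article or from the poster, and it assumes the Public Address Book is names.nsf on the server the agent runs on and that the agent's signer has Manager access to it. The Server document settings in step B.2 are left to the administrator, since their internal field names are not given on this page.

```lotusscript
' Added example (not from the Lotus knowledgebase or the post above).
' Applies containment steps B.1 and B.3 to the Public Address Book and
' reports every ACL entry still holding Author access or higher.
Option Public
Option Declare

Sub Initialize
    Dim session As New NotesSession
    Dim db As NotesDatabase
    Dim acl As NotesACL
    Dim entry As NotesACLEntry
    Dim changed As Boolean

    ' Assumption: the directory is names.nsf on the local server ("" = current server).
    Set db = session.GetDatabase("", "names.nsf")
    If Not db.IsOpen Then
        Print "Cannot open names.nsf; run this agent on the Domino server with Manager access"
        Exit Sub
    End If

    Set acl = db.ACL
    changed = False

    ' B.1: the -Default- entry must be no higher than Reader.
    ' ACLLEVEL_READER (3) < ACLLEVEL_AUTHOR (4), so numeric comparison is safe.
    Set entry = acl.GetEntry("-Default-")
    If Not entry Is Nothing Then
        If entry.Level > ACLLEVEL_READER Then
            Print "Lowering -Default- from level " & CStr(entry.Level) & " to Reader"
            entry.Level = ACLLEVEL_READER
            changed = True
        End If
    End If

    ' B.3: "Enforce a consistent Access Control List across all replicas"
    ' is the UniformAccess property of the ACL.
    If Not acl.UniformAccess Then
        Print "Enabling consistent ACL across replicas"
        acl.UniformAccess = True
        changed = True
    End If

    ' Audit: list every entry that can still write to the directory so an
    ' administrator can decide whether it belongs there (step B.1, second sentence).
    Set entry = acl.GetFirstEntry
    While Not entry Is Nothing
        If entry.Level >= ACLLEVEL_AUTHOR Then
            Print "Author or higher: " & entry.Name & " (level " & CStr(entry.Level) & ")"
        End If
        Set entry = acl.GetNextEntry(entry)
    Wend

    If changed Then Call acl.Save
End Sub
```

Run the agent once per server rather than relying on replication, since the "consistent ACL" flag only protects replicas after it has been set on a copy that then replicates; the Print lines go to the server log where a scheduled agent runs, or to the status bar when triggered from the client.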