Lotus Notes 9

Installing RTE’s application certificates

RTE’s application certificates are installed by "cross certification" when you receive your first signed and encrypted email from the application.

Note:

"Cross certification" is a process that lets a user install the certificate of another entity when receiving a message from that entity. Messages sent to that entity will then be encrypted using that cross certification.


Installing RTE CA’s certificates

Installing RTE Historical CA’s certificate

With your web browser go to the address below to download the file "Certification_Autority_RTE_2048.cer" containing RTE Historical CA’s certificate:
  • With Internet Explorer:
6.2.1 - 1.jpg
Click the "Save" button and choose a location to save the file "Certification_Autority_RTE_2048.cer"
  • With Mozilla Firefox:
6.2.1 - 2.jpg
Select "Save file" then click "OK". You may then be asked for a location to save the file "Certification_Autority_RTE_2048.cer".
6.2.1 - 3.jpg
Start Lotus Notes and go to "File > Security > User Security…":
6.2.1 - 4.jpg
If requested, enter your Notes password.
6.2.1 - 5.jpg
The following window appears:
6.2.1 - 6.jpg
Click "Your Identity" then "Your Certificates":
6.2.1 - 7.jpg
Select "Your Internet Certificates" in the drop-down list to display the Internet certificates already imported.

Click the "Get Certificates…" button and select "Import Internet Certificates…":
6.2.1 - 8.jpg
A window appears asking you to select a file. Choose to display all file extensions, then select the RTE Historical CA certificate "Certification_Authority_RTE_2048.cer" previously downloaded:

Click "Open" and in the window below choose the format "Base 64 encoded X.509":
6.2.1 - 9.jpg
Click "Continue".

The window below is displayed:
6.2.1 - 10.jpg
RTE Historical CA’s certificate is listed. If you click "Advanced Details…" the content of the selected certificate appears in the following window:
6.2.1 - 12.jpg
To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.
Digital hash of the certificate "RTE Certification Authority" SHA1

SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12
If this is not the case: click "Close" to go back to the previous window, click "Cancel", then call RTE’s Hotline.

Click "Accept All".
6.2.1 - 13.jpg
Click "OK", the certificate has successfully been imported.
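
The SHA1 comparison above can also be made on the downloaded file itself, before it is opened in Notes. The following is an added example, not part of RTE's documentation: it computes the SHA-1 fingerprint of a "Base 64 encoded X.509" (PEM) or binary (DER) .cer file and compares it with the values published on this page. The function names and the sample bytes are assumptions made for the illustration.

```python
import base64
import hashlib
import re

# SHA-1 fingerprints exactly as published on this page (mixed case, colons).
PINNED_SHA1 = {
    "RTE Certification Authority":
        "39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12",
    "RTE Root Certification Authority":
        "00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff",
    "RTE Client Certification Authority":
        "C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed",
}
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)

# Constructed stand-in bytes, NOT a real certificate: the fingerprint is the
# SHA-1 of the certificate's DER bytes, so any byte string exercises the check.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")


def normalize(fingerprint):
    """Reduce 'C8:53:de:...' or 'c8 53 DE ...' to 40 lowercase hex digits."""
    digits = re.sub(r"[:\s]", "", fingerprint).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digits):
        raise ValueError("not a SHA-1 fingerprint: %r" % fingerprint)
    return digits


def der_certificates(data):
    """Return the DER bytes of each certificate in a PEM or raw DER file."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        return [base64.b64decode(b"".join(b.split())) for b in blocks]
    return [data]


def sha1_fingerprint(der):
    return hashlib.sha1(der).hexdigest()


def identify(data):
    """Pair each certificate's fingerprint with its pinned CA name, or None."""
    pinned = {normalize(fp): name for name, fp in PINNED_SHA1.items()}
    prints = [sha1_fingerprint(der) for der in der_certificates(data)]
    return [(fp, pinned.get(fp)) for fp in prints]


def matches(data, expected):
    """True only if the file holds exactly one certificate with that hash."""
    certs = der_certificates(data)
    return len(certs) == 1 and sha1_fingerprint(certs[0]) == normalize(expected)
```

For the downloaded file, read it in binary mode and call matches(data, PINNED_SHA1["RTE Certification Authority"]); a result of False corresponds to the "If this is not the case" branch above.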


Installing RTE Root and RTE Client CAs certificates

To import the trust chain formed by RTE Root CA and RTE Client CA, you need to create a PKCS#7 file that contains the certificates of these 2 CAs. To create this file, the RTE Root CA and RTE Client CA certificates must first be imported into the Internet Explorer certificate store or the Mozilla Firefox certificate store.


Creating P7c file containing RTE Root CA/RTE Client CA trust chain with Mozilla Firefox

In the certificate store of Mozilla Firefox, select the RTE Client CA’s certificate "RTE Client Certification Authority" and click on "Export…":
6.2.2.1 - 1.jpg
Choose where to save the file, choose the file type "X.509 Certificate with chain (PKCS#7) (*.p7c)":
6.2.2.1 - 2.jpg
Click on "Save".


Creating P7b file containing RTE Root CA/RTE Client CA trust chain with Internet Explorer

In Internet Explorer certificate store, select the RTE Client CA’s certificate "RTE Client Certification Authority" and click on "Export…":
6.2.2.2 - 1.jpg
The Certificate Export wizard opens, click on "Next":
6.2.2.2 - 2.jpg
6.2.2.2 - 3.jpg
Choose the "Cryptographic Message Syntax Standard–PKCS#7 Certificates (.P7B)" option and check "Include all certificates in the certification path if possible".
Click on "Next".
6.2.2.2 - 4.jpg
Click on "Browse…". Choose a place to save your .p7b file and click on "Save":
6.2.2.2 - 5.jpg
Click on "Next".
6.2.2.2 - 6.jpg
Click on "Finish".
6.2.2.2 - 7.jpg
Click on "Ok".
6.2.2.2 - 7.jpg



Importing PKCS7 file in Lotus Notes 9

Start Lotus Notes and go to "File > Security > User Security…":
6.2.2.3 - 1.jpg
If requested, enter your Notes password.
6.2.2.3 - 2.jpg
The following window appears:
6.2.2.3 - 3.jpg
Click "Your Identity" then "Your Certificates":
6.2.2.3 - 4.jpg
Select "Your Internet Certificates" in the drop-down list to display the Internet certificates already imported.

Click the "Get Certificates…" button and select "Import Internet Certificates…":
6.2.2.3 - 5.jpg
A window appears asking you to select a file; choose the PKCS#7 file type (extension ".p7b" or ".p7c").
  • The process on Mozilla Firefox and Internet Explorer
    6.2.2.3 - 6.jpg
    Select the .p7c file containing the trust chain RTE Root CA / RTE Client CA.

Click "Open" and the window below is displayed:
6.2.2.3 - 8.jpg
To see the content of the RTE Root CA’s certificate, you must select it.
If you click on "Advanced Details…", a window shows you the details of the selected certificate:
6.2.2.3 - 9.jpg
To ensure that you import the real RTE Root CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.
Digital hash of the certificate "RTE Root Certification Authority"

SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff
If this is not the case: click "Close" to go back to the previous window, click "Cancel", then call RTE’s Hotline.
Click "Close" to return to the initial window: "Import Internet Certificates"

To see the content of the RTE Client CA’s certificate, you must select it.
If you click on "Advanced Details…", a window shows you the details of the selected certificate:
6.2.2.3 - 10.jpg
To ensure that you import the real RTE Client CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.
Digital hash of the certificate "RTE Client Certification Authority"

SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed
If this is not the case: click "Close" to go back to the previous window, click "Cancel", then call RTE’s Hotline.
If this is the case, click "Close" to return to the initial window: "Import Internet Certificates".

Click on "Accept It All"
6.2.2.3 - 11.jpg



Installing your personal certificate signed by RTE Historical CA

Creation of a PKCS#12 file readable by Notes

Lotus Notes can install a certificate and its associated private key only from a PKCS #12 file that contains the trust chain (RTE Historical CA / personal certificate). This is not the case for the file "name_certificate.p12" you downloaded when you retrieved your certificate.

To generate a file accepted by Lotus Notes, install RTE CA’s certificate and your certificates in a browser and then export your personal certificate as a PKCS#12 file. Depending on the browser you are using, perform one of the procedures below.
  • With Microsoft Internet Explorer:
    • Install the three RTE CA certificates.
    • Install your personal certificate, making sure to check the box "Mark this key as exportable."
    • Export your certificate to a PKCS#12 file, making sure to check the box "Include all certificates in the certification path if possible".
  • With Mozilla Firefox:
    • Install the three RTE CA certificates.
    • Install your personal certificate.
    • Export your certificate to a PKCS#12 file.


Installing the PKCS#12 file in Notes

Start Lotus Notes and go to "File > Security > User Security…":
6.3.2 - 1.jpg
If requested, enter your Notes password.

The following window appears:
6.3.2 - 2.jpg
Click "Your Identity" then "Your Certificates":
6.3.2 - 3.jpg
Select "Your Internet Certificates" in the drop-down list to display the Internet certificates already imported.

Click the "Get Certificates…" button and select "Import Internet Certificates…":
6.3.2 - 4.jpg
A window appears asking you to select a PKCS#12 file (extension ".pfx" or ".p12").

Select the file containing your personal certificate, its private key and RTE Historical CA certificate:
6.3.2 - 5.jpg
Click "Open" and in the window below choose the format PKCS 12:
6.3.2 - 6.jpg
Click "Continue". The PKCS12 file’s password is requested:
6.3.2 - 7.jpg
Click "OK" and the window below is displayed:
6.3.2 - 8.jpg
The certificate you want to import and the RTE Historical CA certificate are listed. If you click "Advanced Details…" the content of the selected certificate (yours) appears in the window:
6.3.2 - 9.jpg
Click "Close" to go back to the previous window.

To see the content of RTE Historical CA’s certificate, you must select it:
6.3.2 - 10.jpg
And click "Advanced Details…":
6.3.2 - 11.jpg
To ensure that you are installing the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.
Digital hash of the certificate "RTE Certification Authority" SHA1

SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12
If this is not the case: click "Close" to go back to the previous window, click "Cancel", then call RTE’s Hotline.

Click "Close" to go back to the main screen:
6.3.2 - 12.jpg
Click "Accept All".

If necessary, enter your Notes password and click "OK".
6.3.2 - 13.jpg
The certificate, now visible here, has successfully been imported. Click "OK" to end the import.


Visualization of the certificate

To view your certificate, access the menu "File > Security > User Security…", then click the item "Your Identity" and "Your Certificates".
Select "Your Internet Certificates" in the drop-down list.
6.3.3 - 1.jpg
Select your personal certificate and click the "Advanced Details…" button. The certificate’s details are then presented in the window below:
6.3.3 - 2.jpg
To view RTE Historical CA’s certificate, access the menu "File > Security > User Security…", then click the item "Your Identity" and "Your Certificates".
Select "All Internet Certificates" in the drop-down list.
6.3.3 - 3.jpg
To see the content of RTE Historical CA’s certificate, you must select it, and click "Advanced Details…":
6.3.3 - 4.jpg
To ensure that you have downloaded the real RTE Historical CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.
Digital hash of the certificate "RTE Certification Authority" SHA1

SHA1 39:83:D6:10:A2:C4:D5:60:45:A0:C1:D0:E3:FA:E1:42:45:8A:37:12
If this is not the case: click "Close" to go back to the previous window, click "Cancel", then call RTE’s Hotline.


Installing your personal certificate signed by the new PKI of RTE

Creation of a PKCS#12 file readable by Notes

Lotus Notes can install a certificate and its associated private key only from a PKCS #12 file that contains the trust chain (RTE Root CA / RTE Client CA / personal certificate). This is not the case for the file "name_certificate.p12" you downloaded when you retrieved your certificate.

To generate a file accepted by Lotus Notes, install RTE CA’s certificate and your certificates in a browser and then export your personal certificate as a PKCS#12 file. Depending on the browser you are using, perform one of the procedures below.
  • With Internet Explorer:
    • Install the three RTE CA certificates.
    • Install your personal certificate, making sure to check the box "Mark this key as exportable."
    • Export your certificate to a PKCS#12 file, making sure to check the box "Include all certificates in the certification path if possible".
  • With Mozilla Firefox:
    • Install the three RTE CA certificates.
    • Install your personal certificate.
    • Export your certificate to a PKCS#12 file.



Installing the PKCS#12 file in Notes

Start Lotus Notes and go to "File > Security > User Security…":
6.4.2 - 1.jpg
If requested, enter your Notes password.

The following window appears:
6.4.2 - 2.jpg
Click "Your Identity" then "Your Certificates":
6.4.2 - 3.jpg
Select "Your Internet Certificates" in the drop-down list to display the Internet certificates already imported.

Click the "Get Certificates…" button and select "Import Internet Certificates…":
6.4.2 - 4.jpg
A window appears asking you to select a PKCS#12 file (extension ".pfx" or ".p12").

Select the file containing your personal certificate, its private key and RTE Root CA and RTE Client CA certificates:
6.4.2 - 5.jpg
Click "Open" and in the window below choose the format PKCS 12:
6.4.2 - 6.jpg
Click "Continue". The PKCS12 file’s password is requested:
6.4.2 - 7.jpg
Click "OK" and the window below is displayed:
6.4.2 - 8.jpg
The certificate you want to import and the trust chain are listed. If you click "Advanced Details…" the content of the selected certificate (yours) appears in the window:
6.4.2 - 9.jpg
Click "Close" to go back to the previous window.

To see the content of the RTE Root CA’s certificate, you must select it.
6.4.2 - 10.jpg
If you click on "Advanced Details…", a window shows you the details of the selected certificate:
6.4.2 - 11.jpg
To ensure that you have downloaded the real RTE Root CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.
Digital hash of the certificate "RTE Root Certification Authority" SHA1

SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff
If this is not the case: click "Close" to go back to the previous window, click "Cancel", then call RTE’s Hotline.

Click "Close" to return to the initial window: "Import Internet Certificates"

To see the content of the RTE Client CA’s certificate, you must select it.

If you click on "Advanced Details…", a window shows you the details of the selected certificate:
6.4.2 - 12.jpg
To ensure that you have downloaded the real RTE Client CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.
Digital hash of the certificate "RTE Client Certification Authority" SHA1

SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed
If this is not the case: click "Close" to go back to the previous window, click "Cancel", then call RTE’s Hotline.

If this is the case, click "Close" to return to the initial window: "Import Internet Certificates"
6.4.2 - 13.jpg
Click "Accept All".

If necessary, enter your Notes password and click "OK".
6.4.2 - 14.jpg
Click "OK", the window below appears:
6.4.2 - 15.jpg
The certificate, now visible here, has successfully been imported. Click "OK" to end the import.


Visualization of the certificate

To view your certificate, access the menu "File > Security > User Security…", then click the item "Your Identity" and "Your Certificates".
Select "Your Internet Certificates" in the drop-down list.
6.4.3 - 1.jpg
Select your personal certificate and click the "Advanced Details…" button. The certificate’s details are then presented in the window below:
6.4.3 - 2.jpg
To view RTE Root CA and RTE Client CA’s certificates, access the menu "File > Security > User Security…", then click the item "Your Identity" and "Your Certificates".
Select "All Internet Certificates" in the drop-down list.
6.4.3 - 3.jpg
To see the content of the RTE Root CA’s certificate, you must select it. If you click on "Advanced Details…", a window shows you the details of the selected certificate:
6.4.3 - 4.jpg
To ensure that you have downloaded the real RTE Root CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.
Digital hash of the certificate "RTE Root Certification Authority"

SHA1 00:64:8c:01:f4:02:9d:dc:6b:4e:1e:37:ae:76:28:75:17:b1:72:ff
If this is not the case: click "Close" to go back to the previous window and call RTE’s Hotline. Click "Close" to return to the initial window.
To see the content of the RTE Client CA’s certificate, you must select it.

If you click on "Advanced Details…", a window shows you the details of the selected certificate:
6.4.3 - 5.jpg
To ensure that you have downloaded the real RTE Client CA's certificate, check carefully that the "SHA1" hash displayed is identical to the one shown below.
Digital hash of the certificate "RTE Client Certification Authority" SHA1

SHA1 C8:53:de:36:da:fd:38:37:c3:de:a5:6c:b0:d1:eb:06:28:f6:dc:ed
If this is not the case: click "Close" to go back to the previous window and call RTE’s Hotline.

Click "Close" to return to the initial window.


Email account configuration

If you have multiple certificates that can sign your sent messages, you must set as the default the one that will be used for exchanges with RTE.

In Lotus Notes, open the menu "File > Security > User Security…", then click "Your Identity" and "Your Certificates":
6.5 - 1.jpg
Select "Your Internet Certificates" in the drop-down list to display your Internet certificates that are already imported.

Select your certificate and click the "Advanced Details" button.
6.5 - 2.jpg
If you only have one certificate, the box "Use this certificate as your default signing certificate" will be greyed out and checked. If not, check it, as above, and click "OK".


Installing RTE’s application certificate

The first time you select a signed and encrypted message you have received, a dialog box similar to the one below appears, allowing you to trust the issuer:
6.6 - 1.jpg
For this, you must click on the "Cross certify" button.

Then, when you display this signed message, choose the "Add Sender to Contacts…" feature, which adds the issuer and its certificate to your address book.
6.6 - 2.jpg
The following window appears:
6.6 - 3.jpg
Just verify that the box "Include X.509 certificates when encountered" is checked and click "OK".

Whenever an encrypted email is sent to this application, its installed certificate will now automatically be selected to perform the encryption.


Using the certificate: sending a signed-encrypted email

When composing a message, you can sign and encrypt it if you have both your own certificate and your correspondent's certificate (see the import procedure for your certificate above).
6.7 - 1.jpg
To do so, when you write a new message, click the "Delivery Options" button and check the "Sign" and "Encrypt" boxes as shown below:
6.7 - 2.jpg
Click "OK".
That is all: Notes then automatically signs and encrypts your message.