Customizing a Notes install kit to set certifier and trust defaults

You can configure the deploy.nsf application to specify administrative trust settings using an Export option in the server's Domino® Directory (names.nsf) to add those settings to the install kit's deploy.nsf application.

About this task

The administrative trust defaults in deploy.nsf and the Internet certifiers in the install kit's Java™ keystore are processed to define trusted certifiers. The keystore is used directly during install, but is ignored at runtime. The deploy.nsf is processed at startup to add trust certifiers to the user's Contacts application (names.nsf) to be used at runtime.

You can install the deploy.nsf application as part of a Notes® client install kit.

You cannot manually edit or delete certificates in the deploy.nsf. You can only make changes to the installed deploy.nsf only by exporting from the server's Domino Directory to a new deploy.nsf and then overwriting the installed deploy.nsf with the new file. The notes.ini statement FORCE_PROCESS_DEPLOY_NSF=1 ensures that the deploy.nsf application is processed. Alternatively, you can simply use Domino policy. If there are certificates listed in the installed deploy.nsf and you overwrite the with a new deploy.nsf, any certificates that are not in the new deploy.nsf are deleted. If you are going to use this technique, maintain a central and cumulative deploy.nsf so as not to unintentionally delete certificates from a user's system.

Pushing administrative trust settings to users by customizing the install kit enables you to do the following:

You can alternatively push administrative trust settings to users from Domino policy, which is the recommended method, to centrally manage and change settings as needed.

Note: You should use the action Export Certificates to Deploy Database only to make changes to an existing deploy.nsf.

Note: If you use the Domino policy method (Keys and Certificates tab on the Security policy page) to push trust settings, then even if there is an installed deploy.nsf it will be ignored and the policy settings will instead be used. Any certificates resident in the Contacts application because of the deploy.nsf, and that are not specified in Domino policy, will be removed.

To add administrative trust settings to an install kit without pushing those settings from the Keys and Certificate tab on the Security policy page, proceed as follows.


1. Log into a Domino Administrator or Notes client using an administrative ID.

2. Open the server's Domino Directory (names.nsf).
3. Open the Security/Certificates view.

4. Select all the Internet certifiers, and Notes and Internet cross-certificates, that you want to deploy.

5. Click Export Certificates to the Deploy Database on the Actions menu.

6. Specify the location at which to create the Java keystores and the deploy.nsf application.

7. Respond to the force deletes prompt and click Next.
8. Copy the .keystore* files to the deploy directory of the kit and the ddeploy.nsf to the deploy/extras directory of the kit.
9. Run the Notes installation program.
Parent topic: Customizing Notes install for features and plug-ins on Windows and Mac

Related tasks
Pushing trusted certificates to Notes clients
Pushing certificates to clients through security policy settings
Creating a cross-certificate from a Notes certifier
Creating an Internet cross-certificate in the Domino Directory from a certifier document
Signing custom or third-party features and plug-ins for install and update