The reason for the error is that in order to import a certificate into your ID you need the complete certificate chain to be trusted. By default some of the newer intermediate certificates are neither in the domino directory nor in your personal address book nor in your id file.
If you only need this for yourself, then use the dialog you already found to import the root and all intermediates into your ID file: use the Your Certificates - Get Certificates - Import Internet Certificates button and add them (top to bottom, root -> intermediate -> personal) to your ID.
If you need this for more than one user, then directly add the intermediate certificate to the Domino Directory. Then it will be automatically used for every user. To do this, open names.nsf on your server, go to the Security\Certificates view and click on Actions - Import Internet Certificates. Then select the certificates and import them.
In order for certificates to work it is VERY important to:
- import them in the right order
- not forget any intermediate
- make sure that you have the COMPLETE and CORRECT chain
I will give one example (it is for server certificates, but the same is true for MIME certificates):
If you have a Thawte 123 Server certificate, then you FIRST need the Thawte Premium Server:
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
Subject: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
This information can be extracted using the free OpenSSL tool with the command openssl x509 -in filenamewithcert.pem -text
You see: in this certificate issuer and subject are identical. This is the self-signed root.
Then you need the thawte Primary Root:
Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
Subject: C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA
You see: the ISSUER is the first imported cert. It is IMPORTANT that they match.
And the last one - before your own server cert - is the Thawte DV SSL CA:
Issuer: C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA
Subject: C=US, O=Thawte, Inc., OU=Domain Validated SSL, CN=Thawte DV SSL CA
That itself is signed by the Primary root.
Very often the signers of your certificates do not make it easy for you to find out, which certificates are used to sign your own. Use openssl to find out and "reverse engineer" the right order. If you import everything in THIS order and don't leave out any intermediate, then it will work.
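The "reverse engineering" of the order described in the answer above can be automated once you have the issuer and subject of every certificate file. The following Python script is an added example (not code from the answer's author or from Domino): it assumes you ran `openssl x509 -in <file> -noout -subject -issuer` over every PEM file in the bundle and concatenated the output, parses the subject/issuer pairs, finds the self-signed root, walks issuer -> subject until it reaches the end-entity certificate, and names the certificate whose issuer is missing when an intermediate has been left out. The three Thawte DNs are the ones quoted above; the server certificate DN (www.example.com) and the file order are constructed for the example.

```python
"""Order a bundle of X.509 certificates root -> intermediates -> end entity
using only the subject/issuer lines printed by openssl, and report gaps."""
import re

# DNs quoted in the answer above (treated as opaque strings, as openssl prints them).
PREMIUM = ("C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, "
           "OU=Certification Services Division, CN=Thawte Premium Server CA"
           "/emailAddress=premium-server@thawte.com")
PRIMARY = ("C=US, O=thawte, Inc., OU=Certification Services Division, "
           "OU=(c) 2006 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA")
DV = "C=US, O=Thawte, Inc., OU=Domain Validated SSL, CN=Thawte DV SSL CA"
# Hypothetical end-entity (server) certificate, constructed for this example.
SERVER = "C=DE, O=Example GmbH, CN=www.example.com"

# Constructed sample: what
#   for f in *.pem; do openssl x509 -in "$f" -noout -subject -issuer; done
# prints, with the files deliberately in the wrong order.
SAMPLE = "\n".join([
    f"subject= {DV}",      f"issuer= {PRIMARY}",
    f"subject= {SERVER}",  f"issuer= {DV}",
    f"subject= {PREMIUM}", f"issuer= {PREMIUM}",
    f"subject= {PRIMARY}", f"issuer= {PREMIUM}",
]) + "\n"

# Accepts both "subject= C=..." (older openssl) and "subject=C=..." (newer).
LINE = re.compile(r"^\s*(subject|issuer)\s*=\s*(.*?)\s*$", re.IGNORECASE)


def parse_dn_pairs(text):
    """Return a list of (subject, issuer) tuples, one per certificate."""
    certs, cur = [], {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        cur[m.group(1).lower()] = " ".join(m.group(2).split())  # normalise spaces
        if "subject" in cur and "issuer" in cur:
            certs.append((cur["subject"], cur["issuer"]))
            cur = {}
    if cur:
        raise ValueError("dangling subject/issuer line without its partner")
    return certs


def missing_issuers(certs):
    """DNs that sign something in the bundle but are not themselves in it."""
    subjects = {s for s, _ in certs}
    return sorted({i for _, i in certs if i not in subjects})


def order_chain(certs):
    """Return subjects ordered root -> intermediates -> end entity.
    Raises ValueError when the chain is incomplete, has no root, or branches."""
    missing = missing_issuers(certs)
    if missing:
        raise ValueError("missing intermediate(s), nothing in the bundle has subject: "
                         + "; ".join(missing))
    roots = [s for s, i in certs if s == i]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one self-signed root, found {len(roots)}")
    chain = [roots[0]]
    while True:
        children = [s for s, i in certs if i == chain[-1] and s != i]
        if not children:
            break
        if len(children) > 1:
            raise ValueError(f"{chain[-1]} signed more than one cert in the bundle")
        chain.append(children[0])
    if len(chain) != len(certs):
        raise ValueError("bundle contains certificates that are not part of one chain")
    return chain


if __name__ == "__main__":
    for n, dn in enumerate(order_chain(parse_dn_pairs(SAMPLE)), 1):
        print(f"{n}. import: {dn}")
```

Import the certificates in exactly the order the script prints; if it reports a missing issuer, that DN is the intermediate you still have to obtain from the CA before the import into the ID file or the Domino Directory will succeed.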