Articles and news

The Eld Engineering blog

Eld Engineering Srls

ID Vault: default certificate expiration is on the way

25 Mar 19 | Domino, Notes

The ID Vault was introduced in Domino 8.5, and it is a feature we know very well. The release of 8.5 dates back to exactly 10 years ago (January 2009).
This is not a problem in itself: it means that the ID Vault is now a stable and widely used feature. Nevertheless, it also hides a latent problem.

When you create a new ID Vault, the process automatically creates a new certificate bound to the Vault itself to manage its security, and during the creation phase the validity of that certificate is automatically set to 10 years.

This means that whoever created an ID Vault right after deploying version 8.5 is now close to the expiration of the related certificate.
What are the consequences?

To put it simply, you can no longer operate on the Vault. For example, if you try to reset a password through the ID Vault you get a message of this type: “Server error: the Address Book does not contain a cross certificate capable of validating the public key”.
Or, if you download an ID from the Vault, you won’t be able to use it, as Notes will display the message “Not a valid ID or the ID is corrupted”.
So the ID Vault has become totally unusable simply because its certificate is no longer valid.
Do you want to check your situation? Open the names.nsf on your server, go to Security / Certificates, find the Vault Trust Certificate document and open it. Now click the “Examine Notes Certificate(s)” button and you will see the expiration date after which your ID Vault will no longer work.
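The manual check above tells you the date for a single Vault. If you manage several Domino domains it is worth turning it into a recurring report, so the expiry does not surprise you. The following is an added example (not code from the original post, and not a Domino or HCL tool): it takes the creation date of each Vault, applies the 10-year default validity the post describes, optionally uses the date read from “Examine Notes Certificate(s)” when you already have it, and flags every Vault whose trust certificate is expired or will expire within a warning window. The vault names and dates in the sample are constructed for the example.

```python
from datetime import date
from typing import Dict, NamedTuple, Optional, Tuple

# The Vault Trust Certificate is created with a 10-year validity (see the post above).
DEFAULT_VALIDITY_YEARS = 10


class VaultCert(NamedTuple):
    vault: str                      # name of the ID Vault (constructed sample values below)
    issued: date                    # date the Vault, and therefore its trust certificate, was created
    expires: Optional[date] = None  # date shown by "Examine Notes Certificate(s)", if already looked up


def add_years(d: date, years: int) -> date:
    """Add whole years to a date, handling 29 February by falling back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def expiry_of(rec: VaultCert) -> date:
    """Use the observed expiry if known, otherwise the creation date plus the default validity."""
    return rec.expires if rec.expires is not None else add_years(rec.issued, DEFAULT_VALIDITY_YEARS)


def check_vaults(records, today: date, warn_days: int = 90) -> Dict[str, Tuple[str, int]]:
    """Return {vault: (status, days_left)} where status is 'expired', 'expiring' or 'ok'."""
    report = {}
    for rec in records:
        days_left = (expiry_of(rec) - today).days
        if days_left < 0:
            status = "expired"     # the Vault is already unusable (password reset / ID download fail)
        elif days_left <= warn_days:
            status = "expiring"    # schedule the trust certificate replacement now
        else:
            status = "ok"
        report[rec.vault] = (status, days_left)
    return report


# Constructed sample: three Vaults created at different times, checked as of the post's date.
SAMPLE_VAULTS = [
    VaultCert("O=Acme/Vault-2009",  date(2009, 3, 1)),                    # created right after 8.5 shipped
    VaultCert("O=Acme/Vault-Mid",   date(2009, 6, 15)),                   # expiry inferred from the default
    VaultCert("O=Acme/Vault-2015",  date(2015, 1, 1), date(2025, 1, 1)),  # expiry read from the certificate
]

if __name__ == "__main__":
    for vault, (status, days) in check_vaults(SAMPLE_VAULTS, date(2019, 3, 25)).items():
        print(f"{vault:22s} {status:9s} {days:5d} days")
```

Run it once per domain with the real creation dates (or the expiry dates you read from the certificate documents), and treat any `expiring` line as a ticket to run the replacement procedure described below.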

The situation becomes quite tricky because there is no recertification procedure like the one we use for user IDs. To tell the truth, the solution is easy to implement, but not easy to find. It was provided by HCL and proved to work fine.

First, you need to be sure you have a copy of the certifier ID used to trust the Vault, and of course its password.

Then, in Domino Administrator, connect to the Admin Server of your Domino Directory, select “Configuration” and click “Security\Certificates\Certificates”.

Select the “Password Reset Certificates” and “Vault Trust Certificates” documents, then DELETE THEM (make a backup first, just in case…).

Next, move down to “Security\ID Vaults”, select the ID Vault document and, in the Tools navigator, select “ID Vaults\Manage”.

Here you need to select two options: “Add or remove organizations that trust the certificate” and “Add or remove password reset authorities”.

What you need to do is add a new Trust Certificate for the same organization whose certificate you just removed, and add the Password Reset Authorities again as well.

At the end of the process, you’ll have a brand new Trust Certificate ready to work for another ten years.
