Please enable JavaScript to view this site.

Bundesdruckerei D-Trust-specific sections in MPKI

 

If necessary, information on Managed PKI of Bundesdruckerei D-Trust can be obtained from the website (www.bundesdruckerei.de).

 

Here, the connection to the Bundesdruckerei D-Trust CA is configured for automatically obtaining user certificates.

 

empty

anchor link Note:

With the successful creation of a certificate via MPKI, all necessary CA certificates are transmitted by D-Trust and imported.

 

Sections on this page:

Default parameters

Domain specific parameters

Certificate

Settings

 

 

anchor link Section Default parameters

 

Depending on the contract, the necessary settings have to be made here. As a rule, these are made available by Bundesdruckerei upon the conclusion of the contract between the email domain owner and Bundesdruckerei.

 

Parameters

Description

anchor link Service URL

Specifies the URL that is to be accessed via the MPKI. As a rule, the URL is

https://csm.d-trust.net/httpcmp/request

anchor link Product

Indication of the booked product.

Generally, these are

BASIC_ENTERPRISE_ID

ADVANCED_ENTERPRISE_ID

Additionally, TEAM ID products are offered, which are intended for organisations/group inboxes but not for individual persons.

Alternatively, _1, _2, ... to _5 can be added to the above-mentioned product name. This stipulates the validity period of the certificates requested via MPKI with the corresponding number in years. If necessary, however, this function is to be activated in the D-Trust web portal.

anchor link Static subject part

This part appears in the certificate of the respective user in addition to the email address E as an extension of the field Applicant. "Applicant".

Here, the entry O = [Organisation] is mandatory and must comply with the entry made in the D-Trust web portal.
 

empty

anchor link Attention:

Even slight deviations mean that certificates cannot be issued.

In particular, special characters can be problematic since they may be interpreted incorrectly when copying or entered incorrectly in the event of a manual input (e.g. different apostrophes: ´, `, ')

When copying the corresponding entries, care must also be taken not to accidentally copy a space at the beginning or end of the entry.

 

 

anchor link Section Domain specific parameters (optional)

 

If the SEPPmail Secure E-Mail Gateway manages several email domains (Managed Domains), this option can be used to specify specific parameters for creating user certificates for each domain.

After saving the domain specific option via Save entries, another input field appears in each case.

 

Parameters

Description

anchor link Domain

Specifies the email domain or a special email address for which the following two parameters should be valid.

 

empty

anchor link Attention:

The domain used here must be selected under Connectors MPKI managed domains in order to obtain certificates.

anchor link Product

Specification of the product, which may differ from the default parameter.

anchor link Static subject part

Specification of the product Default parameters Static subject part.
 

empty

anchor link Attention:

Even slight deviations mean that certificates cannot be issued.

In particular, special characters can be problematic since they may be interpreted incorrectly when copying or entered incorrectly in the event of a manual input (e.g. different apostrophes: ´, `, ')

When copying the corresponding entries, care must also be taken not to accidentally copy a space at the beginning or end of the entry.

 

 

anchor link Section Certificate

 

Used for authentication vis-à-vis the certification authority provider (Bundesdruckerei D-Trust).

 

Parameters

Description

anchor link PKCS12 identity file

Certificate for authentication vis-à-vis the certification authority (Bundesdruckerei D-Trust).

This file is provided by Bundesdruckerei D-Trust and is provided with a password (see parameter PKCS12 password)

If the access to the certification authority is successful, the following message appears at this point:

an operator certificate with valid password has been found.

 

empty

anchor link Note:

As of 30 days before the operator certificate expires, a message is added to the Daily Report (see also Groups admin and statisticsadmin), and the status of the Daily Reports is changed to IMPORTANT.

anchor link PKCS12 password

Password to activate the "private keys" contained in the PKCS12 identity file.

This is also provided by Bundesdruckerei D-Trust.

 

 

anchor link Section Settings

 

Settings for the automatic renewal of certificates.

 

empty

anchor link Note:

The validity period of the certificates of the individual users can be found in the file user-stats.csv which comes with the Daily Report (see also Groups statisticsadmin).

This is especially helpful if no automatic renewal of certificates has been set.

 

Parameters

Description

anchor link CheckBoxInactive Automatically renew expiring certificates if validity days left less than

This option is inactive by default and pre-set to 30.

Initiates the automatic renewal of certificates of active users (Users) if the remaining validity period is the set value. One pre-condition in this respect is that the corresponding user sends an email within the set overlap time. This prevents certificates from being obtained for "corpses" in the Users menu, including certificates subject to a fee, if applicable. The thus initiated process runs overnight (!).

 

empty

anchor link Note:

If the MPKI is activated retrospectively, existing, manually imported certificates are also taken into account. The certificate of the user with the longest validity period (expires on) is decisive for the renewal via MPKI.

Certificates of the internal certification authority as well as revoked or expired certificates are not taken into account.

 

empty

anchor link Note:

The greater the overlap in the certificate validity, the greater the chance that the communication partner will come into possession of a valid public key, which they need for sending encrypted emails.

anchor link CheckBoxInactive Automatically create certificates for active users without certificates

By default, this option is inactive.

This function obtains a certificate for all existing active Users, who are not in possession of a valid (!) certificate, automatically overnight (!).

 

Active Users are users who have sent an email in the last 30 days and do not have the State inactive.

 

empty

anchor link Attention:

Only works if the following option is active at the same time: Automatically renew expiring certificates if validity days left less than

anchor link Chain certificates (needed to sign emails)

By clicking on Add or update..., the intermediate certificates under X.509 Root Certificates required for supplementing the certificate chain when signing are added/updated.

 

empty

anchor link Note:

This action is mandatory after completion of the MPKI configuration!

 

The changes made are saved via the Save button.

 
  

Keyboard Navigation

F7 for caret browsing
Hold ALT and press letter

This Info: ALT+q
Topic Header: ALT+t
Topic Body: ALT+b
Contents: ALT+c
Search: ALT+s
Exit Menu/Up: ESC