The SEPPmail Secure E-Mail Gateway includes an entire certification authority. This can be configured as a self-signed CA or sub-CA.
Alternatively, trusted CA certificates can be obtained automatically via the Managed Public Key Infrastructure (MPKI) connectors.
The CA certificate of this menu item is machine-related and is therefore not synchronised in the Cluster. If necessary, a separate certificate must be used on each cluster partner, or the same certificate must be imported on each of them. The Settings, on the other hand, are synchronised.
The use of a self-signed CA is usually not recommended for signing emails, as the recipients generally cannot verify the signatures automatically. Setting up the internal certification authority can still be useful, however, as the specified attributes are also used for creating domain certificates (see Mail System Managed domain S/MIME domain encryption).
If a certificate is already included, it is displayed as follows.
Otherwise, Request or create a certificate authority... can be used to create a certificate signing request (CSR) for a CA or sub-CA certificate and/or a self-signed CA certificate. However, using a self-signed CA certificate is only recommended for test systems, for the reasons given above.
When signing the CSR, make sure that the following attributes are specified:
- is a sub-CA
- can issue server certificates
- can issue client certificates
Via Import existing certificate authority..., an existing CA or sub-CA certificate can be imported. The submenu that then appears has the same structure as the one under SSL.
If the CA is to operate as a sub-CA, the sub-CA certificate including the certificate chain up to the root CA must be inserted here. Without a valid certificate chain, issuing certificates will fail.
If the top of the status bar of the menu displays the information Remember to import the signed certificate, only the button Continue certificate signing request... is displayed. This button is used to continue or complete the obtainment of a certificate started by means of Request or create a certificate... via CSR.
With Sign Certificate Request, it is possible to sign externally generated CSRs with the internal CA. Clicking the button opens the submenu, in which the actual signature process can be performed.
This section displays information about the owner of the CA certificate.
Depending on the certificate, not all parameters listed here must be given.
| Parameters | Description |
|---|---|
| | Specifies the name of your own certification authority |
| | As a rule, the email address of the administrator of your own certification authority or their department is entered. |
| | Organisational unit, such as a department name, e.g. "Security" |
| | Specifies the organisation for which the certificate was issued, for example "Company" |
| | Location, for example a town like "Neuenhof" |
| | Federal state, canton, province or similar, for example "AR" for "Appenzell Ausserrhoden" |
| | Country, for example "CH" for "Switzerland" |
| | Serial number of the certificate |
These parameters are displayed as "Issuer" for certificates issued by the internal CA.
This section displays information about the issuer of the CA certificate (root certificate).
Depending on the issuer, not all parameters listed here have to be given.
| Parameters | Description |
|---|---|
| | Specifies the name of your own certification authority |
| | As a rule, the email address of the administrator of your own certification authority or their department is entered. |
| | Organisational unit, such as a department name, e.g. "Security" |
| | Specifies the organisation for which the certificate was issued, for example "Company" |
| | Location, for example a town like "Neuenhof" |
| | Federal state, canton, province or similar, for example "AR" for "Appenzell Ausserrhoden" |
| | Country, for example "CH" for "Switzerland" |
Specifies the validity of your own CA certificate.
| Parameters | Description |
|---|---|
| | Issue date of the certificate |
| | Expiration date of the certificate |
The fingerprint is the checksum (hash) of the certificate and is used to verify it. This section displays the hash algorithm (for example MD5, SHA1 or SHA256) with which the checksum was calculated as well as the calculated value. If fingerprints with several different algorithms are available, each one is output on a separate line.
| Parameters | Description |
|---|---|
| | Example of a SHA1 fingerprint: 48:2D:99:B1:64:C1:14:9C:B3:F2:C0:8D:FA:7F:40:9F:22:F5:11:F5 |
Certificate revocation list, abbreviated CRL. If the internal certification authority has been configured, it keeps a revocation list for the certificates it has issued. If a private key has been compromised, the certificate can be declared invalid (revoked) in the user configuration (see Users S/MIME); it then appears in the revocation list. The list can be downloaded via the Create and download CRL button and thus be queried.
In this section, the settings for the self-signed or sub-CA are entered.
The mentioned extension settings are the default settings when setting up a self-signed CA.
If a sub-CA is to be set up, the operator of the main CA usually specifies the corresponding values.
| Parameters | Description |
|---|---|
| | By default, the static subject part shows the parameters for the corresponding country (here, the two-character ISO country code is to be used), organisational unit and organisation, for example /C=GB/OU=Security/O=Company |
| | By default, the value is set to 3650. Specifies the validity of the certificates issued, in days. |
| | By default, the value is set to 30. Specifies the validity of the certificate revocation list, in days. |
| Automatically renew expiring certificates if validity days left less than | This option is inactive by default and pre-set to 90. It initiates the automatic renewal of certificates of active users (Users) if the remaining validity period falls below the set value. One precondition is that the corresponding user sends an email within the set overlap time; this prevents certificates from being obtained for "dead bodies" (stale entries) in the Users menu. The process initiated this way runs overnight (!). Certificates of the internal certification authority as well as revoked or expired certificates are not taken into account. |
| Automatically create certificates for active users without certificates | By default, this option is inactive. This function obtains both S/MIME and OpenPGP keys for all existing active Users automatically overnight (!) unless corresponding valid (!) key material already exists. Active Users are users who have sent an email in the last 30 days and do not have the State inactive. |

Extension settings (entered as name and value):

| Name | Value | Description |
|---|---|---|
| authorityKeyIdentifier | keyid,issuer:always | Adds to the certificates issued by this certification authority the information about the issuing certification authority given by the value. keyid: subjectKeyIdentifier (see next option); issuer: issuer name and serial number; always: returns an error message if copying the specified options fails |
| subjectKeyIdentifier | hash | Specifies the type of fingerprint of the issued certificate. hash: forms a hash value according to RFC 3280; hex: a predefined hex value is appended to the certificate (not recommended!) |
| subjectAltName | email:copy | Enables the inclusion of further alternative names in the issued certificate. email: email address; copy: automatically adds a copy of the email address from the "SubjectName"; URI: uniform resource identifier; DNS: DNS domain name; RID: registered ID (OBJECT IDENTIFIER); IP: IP address in v4 or v6 format; dirName: should point to a distinguished name (DN). Multiple inputs possible with + |
| basicConstraints | CA:FALSE | Indicates whether the certificate issued is a certificate authority certificate. CA: possible values are TRUE or FALSE; pathlen (optional, for CA:TRUE): specifies the maximum number of CAs which |
| nsComment | OpenSSL Generated Certificate | Comment entry for the certificate; freely selectable comment |
| nsCertType | client, email | Specifies the type of certificate (Netscape). Possible values: client, server, email, objsign, reserved, sslCA, emailCA, objCA |
| keyUsage | nonRepudiation, digitalSignature, keyEncipherment | Specifies the permitted use(s) for the certificate. digitalSignature: digital signature; nonRepudiation: non-repudiation; keyEncipherment: key encryption; dataEncipherment: data encryption; keyAgreement: key agreement; keyCertSign: certificate signature; cRLSign: revocation list signature; encipherOnly: encryption only; decipherOnly: decryption only |
| crlDistributionPoints (to be added manually if necessary) | URI:https://<YourCA>/certs.crl | Adds the path to the certificate authority's revocation list distribution point to the certificate. URI: path to the revocation list. Multiple URLs are entered separated by commas. |

Further extension settings can be made at this point if required, using the empty name/value input line. After saving a further extension, another input line appears.
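As an added example (not SEPPmail's own code, and assuming an OpenSSL binary on the path), this script writes the extension defaults from the table above into an OpenSSL extension section, builds a throw-away root CA, sub-CA and user certificate with them, and checks the points stressed in the sections on the CSR attributes, the certificate chain and the fingerprint. All subjects, file names and the CRL URL are constructed for the demo.

```shell
# Added example (not SEPPmail code): the extension defaults from the table above as an
# OpenSSL extension section, a throw-away root CA / sub-CA / user chain, and checks for
# the points the text stresses. Subjects, the CRL URL and file names are constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"
SUBJ="/C=GB/OU=Security/O=Company"   # static subject part, as in the table
cat > ext.cnf <<'EOF'
[ user_cert ]
authorityKeyIdentifier = keyid,issuer:always
subjectKeyIdentifier   = hash
subjectAltName         = email:copy
basicConstraints       = CA:FALSE
nsComment              = "OpenSSL Generated Certificate"
nsCertType             = client, email
keyUsage               = nonRepudiation, digitalSignature, keyEncipherment
crlDistributionPoints  = URI:https://ca.example.invalid/certs.crl
[ ca_cert ]
subjectKeyIdentifier   = hash
basicConstraints       = critical, CA:TRUE
keyUsage               = keyCertSign, cRLSign
EOF
# key + CSR, then sign: self-signed root (3650 days as in the table), sub-CA signed
# by the root, user certificate signed by the sub-CA with the default extensions
csr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" >/dev/null 2>&1; }
csr root "$SUBJ/CN=Demo Root CA"
openssl x509 -req -in root.csr -signkey root.key -days 3650 \
  -extfile ext.cnf -extensions ca_cert -out root.crt >/dev/null 2>&1
csr sub "$SUBJ/CN=Demo Sub CA"
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial -days 3650 \
  -extfile ext.cnf -extensions ca_cert -out sub.crt >/dev/null 2>&1
csr user "$SUBJ/CN=Alice/emailAddress=alice@example.invalid"
openssl x509 -req -in user.csr -CA sub.crt -CAkey sub.key -CAcreateserial -days 3650 \
  -extfile ext.cnf -extensions user_cert -out user.crt >/dev/null 2>&1
# returns 0 if the certificate carries the CA attributes the CSR note asks for
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' &&
          openssl x509 -in "$1" -noout -text | grep -q 'Certificate Sign'; }
# returns 0 only if the chain up to the root validates (sub-CA passed as intermediate)
chain_ok() { openssl verify -CAfile root.crt -untrusted sub.crt "$1" >/dev/null 2>&1; }
# returns 0 if subjectAltName=email:copy really copied the subject's email address
san_copied() { openssl x509 -in "$1" -noout -text | grep -q 'email:alice@example.invalid'; }
# colon-separated SHA-256 fingerprint, the form shown in the Fingerprint section
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
if is_ca sub.crt && ! is_ca user.crt && chain_ok user.crt && san_copied user.crt; then
  echo "user.crt OK, SHA-256 fingerprint $(fingerprint user.crt)"
else
  echo "check failed" >&2; exit 1
fi
```

Running `chain_ok` without the `-untrusted sub.crt` intermediate reproduces the failure mode the text warns about: without the complete chain up to the root, the user certificate does not validate.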
Via Download certificate the SSL certificate (i.e. only the public key) can be downloaded in the PEM format.
If the same certificate is used for all cluster members in the Cluster, it can be distributed to all members via the Transfer to cluster members button.
This transfer only works between backends (see Cluster Cluster members).