
SwissSign-specific sections in MPKI

 

Sections on this page: Introduction, Default parameters, Domain specific parameters, Certificate, Settings

 

Introduction

 

Information on ordering and the modalities for setting up a SwissSign MPKI is available at www.swisssign.com/managed-pki/managed-pki-service.html.

The website for the administration of certificates by SwissSign can be reached at https://swisssign.net. Login to this site is done with the respective account data or with the current operator certificate (see also Certificate). A new operator certificate can be obtained here once the old one has expired.

 

Note:

Especially in the case of managed service providers (MSPs), the following differences in obtaining certificates must be taken into account:

WITHOUT organisation entry
Here, the MSP can simply add a customer email domain by "self-validation" in order to obtain certificates. The certificates obtained in this variant each contain the data from the attribute "Applicant" of the Static subject part in the section Default parameters.

WITH organisation entry or higher
The customer receives its own organisation entry, which appears in the attribute "Applicant". The MSP makes this entry for the corresponding email domain(s) of the customer in the Domain specific parameters.
For this purpose, the customer must send a declaration of acceptance to SwissSign for organisational verification. Once the verification has been completed, SwissSign sends the corresponding configuration data (Domain specific parameters) and the purchase of certificates is released accordingly.
For this process, a change order must be submitted to SwissSign (usually triggered by SEPPmail). This process is subject to a charge unless a certain minimum order value of certificates is reached.

 

Attention:

The input for domain validation is case sensitive!

 

At this point, the connection to the SwissSign CA is configured for the automated acquisition of user certificates.

 

Section Default parameters

 

Depending on the contract, the necessary settings have to be made here. As a rule, these are provided by SwissSign via a "Welcome Email".

 

Note:

The SwissSign MPKI access must be converted to the new access by the end of May 2023 at the latest. To this end, all certificate managers were already informed by SwissSign in February 2023.

An update to version 12.2.18 of SEPPmail Secure E-Mail Gateway is required for the conversion!

The following descriptions already refer to firmware version 12.1.18 and the new SwissSign MPKI access.

If required, further information can also be found in the FAQ entry SwissSign - Changeover to New CA (May 2023).

 


Attention:

Certificates that were created with the old CA can, after the switch to the new CA, only be revoked directly on the SwissSign web interface of the old CA.

 

Parameters / Description

Service URL

Specifies the URL that is accessed via the MPKI. It is specified by SwissSign and is usually (changed in 12.1.18):

https://ra.swisssign.net/ws/cmc

https://cmc.swisssign.ch/ws/cmc?validity=1y

Static subject part

This part appears in the certificate of the respective user, in addition to the email address "E", as an extension of the "Applicant" field.

Depending on the certificate type selected, the value to be entered here is given statically by SwissSign (changed in 12.1.18):

SwissSign Silver ID Certificates / SwissSign Personal S/MIME E-Mail ID Silver: (empty)

and/or, for the attribute "OU=", it is configurable by the customer. In addition, the display name "Name" (see Users) is used as CN.

 

Attention:

In the case of Gold certificates for a functional mailbox such as sales@company-maildomain.com, the CN requires a leading "pseudo:".

Example: "pseudo: sales@company-maildomain.com"

 

SwissSign Gold ID Certificates / SwissSign Pro S/MIME E-Mail ID Gold: OU = [Organisation detail]/O=[Organisation]/C=[Country]

This value is specified by SwissSign and generally corresponds to the organisation name as it appears in the commercial register and thus in the SwissSign application. The two-character ISO country code must be used for the country name.
The following would then be entered in the applicant field of the certificate:

E = [email address]
CN = [name of certificate holder]
OU = [Organisation detail]
O = [Organisation]
ST = [State/Canton] (optional)
C = [Country]

 

Attention:

Even minor deviations lead to certificates not being issued.

In particular, special characters can be problematic, since they may be interpreted incorrectly when copying (e.g. different apostrophes: ´, `, ').

When copying the corresponding entries, care must also be taken not to accidentally copy a space at the beginning or end of the entry.
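As an added pre-flight check that is not part of the original SEPPmail documentation, the following Python script parses a Gold static subject part in the OU=/O=/C= layout shown above and flags the pitfalls the Attention box names: a copied space at the beginning or end of the entry, typographic apostrophes, and a country value that is not a two-letter ISO code. It also builds the "pseudo:" CN for a functional mailbox. The function names, the character list and the sample values are this example's own assumptions; SwissSign's own validation is not reproduced here.

```python
import re

# Typographic apostrophes/quotes that are easy to paste in by mistake; the page
# names ´ and `, the curly quotes are added here as a further assumption.
SUSPICIOUS_CHARS = {"´", "`", "\u2018", "\u2019"}

# Attributes the Gold static subject part is expected to carry (ST is optional).
REQUIRED_ATTRS = ["OU", "O", "C"]


def parse_static_subject(value: str) -> dict:
    """Split 'OU = x/O=y/C=z' into a dict; values containing '/' are not supported."""
    attrs = {}
    for segment in value.split("/"):
        if "=" not in segment:
            raise ValueError(f"segment without '=': {segment!r}")
        key, val = segment.split("=", 1)
        attrs[key.strip().upper()] = val.strip()
    return attrs


def check_static_subject(value: str) -> list:
    """Return the problems found; an empty list means nothing suspicious."""
    problems = []
    # Accidentally copied space at the beginning or end of the whole entry.
    if value != value.strip():
        problems.append("whole value: leading or trailing whitespace")
    attrs = parse_static_subject(value)
    missing = [k for k in REQUIRED_ATTRS if k not in attrs]
    if missing:
        problems.append("missing attributes: " + ", ".join(missing))
    for key, val in attrs.items():
        bad = sorted({c for c in val if c in SUSPICIOUS_CHARS})
        if bad:
            problems.append(f"{key}: suspicious apostrophe/quote {bad}")
    if "C" in attrs and not re.fullmatch(r"[A-Z]{2}", attrs["C"]):
        problems.append(f"C: {attrs['C']!r} is not a two-letter ISO country code")
    return problems


def functional_mailbox_cn(address: str) -> str:
    """CN for a Gold certificate of a functional mailbox needs a leading 'pseudo:'."""
    return f"pseudo: {address}"


if __name__ == "__main__":
    # Constructed sample values, not real customer data.
    print(check_static_subject("OU = Sales/O=Example AG/C=CH"))  # []
    print(check_static_subject(" OU=Sales/O=D´Example AG/C=Switzerland"))
    print(functional_mailbox_cn("sales@company-maildomain.com"))
```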

 


 

Suppress "Unconsumed SDN" error (checkbox)

By default, this option is inactive.

With an individual configuration by SwissSign, it can happen that parameters which SwissSign has already provided statically are supplied again in the Static subject part when a certificate is requested. Usually, this results in the following error message when obtaining the certificate:

Unconsumed SDN (i.e.: SDN attributes not needed and not utilised; please remove them and resubmit your request): o=...

By activating this option, the redundant parameters supplied during the request are ignored and the static values provided by SwissSign are used instead, so the certificate can still be obtained without problems.

 

Note:

(new in 12.1.18)

For SwissSign Personal S/MIME E-Mail ID Silver it is recommended to activate this option.

Account name

Indication of the user name. This is usually (changed in 12.1.18):

existing customers before April 2023: <company_shortcut>.ra

new customers since April 2023: MPKI<7-digit number> - <organisation name>

and will be communicated by SwissSign.

Product name

Indication of the booked product. This is usually (changed in 12.1.18):

<company_shortcut>-product_type

for example:

<company_shortcut>-perso-silver-emailonly
<company_shortcut>-perso-gold
<company_shortcut>-perso-gold-auth
<company_shortcut>-perso-gold-rsassapss

Possible products are:

SwissSign Personal S/MIME E-Mail ID Silver
SwissSign Pro S/MIME E-Mail ID Gold

Depending on the product booked, the corresponding name will also be provided by SwissSign.

 

 

Section Domain specific parameters (optional)

 

If the SEPPmail Secure E-Mail Gateway manages several email domains (Managed domains), this option can be used to define specific parameters for creating user certificates for each domain.

 

Note:

For this to work, the accounts must be linked at SwissSign, either directly when applying or subsequently by sending a case to mpki@swisssign.com, so that with an AUTO-RAO certificate the assignment to the other accounts is also made.

 

After saving the domain specific option via Save entries, a further input field appears each time.

 

Parameters / Description

Domain

Specifies the email domain for which the following two parameters apply.

Only domains which were also named when the application was submitted to the certification body, or which were later validated separately, may be entered.

 

Attention:

The input for domain validation is case sensitive!

 

Attention:

The domain entered here must be selected under Connectors MPKI managed domains in order to obtain certificates.

Account name

(new in 12.1.7)

Specification of the account name for this domain, which may differ from the Account name in the Default parameters. This is provided by SwissSign with the access data.

Product name

Specification of the product name for this domain, which may differ from the Product name in the Default parameters. This is provided by SwissSign with the access data.

 

Note:

With the different Product names, different quality grades can also be obtained per Managed domain. The main difference is in the options for individualising the Static subject part and thus the applicant displayed in the certificate:

 

Certificate / Possible Static subject part

Personal Gold-ID: Email address, first and last name, organisation, country/state (additional parameters if applicable)

Personal Silver-ID: --

Static subject part

See section Default parameters, Static subject part.
 

Attention:

Even slight deviations mean that certificates cannot be issued.

In particular, special characters can be problematic, since they may be interpreted incorrectly when copying or entered incorrectly in the case of manual input (e.g. different apostrophes: ´, `, ').

When copying the corresponding entries, care must also be taken not to accidentally copy a space at the beginning or end of the entry.

 

 

Section Certificate

 

Used for authentication vis-à-vis the certification authority provider (SwissSign).

 

Parameters / Description

PKCS12 identity file

Certificate for authentication vis-à-vis the certification authority (SwissSign).

This file is provided by SwissSign and is protected with a password (see parameter PKCS12 password).

If the access to the certification authority is successful, the following message appears at this point:

an operator certificate with valid password has been found.

 

Note:

As of 30 days before the operator certificate expires, a message is added to the Daily Report (see also Groups admin and statisticsadmin), and the status of the Daily Report is changed to IMPORTANT.

PKCS12 password

Password to unlock the private key contained in the PKCS12 identity file.

This is also provided by SwissSign.

 

 

Section Settings

 

Settings for the automatic renewal of certificates.

 

Note:

The validity period of the certificates of the individual users can be found in the file user-stats.csv which comes with the Daily Report (see also Groups statisticsadmin).

This is especially helpful if no automatic renewal of certificates has been set.

 

Parameters / Description

Automatically renew expiring certificates if validity days left less than (checkbox)

This option is inactive by default and the value is preset to 30.

Initiates the automatic renewal of certificates of active users (Users) if the remaining validity period is below the set value. A precondition is that the corresponding user has sent an email within the set overlap time. This prevents certificates, possibly subject to a fee, from being obtained for "corpses" in the Users menu. The process thus initiated runs overnight (!).

 

Note:

If the MPKI is activated retrospectively, existing, manually imported certificates are also taken into account. The certificate of the user with the longest validity period (expires on) is decisive for the renewal via MPKI.

Certificates of the internal certification authority as well as revoked or expired certificates are not taken into account.

 

Note:

The greater the overlap in the certificate validity, the greater the chance that the communication partner will come into possession of a valid public key, which they need for sending encrypted emails.


Automatically create certificates for active users without certificates (checkbox)

By default, this option is inactive.

This function obtains a certificate for all existing active Users, who are not in possession of a valid (!) certificate, automatically overnight (!).

 

Active Users are users who have sent an email in the last 30 days and do not have the State inactive.

 

Attention:

Only works if the option Automatically renew expiring certificates if validity days left less than is active at the same time.
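The overnight renewal and creation rules described for the two options above (renew when the remaining validity is below the threshold and the user has mailed within the overlap time; the certificate with the longest validity is decisive; internal-CA, revoked and expired certificates are ignored; creation only for active users and only together with the renewal option), as an added Python model that is not SEPPmail's code. The data classes, field names and the reading of the overlap time as equal to the threshold value are this example's own assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Cert:
    expires_on: date
    issuer: str              # "mpki" (SwissSign) or "internal" (gateway's own CA)
    revoked: bool = False


@dataclass
class User:
    state: str               # "inactive" users are never touched
    last_email: date         # date the user last sent an email through the gateway
    certs: list = field(default_factory=list)


def iso(s: str) -> date:
    """Helper so callers can write dates as ISO strings."""
    return date.fromisoformat(s)


def is_active(user: User, today: date, window_days: int = 30) -> bool:
    """Active user: not in state inactive and sent an email in the last 30 days."""
    return user.state != "inactive" and (today - user.last_email).days <= window_days


def decisive_cert(user: User, today: date) -> Optional[Cert]:
    """The certificate with the longest remaining validity decides; internal-CA,
    revoked and already expired certificates are not taken into account."""
    eligible = [c for c in user.certs
                if c.issuer != "internal" and not c.revoked and c.expires_on >= today]
    return max(eligible, key=lambda c: c.expires_on, default=None)


def nightly_action(user: User, today: date, renew_enabled: bool,
                   threshold_days: int = 30, create_enabled: bool = False) -> str:
    """Decide what the overnight MPKI run would do: 'renew', 'create' or 'none'."""
    if not renew_enabled or user.state == "inactive":
        return "none"                    # creation only works together with renewal
    cert = decisive_cert(user, today)
    if cert is None:
        # No usable certificate: only the create option helps, and only for active users.
        return "create" if create_enabled and is_active(user, today) else "none"
    days_left = (cert.expires_on - today).days
    # Assumption: the overlap time equals the threshold, so the user must have
    # mailed within the last threshold_days for a renewal to be triggered.
    mailed_recently = (today - user.last_email).days <= threshold_days
    return "renew" if days_left < threshold_days and mailed_recently else "none"
```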

Chain certificates (needed to sign emails)

By clicking on Add or update..., the intermediate certificates under X.509 Root Certificates required for supplementing the certificate chain when signing are added/updated.

 

Note:

This action is mandatory after completion of the MPKI configuration!

 

The changes made are saved via the Save button.

 

  
