
This menu is used to manage the position of trust for the individual certification authorities (CA).

 

Sections on this page:

Introduction

Filter

Root certificate

Root certificate with verification errors

 

 

Introduction

 

At installation, the root CA certificates of the usual accredited CAs are already pre-installed, much as in internet browsers (see also Trust state set by). If necessary, this list can be compared against any existing audit requirements and, where appropriate, trust in undesired CAs can be withdrawn. SEPPmail itself makes no further changes to this list afterwards, not even during updates. This prevents undesired manipulation of the respective operator's security concept.

 

From installation onwards, the list grows dynamically. If the SEPPmail Secure E-Mail Gateway receives signed emails whose signature certificates originate from unknown certification authorities, the root and intermediate certificates from these signatures are collected as needed and saved with the status "?" (unknown). In this case, members of Groups x509rootcertificatesadmin receive an email notification with the subject "IMPORTANT: SEPPmail new CA certificates added on ...". This information is also included in the Daily Report, which then has the status "IMPORTANT:" and is therefore also sent to the members of Groups admins and to the Postmaster address.

Subsequently, an administrator should classify these certificates with regard to their trustworthiness.

 

The Import S/MIME root certificate... button opens the IMPORT X.509 ROOT CERTIFICATE(S) submenu for the import of individual or several (bulk) certificates of communication partners.

 

The Advanced settings... button opens the ADVANCED SETTINGS. This can be used to set how X.509 root certificates are to be handled.

 

 

Section Filter

 

The input field with the Filter... button is used for searching for corresponding keys based on the characteristics indicated in the table. The search term is entered as a character string.

 

 

Section Root certificate

 

The root and intermediate certificates are displayed as follows:

 

Column

Description

Trust state

Shows the trust status. Possible statuses are:

trusted: trustworthy

UNTRUSTED: not trustworthy

?: unknown

implicit: Intermediate certificate which was extracted from a valid email signature and imported. Intermediate certificates with the status "implicit" are trusted without manual intervention unless the related root certificate is no longer trusted.

ORPHANED: Intermediate certificate whose associated root certificate is missing. Due to the missing root certificate, these certificates cannot be trusted even if the status is set to "trusted" (see CERTIFICATE DETAILS). In this case, the displayed status would change from ORPHANED to "trusted" immediately after importing and trusting the corresponding root certificate.

 

If the status is unknown ("?"), the administrator must intervene and decide whether the certification authority should be trusted or not. If certificates with the status "?" are present, they are reported as soon as they appear to the CA administrators (see Groups caadmin) and, as part of the Daily Report, which then receives the status "IMPORTANT:", to the machine administrators (see Groups admin).

By clicking on the trust status of the certificate, details can be viewed and the trust status can be changed (see submenu CERTIFICATE DETAILS).

 

Note:

Certificates from signatures whose issuing certification authority is trusted are automatically collected (see X.509 Certificates) and are thus ready for encryption.

 

Note:

(changed in 12.1)

If the status of a certificate is changed to "trusted", this status is inherited downwards in the tree structure by all associated intermediate certificates, stopping at the first certificate that has the status "untrusted".

When changing the status to "untrusted", all certificates downwards in the tree structure change to "untrusted", regardless of their previous status.

A certificate that appears in the tree structure below another certificate with the status "untrusted" can never be changed to the status "trusted".
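
The three inheritance rules in this note, modelled as an added example (not SEPPmail code). The class, method and certificate names are hypothetical, the sample tree is constructed, and the states use the note's lowercase spelling.

```python
# Added illustration of the inheritance rules in the note above.
# Names are hypothetical; states use the note's lowercase spelling.

class CertNode:
    def __init__(self, subject, state="?", parent=None):
        self.subject = subject
        self.state = state
        self.parent = parent
        self.children = []
        if parent is not None:
            parent.children.append(self)

    def has_untrusted_ancestor(self):
        node = self.parent
        while node is not None:
            if node.state == "untrusted":
                return True
            node = node.parent
        return False

    def set_trusted(self):
        # A certificate below an "untrusted" one can never become "trusted".
        if self.has_untrusted_ancestor():
            return False
        self._inherit_trusted()
        return True

    def _inherit_trusted(self):
        self.state = "trusted"
        for child in self.children:
            # Inheritance stops at the first "untrusted" certificate.
            if child.state != "untrusted":
                child._inherit_trusted()

    def set_untrusted(self):
        # Everything below becomes "untrusted", whatever it was before.
        self.state = "untrusted"
        for child in self.children:
            child.set_untrusted()


def build_sample_tree():
    """Constructed sample: one root, two intermediates, one sub-CA."""
    root = CertNode("Example Root CA")
    issuing_a = CertNode("Example Issuing CA A", parent=root)
    issuing_b = CertNode("Example Issuing CA B", "untrusted", root)
    sub_b1 = CertNode("Example Sub CA B1", parent=issuing_b)
    return root, issuing_a, issuing_b, sub_b1
```

Trusting the sample root turns "Example Issuing CA A" to "trusted" but leaves the "untrusted" branch B and everything beneath it unchanged, which is the case to check when reviewing a tree after a status change.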

Subject

Specifies the name (CN) of the applicant.

Trust state set by

(new in 12.1)

Displays who set the trust state of the certificate.

Factory (trusted by SEPPmail factory default settings): Certificates supplied in the delivery state of the SEPPmail Secure E-Mail Gateway.

Automatic (auto-trusted by RuleEngine): Certificates which can be trusted by means of the option Automatically trust new root certificates.

Manual (Administrator through Admin-GUI): Certificates for which trust has been manually granted or withdrawn via the administration interface.

none: Certificates with undefined trust state (Trust state "?").

 

Issued on

Issue date of the certificate in the form YYYY-MM-DD.

Expires on

Expiration date of the certificate in the form YYYY-MM-DD.

Fingerprint

Displays the fingerprint (hash) of the certificate.

Type

Specifies the hash of the certificate, for example RSA-MD5, RSA-SHA1, RSA-SHA256, ...

Validity

Specifies the validity of the certificate. Possible statuses are:

"none", which means "OK"

REVOKED

EXPIRED

OCSP/CRL check

Result of the OCSP/CRL check. Possible statuses are:

OK

?

uncheckable

uncheckable (no supported CRL/OCSP mechanism)

revoked

 

 

Section Root certificate with verification errors

(new in 12.1)

 

The root and intermediate certificates are displayed as follows:

 

Column

Description

Trust state

see Root certificate Trust state

Subject

see Root certificate Subject

Trust state set by

see Root certificate Trust state set by

Issued on

see Root certificate Issued on

Expires on

see Root certificate Expires on

Fingerprint

see Root certificate Fingerprint

Type

see Root certificate Type

Validity

Shows the reason why a certificate is invalid.

OCSP/CRL check

see Root certificate OCSP/CRL check

 

 

 

 

  
