Initial situation:
Domain certificates should be made available for download for communication partners via the option Allow download of public domain keys/domain certificates in the GINA interface.
Question:
Why are the existing certificates no longer available for download since version 13.0.13?
Answer:
Via the option Create S/MIME domain keys for managed domain encryption and send public key to vendor pool (in Mail System or Add/edit managed domain), a domain certificate is issued even if the SEPPmail Secure E-Mail Gateway internal CA has not been configured. The issuer of these certificates is then a "SEPPmail default CA". Such certificates are used exclusively for the SEPPmail Managed Domain Service.
If such a certificate is used for domain encryption with a third-party product, this can lead to problems.
For this reason, the SEPPmail Secure E-Mail Gateway internal CA should generally be configured for the use of domain encryption with third-party products before creating a (new) domain certificate (see also this note on domain encryption). Certificates from this CA are then also offered for download via GINA.
If the third-party product performs a certificate chain check on the domain certificate, the root certificate of the internal CA is also required. This can likewise be offered for download via GINA (if necessary, see Publish local CA certificate on the search page to allow recipients to perform S/MIME signature verification).
Note:
If this behaviour occurs in existing systems with a large number of managed domains, it may make sense to issue new domain certificates via REST.
Example:
https://api.seppmail.com/#/crypto/crypto_domain_name_add
Request body:
{
  "technology": "smime",
  "action": "generate",
  "generateData": {
    "type": "local",
    "isIME": false,
    "hin": false
  }
}
Response body:
{
"message": "add for key material for domain 'seppmail365.ch' successful"
}
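The two checks described in the answer, added here as an example that is not part of the SEPPmail article or product: before handing a domain certificate to a communication partner, inspect its issuer to find certificates still issued by the "SEPPmail default CA" (candidates for reissue via REST), and run the same chain validation a third-party product would perform against the internal CA root published via GINA. Assumptions: the default CA is recognised by the CommonName "SEPPmail default CA" exactly as the article names it (verify the real issuer DN on your gateway); the CA and domain certificates in IssueTestCerts are constructed fixtures standing in for certificates exported from the gateway; the checks use Go's standard crypto/x509 package.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// DefaultCAName is the issuer the article names for domain certificates created
// while no internal CA was configured. Assumption: matched on CommonName only.
const DefaultCAName = "SEPPmail default CA"

// parsePEMCert decodes the first PEM block into an X.509 certificate.
func parsePEMCert(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// NeedsReissue reports whether a domain certificate was issued by the SEPPmail
// default CA and should therefore be reissued from the internal CA (e.g. via
// REST) before it is handed to a third-party product.
func NeedsReissue(leafPEM []byte) (bool, error) {
	cert, err := parsePEMCert(leafPEM)
	if err != nil {
		return false, err
	}
	return cert.Issuer.CommonName == DefaultCAName, nil
}

// ChainValidates performs the chain check a third-party product would do: the
// domain certificate must chain to a root the partner has imported, i.e. the
// internal CA certificate that is published via GINA.
func ChainValidates(leafPEM, rootPEM []byte) bool {
	leaf, err := parsePEMCert(leafPEM)
	if err != nil {
		return false
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(rootPEM) {
		return false
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	})
	return err == nil
}

// IssueTestCerts builds a constructed fixture (not real gateway certificates):
// a self-signed CA named caName and an S/MIME domain certificate signed by it.
func IssueTestCerts(caName, domain string) (rootPEM, leafPEM []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	caCert, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: domain},
		EmailAddresses: []string{"postmaster@" + domain},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	toPEM := func(der []byte) []byte {
		return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	}
	return toPEM(caDER), toPEM(leafDER)
}

func main() {
	defRoot, defLeaf := IssueTestCerts(DefaultCAName, "example.com")
	intRoot, intLeaf := IssueTestCerts("Example Internal CA", "example.com")
	need, _ := NeedsReissue(defLeaf)
	fmt.Println("default-CA certificate needs reissue:", need)
	fmt.Println("internal-CA certificate validates against published root:", ChainValidates(intLeaf, intRoot))
	fmt.Println("internal-CA certificate validates against wrong root:", ChainValidates(intLeaf, defRoot))
}
```

Run NeedsReissue over the domain certificates exported from the gateway to build the list of managed domains that need the REST call above; ChainValidates with the GINA-published internal CA root shows whether a partner that does a chain check will accept the new certificate.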