Currently, X.509 root certificates are not included in the JSON export.
For a migration, proceed as follows:
- Export each X.509 root certificate that should be migrated via the option Download Certificate of the SEPPmail Secure E-Mail Gateway.
- For each certificate, please work through and answer the checklist below (SEPPmail will need to verify your answers).
- Then submit these X.509 root certificates and your answers by opening a support ticket with support@seppmail.ch.
Root Certificate Evaluation Checklist
- Is the CA (Certificate Authority) well-known and reputable?
  Only trust CAs with an established history of reliability and security.
- Have you reviewed the official CPS/CP (Certificate Practice Statement/Certificate Policy)?
  This document outlines the CA's practices and policies for issuing and managing certificates.
- Are the signature algorithm and key length sufficiently strong?
  Look for modern, robust algorithms (e.g., SHA-256 or higher) and adequate key lengths (e.g., RSA 2048-bit or higher, or secure ECC curves).
- Is the certificate currently valid?
  Verify that the "Not Before" and "Not After" dates encompass the present time.
- Are the Basic Constraints correctly set (cA=TRUE)?
  This is crucial; it confirms the certificate is a CA and can issue other certificates.
- Are the Key Usage flags (keyCertSign, cRLSign) correctly set?
  These flags indicate the certificate's permitted uses, specifically for signing other certificates and Certificate Revocation Lists.
- Is there a valid CRL Distribution Point (CDP)?
  A working CDP URL is essential for checking the revocation status of certificates issued by this CA.
- Have you compared the fingerprint (hash) with the official source?
  This is a vital step to ensure the certificate's integrity and authenticity, protecting against tampering.
- Do you understand why you need to manually add this root certificate and the associated risks?
  Manual trust should only be configured when necessary and with full awareness of the security implications.
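
The technical items of the checklist above (algorithm and key length, validity, Basic Constraints, Key Usage, CDP, fingerprint) can be checked with the OpenSSL command line on each exported PEM file before you answer. The script below is an added example, not SEPPmail code; its function names, the 256-bit floor for non-RSA keys and the constructed test root are assumptions of the example.

```shell
#!/bin/sh
# Added example, not SEPPmail code: the technical checklist items for one PEM file.
# Usage: sh check_root.sh root.pem "SHA-256 fingerprint from the CA's official source"

check() {  # check <label> <command...>: run the command, print PASS/FAIL, count failures
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fails=$((fails + 1)); fi
}
has()  { printf '%s\n' "$text" | grep -q "$1"; }            # search the decoded certificate
norm() { printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'; }  # fingerprint without separators
strong_sig() { case $sig in ""|*[Mm][Dd][25]*|*[Ss][Hh][Aa]1*) return 1 ;; esac; return 0; }
cert_sign()  { has 'Certificate Sign' && has 'CRL Sign'; }
valid_now()  { openssl verify -CAfile "$cert" "$cert" >/dev/null 2>&1; }  # checks both dates
fp_match()   { [ "$(norm "$fp")" = "$(norm "$expected_fp")" ]; }

check_root_cert() {  # returns the number of failed items (99 if the file cannot be parsed)
    cert=$1; expected_fp=$2; fails=0
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 99
    fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 | cut -d= -f2)
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    # RSA needs 2048 bits; the 256-bit floor for other key types is this example's assumption.
    min=256; if has 'Public Key Algorithm: rsaEncryption'; then min=2048; fi

    check "signature algorithm is not MD2/MD5/SHA-1 ($sig)" strong_sig
    check "key length ${bits:-?} bit (minimum $min)" [ "${bits:-0}" -ge "$min" ]
    check "valid now (Not Before / Not After)" valid_now
    check "Basic Constraints: CA:TRUE" has 'CA:TRUE'
    check "Key Usage: keyCertSign and cRLSign" cert_sign
    check "CRL Distribution Point present (URL not fetched)" has 'X509v3 CRL Distribution Points'
    check "SHA-256 fingerprint matches the official value" fp_match
    echo "SHA-256 fingerprint of file: $fp"
    return "$fails"
}

# Constructed sample input: a throwaway self-signed root written to directory $1.
make_constructed_root() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3' 'prompt=no' \
        '[dn]' 'CN=Constructed Test Root' '[v3]' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'crlDistributionPoints=URI:http://crl.example.invalid/root.crl' > "$1/root.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config "$1/root.cnf" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
}

if [ "$#" -ge 1 ]; then check_root_cert "$@"; fi
```

The reputation, CPS/CP and risk questions remain manual steps, as does obtaining the official fingerprint from the CA through a separate channel.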