Configure a Trust Center connection

You can allow an external Certificate Authority's Trust Center to automatically issue S/MIME Secure Multipurpose Internet Mail Extensions (S/MIME) is a specification for secure email messages that uses the X.509 format for digital certificates and uses various encryption algorithms such as 3DES. certificates. This will allow Secure Email Gateway to automatically request the Trust Center to issue user certificates whenever necessary for users within designated LDAP address lists. Certificates that are generated in this way do not need to be separately created and imported, and make it easier to request multiple certificates at once.

Trust Center restrictions

Secure Email Gateway only supports SwissSign.

In the recent past, its production server was changed from https://ra.swisssign.net/ws/cmc to https://cmc.swisssign.ch/ws/cmc. As a result, from version 5.6.0, Secure Email Gateway uses the new production server by default.

• New installation: the new production server will be used

• Upgrading: the existing production server (old server) will be changed to the new one

To be able to use the new production server in Secure Email Gateway , you may need to change your authentication settings. If you consider upgrading to version 5.6.0, we recommend that you consult our Technical Support first for advice.

Depending on the product type you have with SwissSign, such as "Mail ID Silver" and "Mail ID Gold", there may be restrictions on what can be configured and displayed. Below is a general reference when you use the new production server.

• Default country is the only mandatory field
• Other fields can be filled in, but they will be ignored

Field	Silver account	Gold account
Default Common Name	Leave empty	Leave empty
Default Company	Leave empty	Leave empty
Default Department	Leave empty	Leave empty
Default State	Leave empty	Leave empty
Default County	Select a country	Select a country

Due to the change stated above, this section is subject to change.

LDAP Attribute Mapping

LDAP address list configuration relies on attribute mapping to manage settings such as name and email address on generated certificates. When configuring the attribute fields, you will need to specify the name of the LDAP attribute that the field should reference. For example, you might enter an LDAP attribute of mail into the Email field, instead of manually entering an email address. The attribute you enter into the fields can be any of those configured in your LDAP server.

However, there are restrictions to LDAP attribute mapping, based on the SwissSign product type you have.

For a number of optional LDAP attribute mapping fields, you can choose to leave the fields blank and specify a default under Certificate Details instead. These defaults will be used for any certificate A digital means of proving your identity. When you send a digitally-signed message, you are sending your certificate and public key. Certificates are issued by a certification authority and can expire or be revoked. attributes for which the LDAP address list mapping returns an empty value. Refer to How do I...Configure certificate details? for more information.

How do I...

• Configure a Trust Center connection?

  1. Navigate to System > Encryption > Trust Center Configuration. The Trust Center Configuration page is displayed.

  2. In the Trust Center Authentication panel, click Click here to change these settings.

  3. Specify the account and product name that will be used for communication with the Trust Center.

  4. Click Save.

  5. In the Trust Center Client Certificate panel, click Click here to change these settings.

  6. Select the certificate and private key The secret key kept on the sender's computer that the sender uses to digitally sign messages to recipients and to decrypt messages from recipients. Private keys should be password protected. and specify a passphrase.

     These files must be PEM files.

     The private key provided by SwissSign is a P12 format but must be converted to a PEM format for use in Secure Email Gateway. To convert the key file format, run the following command: openssl pkcs12 -in my_key.p12 -out my_key.pem -nocerts -nodes where my_key.p12 is the path to the key provided by SwissSign, and my_key.pem is the output filename for the key to be uploaded into the Gateway. When prompted for a password, enter the password for the private key you are trying to convert.

  7. Click Save.

• Configure automatic certificate generation?

  1. Navigate to System > Encryption > Trust Center Configuration. The Trust Center Configuration page is displayed.

  2. In the Automatic Certificate Generation panel, click Click here to change these settings.

  3. Click the Enable Automatic Certificate Generation check box and select the Gateway peer you want to generate certificates.

  4. Specify how many days before which an expiring certificate will be renewed.

     The default number of days before which an expiring certificate is renewed is 28, but you can enter any number of days between 0-365.

  5. Click Save.

• Configure a Trust Center to reference LDAP Address Lists?

  1. Navigate to System > Encryption > Trust Center Configuration. The Trust Center Configuration page is displayed.
  2. In the LDAP Address Lists panel, click Add.

  3. In the Add LDAP Address List dialog, select an LDAP Address List from the drop-down menu.

     If you haven't yet created any LDAP Address Lists, you will need to do this before you can continue. You can click Email Addresses in the task panel to open the Manage Email Address Lists page where this is configured. See LDAP Synchronized Address Lists for more information.

  4. Specify an Email for LDAP attribute mapping.
  5. Optionally, specify the LDAP attributes for common name, company, department, state, and country.
  6. Click Add.
• Edit, copy, or enable LDAP Address List settings?

  To edit:

  1. Navigate to System > Encryption > Trust Center Configuration. The Trust Center Configuration page is displayed.
  2. In the LDAP Address Lists panel, select the address list that you want to edit and click Edit.
  3. You can change any of the details in the Edit LDAP Address List dialog, including changing the address list used, but you must have a name and email specified to save your changes.
  4. Click Update.

  You can remove an address list from the Trust Center Configuration by selecting the address list in the table and clicking Remove. Alternatively, if you only want to disable an address list from Automatic Certificate Generation without removing it from the table, select the address list and click Disable.

  To copy:

  1. Navigate to System > Encryption > Trust Center Configuration. The Trust Center Configuration page is displayed.

  2. In the LDAP Address Lists panel, select the address list that you want to copy and click Copy.

     A copy of the LDAP Address List is added to the table.

• Configure certificate details?

  1. Navigate to System > Encryption > Trust Center Configuration. The Trust Center Configuration page is displayed.
  2. For the Certificate Details panel, click Click here to change these settings.
  3. Set the Validity Period from the drop-down menu.
  4. Set a Key Strength of 2048, 3072, or 4096.
  5. If you did not specify a company, department, state, or country in the LDAP Address List attribute mapping, or want to specify a default value as a fallback in case the attributes could not be retrieved, specify the defaults you want to use for these fields.
  6. Click Save.
• Test my Trust Center connection?

  1. Navigate to System > Encryption > Trust Center Configuration. The Trust Center Configuration page is displayed.

  2. In the task panel, click Test Trust Center Connection.

     If the Trust Center was configured correctly and can be authenticated, you will be notified that this connection is valid and can close the dialog. Otherwise, you will be notified that authentication could not be validated and you will need to reconfigure the connection and test it again until it is successful.

See also...

• View and enable signing certificates
• Generate S/MIME or PGP private key
• Mail Encryption Endpoints