Public Key Infrastructure
To configure the Domain PKI settings, use the WebAdmin Interface to open the Domain Settings page for the target Domain, and click the Security link. The PKI page will appear:This option allows you to specify the PKI Mode for this Domain,
The Server-wide Test Certificate uses the Server Main Domain name as its Subject and Stalker Software, Inc. as the Issuer. The Test Certificate expires 30 days after the last Server restart time.
Note: depending on your server hardware platform, it can take up to several seconds to generate a 2048-bit Key.
Only after you assign a Private Key, the Certificate-related fields will appear on the Security page.
You can use any third-party program (such as OpenSSL) to generate a Private Key. You should instruct that program to output the Private Key in the PEM format (as shown below). Select "Custom" in the Size: menu and click the Generate Key button. A text field appears. Copy the PEM-encoded Key into that text field, and click the Generate Key button:
Note: Make sure that the key you import is not password-encrypted. Something like the following starting lines:
-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-CBC,90C96A721C4E4B0B GzLyio+Or3zXm1N7ILWlYDsR6cgPlzHomAxi6aeUthl4lSqBHaqMlh+/76I/6sNx .................indicate that the Private Key is encrypted and it cannot be imported into the Server.
If the Private Key is set correctly, and the Key can be used for public/private key cryptography, you will see the following panel:
If the Key Test field indicates an error, the imported Private Key cannot be used for public/private key cryptography.
Use the Remove button if you want to remove the entered Domain Private Key. Since the Domain Certificate can be used with one and only one Private Ke, it becomes useless when you delete the Private Key, so the existing Domain Certificate will be removed, too.
A Domain must have a Certificate to support PKI functions.
The Domain Certificate name (the Common Name part of the Certificate Subject field) should
match the domain name used by client applications.
If a CommuniGate Pro Domain has Domain Aliases, attempts to connect to the Server using a Domain Alias name will result in warning messages on the client workstations notifying users about the name mismatch. Since a Certificate can contain only one name, select the name (the real Domain name or one of the Domain Aliases) that your users will use in their client application settings. If your CommuniGate Pro Domain name is company.dom, and that domain name does not have a DNS A-record, but the Domain has an Alias mail.company.dom that has an A-record pointing to the CommuniGate Pro Server, your users will use the mail.company.dom name in their client settings and WebUser Interface URLs, so the Domain Certificate should be issued for the mail.company.dom name rather than the company.dom name.
You may also use "wildcard" domain names for your certificates. If the Domain name has at least 2 components, the Common Name menu will contain a "wildcard" domain name: the name of the Domain with the first component substituted with the asterisk (*) symbol. If the Domain name has only 2 components, the asterisk component is added to form a 3-component name.
To create a Certificate, fill the fields in the Certificate Attributes table:
All other fields are optional.
You can create a Self-Signed Certificate if you do not want to use any external
Click the Generate Self-Signed button and the CommuniGate Pro Server creates a Self-Signed certificate for you: the Issuer will be same entity you have specified, and the entire Certificate will be signed using the Domain Private Key. When a Domain has a Self-Signed Certificate, client applications will warn users that the addressed server has presented a certificate "issued by an unknown authority". Users can "install" self-signed certificates to avoid these warnings.
You can Click the Generate Self-Signed button when a Self-Signed Certificate is already assigned. In this case the Server creates a new Self-Signed Certificate with the same serial number, but with new validity period.
To receive a Certificate from an external source ("trusted authority"), click the Generate Signing Request button. A text field containing the PEM-encoded CSR (Certificate Signing Request) will appear:
Copy the CSR text and submit it to the Certification Authority (CA) of your choice. You can submit via E-mail or using a Web form on the CA site. The Certification Authority should send you back the signed Certificate in the PEM-format. Enter that Certificate into the bottom field and click the Set Certificate button.
If the Certificate is accepted, the Certificate information is displayed:The Certificate panel shows the Certificate Issuer (the Certificate Authority), the Certificate Subject (the data you have entered and the selected domain name), the Certificate serial number and the validity period of this Certificate.
Note: the entered Private Key and Certificate will be used for the Domain secure communications ONLY if the Secure Certificate To Use option is set to Yes.
Note: the Certificate contains the Domain name or a Domain Alias as a part of
the "Subject" data.
When you rename the CommuniGate Pro Domain, the domain name in the Domain Certificate does not change, and the client applications may start to warn users about the name mismatch.
Click the Remove Certificate button to remove the Domain Certificate.
When you receive a Certificate from a Certificate Authority that is not listed as a "trusted authority" in the client software settings, that intermediate Certificate Authority (CA) should also give you its own Certificate signed with a "trusted authority". That Certificate should be in the same PEM format as your Domain Certificate:
The CA Chain may include several certifcates: the first one certifies the issuer of the Domain Certificate you have entered, but it itself may be issued by some intermediate authority. The next Certiciate certifies that intermediate authority, etc. The last Certificate in the chain should be issued by some authority "known" to client software - usually, some Root Authority.
If your CA Chain contains several separate PEM-encoded Certificates, enter all of them into the Certificate Authority Chain field. The Certificate issued by a Root Authority should be the last one in the list.
Click the Set CA Chain button to assign the Certificate Authority Chain to the Domian. If all Certificates in the Chain are decoded successfully and their format is correct, the CA Chain list is displayed:
Note: CommuniGate Pro checks only the format of each Certificate in the Chain. It does not check that each Certificate really certifies the issuer of the previous Certificate and that the last certificate in the Chain is issued by a Root Authority.
When set, the Certificate Authority Chain is sent to clients together with the Domain Certificate.
Click the Remove CA Chain button to remove the Certificate Authority Chain from the Domain Security Settings.
Your users can "install" your Domain Certificates into their Trusted Authorities lists. Once installed, the Certificate becomes a "trusted" one. For some programs (such as Mac versions of Microsoft Outlook and Outlook Express) installing an "untrusted" Certificate is the only way to use that Certificate for secure communications.
To install a Domain Certificate, the user should use a browser application and open the login page of the WebUser Interface for the selected Domain. If the Domain has an enabled Certificate, the Secure Certificate link appears. The user should click on that link to download the Domain Certificate and "open" it. The browser should allow the user to verify the Certificate and to install it into the list of Trusted Authorities.
A Certificate is considered valid if:
There are several sets of the Trusted Certificates:
When a PKI operation is peformed for a certain Domain (or for a certain Account in that Domain), the following Trusted Certificates are checked:
When a PKI operation is peformed for the System itself (for example, an outgoing TLS connection is being estanlished), the following Trusted Certificates are checked:
To update the set of Server-wide and Cluster-wide Trusted Certificates, open the Domains section
of the WebAdmin Interface and follow the Security link.
To update the set of the Domain-wide Trusted Certificates, use the WebAdmin Interface to open the Domain Settings page of the target Domain, open the Domain Security pages and follow the Trusted link.
The Trusted Certificates page will open:
Trusted Certificates included into the displayed set have a checkbox marker. To remove certain Trusted Certificates, select its checkbox and click the Remove Marked button.
In addition to the certificates from the displayed set, the Domain-wide pages display
the built-in Trusted Certificates, and the Trusted Certificates from
the Server-wide set (or from the Cluster-wide set for Shared Domains).
The Server-wide and Cluster-wide Trusted Certificates pages display the the built-in Trusted Certificates.
These additional certificates do not have checkbox markers.
To add a Certificate to the set, enter the PEM-encoded Certificate data into the text field and click the Add Certificate button. The new Certificate should appear in the displayed set.
The CommuniGate Pro Server supports SSL/TLS connections for all its TCP-based services and modules. Secure connections can be established in two ways:
Certificates for SSL/TLS communications can be assigned only to the CommuniGate Pro Domains that have at least one assigned network (IP) address. This limitation comes from the design of the TLS protocols used today: when a client application wants to initiate a secure connection, the Server has no information about the Domain the client wants to connect to. The Server knows only to which local IP address the client has connected, so it opens the Domain this IP address is assigned to, and uses the PKI Settings of that Domain.
To specify the Server-wide SSL/TLS processing parameters, open the Obscure page in the Settings section of the WebAdmin Interface:
Use the WebAdmin Interface to open the Domain Settings page for the target Domain, and click the Security link. The PKI page will appear:
To use end-to-end S/MIME security, individual users should have their own PKI keys. Each user should have a Private Key securely stored in a storage available to that user only, and a matching Public Key embedded into a Certificate. This Certificate should be issued by a Certificate Authority that other users trust.
CommuniGate Pro WebUser Interface supports S/MIME functions. It offers a secure storage for user Private Key. If a desktop client application is used instead of the WebUser Interface, the user Private Key should be stored in the PKI storage of the desktop operating system. The WebUser Interface can export and import Private Keys, so the user can use the same Private Key for desktop applications and for the WebUser Interface. See the Secure Mail section for more details.
A CommuniGate Domain can act as a Certificate Authority for all its Accounts if:
To specify Domain S/MIME settings, use the WebAdmin Interface to open the Domain Settings pages. Open the Security page and click the S/MIME link. If the Domain has a valid Private Key, a page similar to those for the generic Domain Certificate are displayed. These fields can be used to enter a special S/MIME certificate for the Domain. This Certificate is used as the Issuer (Certificate Authority) for all S/MIME Certificates requested by users in this Domain.
If the special S/MIME Certificate is not specified, then the generic Domain Certificate is used as the Issuer Certificate.
The Store Encrypted Rule action is used to encrypt incoming E-mail messages and store them in the specified mailbox.
Messages are encrypted using the S/MIME Certificate of the mailbox owner. If the Store Encrypted Rule action is used in an Account-Level (i.e. in an Account or in a Domain-wide) Rule, and the specified mailbox does not belong to the user Account, the message is encrypted using the Certificates of the mailbox owner and the current Account.