User Guide. MailMarshal Secure 5.5. August 2006

Transcription

1 User Guide MailMarshal Secure 5.5 August 2006

2 THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, MARSHAL LIMITED PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME JURISDICTIONS DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU. This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Marshal, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Marshal. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Marshal may make improvements in or changes to the software described in this document at any time Marshal Limited, all rights reserved. U.S. Government Restricted Rights: The software and the documentation are commercial computer software and documentation developed at private expense. Use, duplication, or disclosure by the U.S. Government is subject to the terms of the Marshal standard commercial license for the software, and where applicable, the restrictions set forth in the Rights in Technical Data and Computer Software clauses and any successor rules or regulations. Marshal, MailMarshal, the Marshal logo, WebMarshal, Security Reporting Center and Firewall Suite are trademarks or registered trademarks of Marshal Limited or its subsidiaries in the United Kingdom and other jurisdictions. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.

3 Contents About This Book and the Library...vii Conventions...viii About Marshal...ix Chapter 1 Introducing MailMarshal Secure 1 What is S/MIME?...1 Encryption...2 Signing...2 How Does MailMarshal Secure Work?...2 Options for Using MailMarshal Secure...3 Online Help...3 Chapter 2 Configuration 5 Installing MailMarshal Secure...5 Configuring MailMarshal Secure...6 Server Properties: Secure Security Policies dialog...9 Server Properties: Internet Access...13 Setting Up S/MIME Features...15 S/MIME Repair Functions...15 Repair Certificates...15 Repair Certificate s...16 Repair Certificate Key Containers...16 Repair Private Keys...16 Contents iii

4 Chapter 3 Certificates 17 Working with Certificates Backing Up Certificates Creating a Certificate Folder Creating a New Certificate General Extensions Subject Names Certificate Usage/Finish Certificate Tasks Checking Imported Certificates Exporting Certificates Certificate Search Main Conditions Status Trust Search Options Certificate Properties General Usage Certificate Details Certification Path Proxy Certificates New Proxy Certificate Domain Address Chapter 4 Private Keys 37 Backing Up Keys iv User Guide

5 Private Keys Tasks...38 Export Private Key...38 Create Key...39 Private Key Properties...40 Private Key...40 Details...40 Chapter 5 Certificate Requests 41 Creating a Certificate Request...42 Extensions...44 Subject Names...45 Finish/Export...45 Chapter 6 Certificate Revocation Lists 47 CRL Properties...47 General...48 Parameters...48 Entries...49 Chapter 7 Secure Rules 51 Basic Secure Rules...51 Contents v

6 Rule Conditions-Secure Rules Where message is encrypted and cannot be decrypted Where message is encrypted and can be decrypted Where encryption certificate is invalid Where message is not encrypted Where message is signed and cannot be verified Where message is signed and can be verified Where message is not signed...56 Where message cannot be encrypted for any secure recipient: Rule Actions-Secure Rules Copy unknown certificates to database folder Sign message with certificate Encrypt message with certificate Do not decrypt message Advanced Secure Rules Multiple Gateway-to-Gateway Encryption Partners Gateway-to-Desktop Encryption Partners Index 65 vi User Guide

7 About This Book and the Library The User Guide provides conceptual information about MailMarshal SMTP. This book defines terminology and various related concepts. Intended Audience This book provides information for individuals responsible for understanding MailMarshal SMTP concepts and for individuals managing MailMarshal SMTP installations. Other Information in the Library The library provides the following information resources: User Guide Provides conceptual information and detailed planning and installation information about MailMarshal SMTP. This book also provides an overview of the MailMarshal SMTP user interfaces and the Help. MailMarshal Secure User Guide Provides detailed information about how to configure and use the S/MIME secure functionality in MailMarshal SMTP. Help Provides context-sensitive information and step-by-step guidance for common tasks, as well as definitions for each field on each window. About This Book and the Library vii

8 Conventions The library uses consistent conventions to help you identify items throughout the documentation. The following table summarizes these conventions. Convention Use Bold Window and menu items Technical terms, when introduced Italics Book and CD-ROM titles Variable names and values Emphasized words Fixed Font File and folder names Commands and code examples Text you must type Text (output) displayed in the command-line interface Brackets, such as [value] Optional parameters of a command Braces, such as {value} Required parameters of a command Logical OR, such as value1 value2 Exclusive parameters. Choose one parameter. viii User Guide

9 About Marshal With new threats disrupting business, productivity and wrecking reputations every day, Marshal content security solutions take a proactive approach to identifying and web vulnerabilities to protect over seven million international users in 17,000 companies from the risks of and Internet-based threats. Marshal Products Marshal's Content Security solution, which includes MailMarshal SMTP, MailMarshal Exchange and WebMarshal, delivers a complete and Web security solution to these risks by acting as a gateway between your organization and the Internet. The products sit behind your firewall but in front of your network systems to control outbound documents and their content. By providing anti-virus, anti-phishing and anti-spyware protection at the gateway, Marshal's Content Security solution offers you a strategic, flexible and scalable platform for policy-based filtering that protects your network, and as a result, your reputation. Contacting Marshal Please contact us with your questions and comments. We look forward to hearing from you. For support around the world, please contact your local partner. For a complete list of our partners, please see our website. If you cannot contact your partner, please contact our Technical Support team. Telephone: Sales Support: Website: +44 (0) (EMEA) (Americas) (Asia-Pacific) info@marshal.com About Marshal ix

10 x User Guide

11 Chapter 1 Introducing MailMarshal Secure MailMarshal Secure is an additional module of MailMarshal SMTP that implements the S/MIME (Secure MIME) standard for encryption and signing of messages using the Public Key Infrastructure. MailMarshal Secure can communicate securely with any other encryption product that uses the S/MIME standard; communication is not limited to MailMarshal sites. What is S/MIME? S/MIME is an industry standard method of protecting privacy using the Public Key Infrastructure (PKI). MailMarshal Secure interoperates with other S/MIME aware products, whether server-based or workstation-based. PKI begins with two digital Keys, known as the Public and Private Key. Public Keys are made freely available, while Private Keys are kept secret and secure. The Public Key can be contained in a digital certificate and distributed. A Certificate may be generated within MailMarshal, or issued by a trusted authority. The Keys are known as an asymmetric pair ; messages encrypted using the Public Key can be read with the Private Key. Public Certificates are maintained in a database such as MailMarshal's Certificate Database. A Certificate may be exported into a file which is made available to sites with which S/MIME will be exchanged. Chapter 1 Introducing MailMarshal Secure 1

12 PKI allows to be processed in two ways, known as Encryption and Signing. They are often used together-a message may be both encrypted and signed. Encryption Signing Encryption is the scrambling of a message so that it is illegible until decrypted. Typically sent to a site will be encrypted with the recipient's Public Key (which any sender may have); such messages can only be decrypted by the recipient using their Private Key. Signing involves processing a message using a Private Key, to generate a unique block of data known as the signature. The sender signs a message using her Private Key. This signature is sent with the original message. The recipient can verify that the message is unchanged and that it originated from the sender, by testing it using the sender's Public Key. How Does MailMarshal Secure Work? MailMarshal Secure allows the administrator to set and enforce policies for the encryption, decryption, signing, and verification of S/MIME messages. Within Server Properties, basic policies governing allowable standards of security are set. The policies are applied to messages using an additional type of Rules, known as Secure Rules. These Rules are created and applied in the same way as standard MailMarshal SMTP Rules. MailMarshal Secure is also used to create, harvest, and manipulate the digital certificates used for S/MIME . The security information may be stored in a software cryptographic provider (such as the one supplied by default with Windows 2000), or optionally in a third-party cryptographic accelerator such as those supplied by ncipher. 2 User Guide

13 Options for Using MailMarshal Secure MailMarshal Secure can be used to encrypt messages from gateway to gateway, desktop to desktop, or gateway to desktop. Brief explanations of these options are given below. Details of the MailMarshal Rules required to implement these options may be found elsewhere in this Manual. 1. Gateway to Gateway: All encryption and decryption of messages is completed at the server. Internal networks are trusted for security purposes. This mode is easy to set up and run, because all setup and maintenance is done at the server. Users simply send and receive . MailMarshal can stamp incoming encrypted messages as valid, and can also perform content checks on the messages. The basic rules given in Chapter 7, Secure Rules, support this method. 2. Desktop to Desktop: Encryption and decryption takes place at the client (such as Microsoft Outlook). In this case, MailMarshal can still perform content checks if the messages are also encrypted with a certificate for which MailMarshal holds the private key. Messages for which MailMarshal does not hold the key may be passed through unscanned, or rejected, according to local policy. 3. Gateway to Desktop: MailMarshal can sign outbound messages with a proxy certificate so that the receiving client recognizes the message as validly signed from the sending address. MailMarshal must hold public keys for all external addresses to which messages are to be encrypted. This option is used where MailMarshal performs gateway encryption, but the remote recipient uses desktop encryption software. Example rules to support this method are given in Chapter 7, Secure Rules. Online Help MailMarshal provides online help for assistance during installation and use of the software. Help is accessed through the Help menu or by pressing the [F1] key. Extended up-to-the-minute support is available on the Marshal website. The website at features news, a support Knowledge Base, Discussion Forum, and maintenance upgrades. Chapter 1 Introducing MailMarshal Secure 3

14 4 User Guide

15 Chapter 2 Configuration Installing MailMarshal Secure MailMarshal Secure is available on the MailMarshal CD-Rom or in the downloadable MailMarshal SMTP installation file. The product requires an S/MIME enabled License Key, available from Marshal. MailMarshal Secure requires Windows 2000, Windows XP Professional, or Windows Server 2003, and MSDE or a Microsoft SQL server to host the Public Certificate Database. To install the MailMarshal Secure module, run the MailMarshal installer from the Windows Control Panel. If MailMarshal is already installed, on the Welcome page select Modify. On the Select Setup Type page, choose to install MailMarshal S/MIME Server. (For additional details of the installation process, please see the chapter Installation in the MailMarshal SMTP User Guide.) Chapter 2 Configuration 5

16 After installation, open the License Info tab of Server Properties and enter the S/MIME enabled License Key. Notes It is very strongly recommended, for speed, security, and availability reasons, that the Certificate Database be installed on the MailMarshal Server computer. In some cases (for instance, a cluster installation) the Certificate Database can be created on a different server. We recommend a 128 Bit Encryption version of the operating system. Some early international releases of Windows 2000 were only 40 bit. To check the encryption level of a machine, within Internet Explorer click on Help > About. The 'Cipher Strength' value shows the encryption level of the machine. Configuring MailMarshal Secure Once the S/MIME module is installed and licensed, two tabs of Server Properties are used to configure this module: Secure and Internet Access. 6 User Guide

17 Server Properties: Secure On this tab, check the box Enable Secure to enable MailMarshal Secure.. Certificate Database Click the button Choose Database to connect to a Certificate Database. In the Create/Select Database dialog, enter the location of the SQL Server or MSDE computer where the database will reside. It is very strongly recommended for speed, security, and availability reasons that this be the MailMarshal server. The database will not grow large. If a database exists in the location selected, check recreate database to delete it. Chapter 2 Configuration 7

18 Click OK to return to the Secure tab. Cryptographic Service Provider Select a provider from the list. The Cryptographic Service Provider is the software or hardware used to store and manipulate Private Keys. Note Changing Cryptographic Service Providers may cause Keys stored in the old Provider to be lost. This will occur if changing between software and hardware Providers, or if changing from a higher to a lower level of encryption. When changing Providers, you should be prepared to restore all Keys from backup (though this will not typically be necessary). Default Key Exchange Algorithm Select an algorithm from the list. This setting defines the level of encryption used when appending a key to an message. The available choices may vary depending on the Cryptographic Service Provider selected. Higher encryption levels are more secure but will require additional processing resources. Default Encryption Algorithm Select an algorithm from the list. This setting defines the default level of encryption that will be used when Secure Rules are created. Select the highest level compatible with the software at other locations with which encrypted is exchanged. The available choices may vary depending on the Cryptographic Service Provider selected. Default Hashing Algorithm Select an algorithm from the list. This setting defines the default hashing or thumbprint that will be used for signing by Secure Rules. SHA-1 is preferred but other settings may be used where necessary for compatibility with remote locations. 8 User Guide

19 Security & Certificate Policies Select a security level using the radio buttons. Alternatively, click Policies to view and change the options in force using the Security Policies dialog. Note The Strict option selects a restrictive set of security policies, which would typically be used by a site requiring all to be encrypted and signed with Certificates guaranteed by a third-party Certificate Authority. The Moderate option selects a looser set of policies, which would typically be used by a site using self-signed Certificates to encrypt and sign for exchange with known and trusted partners. Custom allows a locally created set of policies to be created; however selecting the Strict or Moderate button resets any customizations. Security Policies dialog This dialog allows selection of several settings governing the creation and application of Secure Rules. Chapter 2 Configuration 9

20 The dialog has three tabs: General Permit generation of certificates: When this option is checked, MailMarshal can create self-signed Certificates and also create proxy individual certificates on the fly. De-selecting (unchecking) this option is the more secure choice. Permit exportable private keys: Private Keys created when this option is checked can be exported to other products or locations. De-selecting (unchecking) this option is the more secure choice. Allow manual editing of addresses: When this option is checked, addresses associated with Certificates can be added, changed, and deleted. (Addresses which form part of the original Certificate cannot be edited.) De-selecting (unchecking) this option is the more secure choice. Continue to use Certificate Revocation Lists: This option is used to provide a default grace period for technical delays in retrieving CRL updates. Enter the grace period. A Certificate will still be usable during the grace period after the replacement time of the CRL. This setting may be overridden in the properties of each CRL (See below). Algorithms Note If keys are marked non-exportable, they cannot be backed up routinely. MailMarshal Secure offers the option to back up non-exportable keys once, when they are created. This tab allows selection of the order of preference in which algorithms will be used or exposed for each function (key exchange, encryption, and hashing). In general, the stronger (higher bit count) algorithms are preferred as more secure, but also require additional processing time and may raise compatibility issues. The selections made here affect the options available during Secure Rule creation. 10 User Guide

21 For each algorithm type, select a specific algorithm and use the up and down arrows to set its place in the list. Click Delete to remove it from the list of usable algorithms. Click Add to add any algorithm available from the selected Cryptographic Service Provider to the list. (Set the default choice for each algorithm using the drop-down boxes on the Secure tab of Server Properties.) Processing Expose algorithm capabilities on outbound When this option is selected, MailMarshal will encode information on the algorithms it can use within outbound secure messages. A remote server could use this information to determine the most secure settings to be used on mail between the two servers (See Below). Mail administrator when private key certificates are due to expire: When this option is selected, MailMarshal will monitor the upcoming expiry of Certificates and send warnings to the administrator. Select the number of days prior to expiry when these warnings should start. Chapter 2 Configuration 11

22 Retrieve new certificates from a designated LDAP servers when certificates are due to expire: When this option is selected, MailMarshal will attempt to retrieve updated public-key Certificates to replace ones which are nearing expiry. Select the number of days prior to expiry when these attempts should start. To configure groups for which automatic retrieval will occur, use the final page of the Certificate server LDAP connection wizard. See the chapter LDAP Connections in the MailMarshal SMTP User Guide. 12 User Guide

23 Server Properties: Internet Access This tab of Server Properties is used to define the path for HTTP and FTP connection to the Internet. This connection is used by MailMarshal Secure to retrieve certificate revocation and renewal information. Select the configuration method using the radio buttons: Chapter 2 Configuration 13

24 Preset Configuration MailMarshal uses the configuration settings for the account under which the MailMarshal Controller service is running. Note By default the Controller service runs under the Local System account. For this selection to be useful the Controller should be run using another account with administrator privilege. Direct access No special configuration is required; the Internet is available from this computer without a proxy. Proxy MailMarshal connects to the Internet using the proxy server details provided. Only Basic Authentication is supported. Proxy Name: The name of the proxy server computer. This may be a local computer name, fully qualified domain name, or IP address. Port: The port number on which the proxy server accepts requests (typically port 8080). User Name: The user name may include NT domain information in backslash format (e.g. ourcompany\username). Password: The password associated with the user name (entered twice for confirmation). 14 User Guide

25 Setting Up S/MIME Features In addition to the configuration options selected in Server Properties, preparing MailMarshal Secure's S/MIME features for use involves three steps: 1. Create or import a Domain Certificate (also known as a Server Certificate) for each local domain that will use signing and/or encryption. The same certificate may be used to process for several domains using Gateway-to-Gateway encryption. See Chapter 3, Certificates. 2. Exchange certificates with other sites. Since messages will typically be encrypted and signed in both directions between two or more organizations, each must have the appropriate information to encrypt for, and validate signatures from, the other. See Chapter 3, Certificates. 3. Configure Secure Rules. A basic set of Secure Rules is required to ensure the security of encrypted links with other sites. See Chapter 7, Secure Rules. S/MIME Repair Functions The following functions are available on the All Tasks submenu of the Secure node of the Configurator. No harm can come from selecting any of these actions, although they may take some time to complete if a large number of Certificates are present. Note See Chapter 3, Certificates, and Chapter 4, Private Keys, for more information on these elements. Repair Certificates This action checks the certificate information in MailMarshal's Certificate database against the information in the Certificates (which are stored in the selected Cryptographic Provider). The database is corrected if necessary. Chapter 2 Configuration 15

26 Repair Certificate s This action checks the addresses for each certificate in MailMarshal's Certificate database against the addresses coded in the actual Certificates. The original values are restored. Repair Certificate Key Containers This action ensures that the Key references in MailMarshal's Certificate Database point to the correct Key containers in the Cryptographic Provider. This action may be useful where problems are encountered due to a change in Provider. Repair Private Keys This action checks the Private Key information for each Certificate in MailMarshal's Certificate database against the information in the Cryptographic Provider. This action may be useful where Private Keys may have been changed or imported into the Provider by other applications. 16 User Guide

27 Chapter 3 Certificates Certificates are used to store and exchange Public and Private Keys. Typically certificates containing Private Keys are generated locally or requested from a, then stored securely. They are generally only exported for backup purposes. These Certificates contain the information needed to decrypt , or to sign from a site. Certificates containing Public Keys may be imported from other sites, or exported from MailMarshal for use on other sites. These Certificates contain the information needed to encrypt for sending to a site, or to validate the signature on from a site. Working with Certificates Select the node Certificates in the left pane of the Configurator to work with S/MIME Security Certificates. When the node is selected, a listing of Certificate folders is shown in the right pane. Open any folder to see the available S/MIME Certificates it contains. Chapter 3 Certificates 17

28 A certificate is shown with a lock icon if it has an associated Private Key. A certificate shown with a red border indicates that the Private Key cannot be found or is invalid. Note When a folder has the status Held, certificates in that folder will not be used for encryption. This allows for importation and storage of certificates which have not yet been verified manually. Once approved for use, Certificates should be moved to other folders. Right-click on the Certificates node and click New > Folder to create a new Certificate Folder. Right-click on the Certificates node or a Certificate Folder and click New > Certificate to create a new Certificate (if this action is permitted by the Security Policies). Choose New > Advanced Certificate to see the full range of options. See Creating a New Certificate, below, for details. Backing Up Certificates This is very important. Keep a copy of all Certificates and the associated Private Keys. Export a Certificate to a file by right-clicking on it then clicking Export. The exported information should be kept securely (e.g. on a floppy disk in a safe). If the backup includes a Private Key, the password for the backup file should be kept separate from the file itself. Creating a Certificate Folder Right-click on the node Certificates and click New > Certificate Folder to create a Certificate folder, which will appear in the Configurator under the Certificates node. Enter the name of the folder to be created. 18 User Guide

29 If the box Certificates placed in this folder will not be considered for use is checked, Certificates placed or imported into this folder will not be available for processing. This allows for importation and storage of Certificates which have not be manually verified as trustworthy. If this box is checked when a Folder is created, the Folder will be notated as Held when shown in the left pane of the Configurator. Click OK to create the folder. Creating a New Certificate General Right-click on the Certificates node or a Certificate Folder and click New > Certificate to create a new S/Mime Security Certificate (if this action is permitted by the Security Policies). Choose New > Advanced Certificate to see the full range of options. The Certificate may be self-signed. Alternatively, if the MailMarshal certificate database contains a CA certificate with the necessary attributes, the new Certificate may be signed using this CA Certificate. The General and Usage/Finish pages of the Wizard are always shown. When Advanced Certificate is selected, the Extensions and Subject Names pages are also shown. Common name (required field): This field typically shows the issuer name or certificate purpose. Subject This may be an individual address or a domain address. The Certificate will be valid to encrypt and sign related to this address. Note In most cases, for the Certificate to be used by MailMarshal the subject should be a domain address (see below for a definition). Use the arrow to the right of the field to enter the local part of a domain address. Chapter 3 Certificates 19

30 Organization name: the name of the organization which will use this certificate. Private key: Select a key from the list, or create a new one by clicking Create Key. Folder: Select the Certificate Folder into which to place this Certificate. (If a folder was selected earlier, its name will be entered in this field and cannot be changed.) A new folder may also be created - enter a name for it. Note To allow the Certificate to be used immediately, do not place it in a Folder marked Held. Validity dates: Select starting and ending validity dates for this Certificate. The default is a validity of one year beginning immediately. Issued by: Select the authority for the new certificate to be issued by. The choices in this list will include self-signing and any Certificates in the database marked as CA certificates that include a Private Key. (See Below). 20 User Guide

31 Extensions This page allows addition of optional information to the Certificate. It is only shown in the Advanced version of the wizard. Key Usage: Check the boxes corresponding to the purposes for which this certificate is to be used. By default the first four boxes are checked as these items are required for MailMarshal to use the Certificate. Digital Signature: Certificate can be used to sign a message assuring its origin and integrity. Non-Repudiation: Certificate can be used to guarantee acceptance of a transaction (e.g. to provide a receipt). Key Encryption: Certificate can be used to encrypt a key for inclusion with an . Data Encryption: Certificate can be used to encrypt the data in an . Certificate Signing: Certificate can be used to verify the trust of another Certificate. Chapter 3 Certificates 21

32 Key Agreement: Certificate can be used to agree on a private key over insecure networks. Constraints: Select whether this Certificate is to be recognized as coming from a Certificate Authority. If it is, specify the path length or number of intermediate certificates in a chain of trust which it can guarantee. Addresses: This list should contain any addresses (in addition to the domain address) for which this Certificate should be valid. Click Add to add an entry to the list. Select an entry and click Delete to remove it from the list. Doubleclick an entry to edit it. When adding or editing an address, use the arrow to the right of the field to enter the local part of a domain address. CRL Distribution Point: Optionally enter one or more URLs where Certificate Revocation Lists affecting this Certificate may be found. Subject Names Note This option must be selected if the Certificate is to be used to generate Proxy Certificates. This page shows a list of all text fields within the Subject of the certificate. It is only shown in the Advanced version of the wizard. Select any existing field to edit or delete it. To edit, click Edit then modify the text in the edit field. To delete the selected field click Delete. 22 User Guide

33 To add a new field, choose an available field name from the drop-down list, enter the desired text in the edit field, then click Add. Chapter 3 Certificates 23

34 Certificate Usage/Finish This page shows several parameters which affect the purposes for which the Certificate may be used. Trust Choose the level of trust for the certificate. If the new Certificate is signed by a CA Certificate, typically it should inherit trust from the issuer. Always Trusted allows the certificate to be used for encryption or signing of messages (subject to the expiry or revocation of the certificate). Never Trusted will cause messages related to this certificate to be rejected. Inherits Trust from Issuer (only available for CA issued certificates) bases the trust level on the trust for the root or intermediate certificate to which this certificate is chained (See Below). 24 User Guide

35 Preferred Use Check the appropriate boxes to indicate whether the certificate is preferred for encryption and/or signing purposes. Note If the preferred certificate is not usable (e.g. because it is out of date), another certificate for the same domain will be used, if available. This may cause an encrypted message to be undecryptable if the recipient does not have the appropriate key for the other certificate. For Messages Signed with this certificate: Choose whether to leave or strip (remove) a signature based on this key when it is found on incoming . Leave the signature: The signature is left on the delivered to the client. Strip the signature (default action): The signature is stripped from all incoming signed with this certificate. Strip the signature when domain signed: The signature is stripped from incoming signed with this certificate when it is domain signed (e.g. signed by another MailMarshal gateway). The signature should be left in desktop to desktop encryption situations so it can be verified by the client software. Otherwise it may safely be stripped (since MailMarshal will have verified it). Certificate Tasks Double-click any Certificate to view and edit its properties in the Certificate Properties dialog. Right-click a Certificate Folder and click Import to import one or more Certificates into this folder from a file. (This includes CA Certificates which have been requested using MailMarshal's Certificate Request facility.) Chapter 3 Certificates 25

36 When importing a Certificate, you may be prompted to choose whether the certificate is trusted. When importing a Certificate with a Private Key, you will be prompted for a password. Right-clicking a Certificate presents the following options. Not all options are available for every Certificate. Export: Export this certificate to a file. (This action will only be available for some Certificates.) See below for export options. New Proxy Certificate: Generate a new Proxy Certificate from a Domain Certificate. This action will only be available for Certificates marked as CA Certificates. Proxy Certificates: Search for all Proxy Certificates generated from this Certificate. The results will be shown in the Certificate Search Results. Reload Private Key: Attempt to re-synchronize the Private Key for this Certificate with the Encryption Provider. Go To Private Key: Find the related Key in the Private Keys node. Delete: Delete this certificate. Deleting the Certificate does not affect the Private Key. Warning Before deleting a Certificate ensure that no Secure Rules use it (i.e. it is not required for decryption or signing of messages). Checking Imported Certificates A certificate contains the encryption key for the related addresses. If the wrong certificate is installed, encryption may not function correctly and security may be broken. To check that the correct certificate is installed, compare the thumbprint of the certificate against the thumbprint of the certificate installed at the other site. In the MailMarshal Certificate Manager, select the certificate to be checked then click View Details. Two versions of the thumbprint, SHA1 and MD5, are given if available. Confirm the thumbprint string with the administrator or user at the other site. Perform this action for both sites' certificates. 26 User Guide

37 Exporting Certificates To export a Certificate (for backup or to exchange with another site), right click on a Certificate and select Export to use the Export Certificate Wizard. The first page of the wizard gives several important notes and warnings. Click Next to continue. In the next page (Format), select a file format for the export. X.509 format can be used for single certificates without private keys. PKCS#7 format can be used for multiple certificates or chains of certificates. PKCS #12 format can be used to export certificates with their associated private keys (if the keys are exportable), including chains of certificates. Note Private keys should only be exported for backup or other defined need. They should not be sent to ordinary encryption partners. Keep PKCS #12 Certificates and their passwords in separate secure locations. In the next page (Details), check Base64 Encoding to export the certificate in plain text format. This format may be required by some other software. To include all certificates in the chain of trust (PKCS#7 and PKCS#12 format only), check the box Include all certificates in certification path. Use this option to ensure that your encryption partner has everything they need to verify the trust of your certificate. If you selected PKCS #12 format, enter (and confirm) a password for the certificate. This should be a long, non-obvious password. Chapter 3 Certificates 27

38 In the next page (Details), check Base64 Encoding to export the certificate in plain text format. This format may be required by some other software. To include all certificates in the chain of trust (PKCS#7 and PKCS#12 format only), check the box Include all certificates in certification path. Use this option to ensure that your encryption partner has everything they need to verify the trust of your certificate. If you selected PKCS #12 format, enter (and confirm) a password for the certificate. This should be a long, non-obvious password. In the final page of the wizard, information on the certificate to be exported appears in the lower pane. Enter or browse to a file location and name. Click OK to export the certificate. 28 User Guide

39 Certificate Search To search for a particular certificate or for all certificates with a certain expiry date, rightclick on the Certificates node then select Find to see the Search for Certificates dialog. If a certificate with a particular issuer is selected, the search will be limited to Certificates with that issuer. Note All entries on all tabs of this dialog are optional; however at least one choice must be made for any results to be returned. When all conditions have been entered, click OK to begin the search. Results will be shown in the Certificate Search Results node (shown in the right pane of the Configurator). Chapter 3 Certificates 29

40 Main Subject Contains: Fields in the Subject area of the certificate will be searched for this string. (This will include the issuer, common name, and other detail fields.) The wildcards * and? may be used. Address: Complete addresses (as visible on the General tab of Certificate Properties) will be searched for using this string. The wildcards * and? may be used. Expiry date and time (optional): (use the pull-down and spin boxes to change the entries). Typically this option will be used to find certificates nearing expiry. Conditions Select the desired attributes of the certificate to search for by checking the boxes. Where detailed information must be entered, click the red hyperlinks in the lower pane to enter it. Trust Type: choose the trust types to search for using the Trust Types dialog. Private Key: select this option to limit the search to certificates which have a Private Key. Self Signed: select this option to limit the search to certificates which are Self Signed. Certificate Authority: select this option to limit the search to certificates which are signed by a Certificate Authority (including MailMarshal self-signed CA certificates). Proxy: select this option to limit the search to Proxy Certificates (individual address certificates created from a Domain Certificate). Folder: choose the folders to search in using the Select Folder dialog. 30 User Guide

41 Status Limit the certificates to search for by checking any of the boxes. To choose to search on the presence or absence of the attribute, click the red hyperlinks in the lower pane to use the Certificate Status dialog. Valid: choose to limit the search to valid or invalid certificates. Trusted: choose to limit the search to trusted or untrusted certificates. Verified: choose to limit the search to verified or unverified certificates. Revoked: choose to limit the search to revoked or unrevoked certificates. Missing CRL: choose to limit the search to certificates which have (or are missing) a CRL. Missing Issuer: choose to limit the search to certificates without (or with) a named issuer. CRL Expired: choose to limit the search to certificates whose Certificate Revocation List has expired (or not expired). CRL Distribution Point: choose to limit the search to certificates which have or lack a CRL Distribution Point. Trust Search Options This dialog allows the Certificate search results to be limited to Certificates with particular trust characteristics. Select one or more trust types by checking the appropriate boxes. Trusted: certificates which are marked as implicitly or always trusted. Not Trusted: certificates which are marked as never trusted, or implicitly not trusted. Inherited: certificates which have been set to inherit their trust level from a chain of trust (intermediate and/or root certificates). Chapter 3 Certificates 31

42 Certificate Properties General Usage This dialog has four tabs which allow many properties of a Certificate to be viewed and edited. The issuer and validity dates, type and status, and location of the Certificate are shown. A list of the addresses for which the Certificate can be used is given. If the Certificate is used for domain encryption or signing, a domain address will be shown in the list. If permitted by the Security Policies, this list can be edited. Click Add to add a new address to the list. Double-click any address to edit it. Highlight an address and click Delete to remove it. Addresses which cannot be edited (because they are permanently encoded in the Certificate) are indicated by a no writing icon. Use the arrow to the right of the field to enter the local part of a domain address. This tab shows several parameters which affect the purposes for which the Certificate may be used. Trust View or choose the level of trust for the certificate. Note that the trust level for some individual and domain certificates may depend on the level of trust granted to intermediate certificates. Always Trusted allows the certificate to be used for encryption or signing of messages (subject to the expiry or revocation of the certificate). Never Trusted will cause messages related to this certificate to be rejected. Inherits Trust from Issuer (only available for CA issued certificates) bases the trust level on the trust for the root or intermediate certificate to which this certificate is chained. 32 User Guide

43 Preferred Use Check the appropriate boxes to indicate whether the certificate is preferred for encryption and/or signing purposes. Note If the preferred certificate is not usable (e.g. because it is out of date or revoked), another certificate for the same domain will be used, if available. This may cause an encrypted message to be undecryptable if the recipient does not have the appropriate key. For Messages Signed Choose whether to leave or remove a signature based on this key when it is found on incoming . Typically the signature will be removed in gateway to gateway encryption situations (since MailMarshal has verified it). The signature should be left in desktop to desktop encryption situations so it can be verified by the client software. Certificate Details This tab of Certificate Properties shows detailed information about the certificate. Select any item on the top pane to see details in the bottom pane. Certification Path The upper pane of this tab shows the chain of trust through which this certificate is issued. The chain may include intermediate and root certificates from a Certificate Authority, as well as the certificate itself. For instance, MailMarshal Proxy Certificates are chained to the appropriate Domain Certificate. If other certificates appear in the chain of trust, select one and click Properties to view its details in a new Certificate Properties dialog. Chapter 3 Certificates 33

44 Proxy Certificates A Proxy Certificate is a S/MIME Security Certificate for a specific user in a domain which has a Domain Certificate. These certificates may be used in desktop-to-desktop encryption for the specific user. A Proxy Certificate can be generated from any Domain Certificate which is marked as a CA Certificate. See the information on Secure Rule Actions for uses of Proxy Certificates. Note MailMarshal Secure will generate Proxy Certificates on the fly and retain them for future use. It is not normally necessary to create Proxy Certificates manually. Proxy Certificates require a specific Domain Certificate for each domain supported. New Proxy Certificate In order to be used to create a Proxy Certificate, the parent Certificate must be marked as a CA certificate and must contain one of the domain addresses for the domain. Enter an user name to be used as the subject of this Certificate and click OK. The Proxy Certificate will be placed in the Certificate folder Proxy Certificates (which will be created if necessary). The error Invalid ascendant address indicates that the parent Certificate is not a valid domain Certificate for the address entered. Domain Address In order for a Certificate to be fully usable for Domain Encryption, Domain Signing, and creation of Proxy Certificates, it must have a special subject . The three acceptable addresses for these purposes are: 34 User Guide

45 Note When adding or editing an address, use the arrow to the right of the field to enter the local part of a domain address. Add the appropriate domain portion. Within MailMarshal's Certificate dialogs, the local part of these addresses may also be entered in abbreviated form as <dca>, <dsa>, and <ra>. MailMarshal will use these shorthand versions of the addresses when displaying the Certificate in the main Configurator view. The full addresses are shown in the Certificate Properties dialog. If a Domain Certificate has been created without a suitable address, it may be possible to add the address later. See Certificate Properties on page 32. Chapter 3 Certificates 35

46 36 User Guide

47 Chapter 4 Private Keys This node of the Configurator shows all Private Keys which have been created or imported in MailMarshal, and other keys found in the Cryptographic Service Provider. Private Keys are used to sign and decrypt . IMPORTANT The security of your encrypted depends on keeping Private Keys secure. Backing Up Keys This is very important. Keep a copy of all Private Keys and the associated Certificates. Export a Private Key to a file by right-clicking on it then clicking Export. The exported information should be kept securely (e.g. on a floppy disk in a safe). The file password should be kept in a separate secure location. Note By default MailMarshal creates Private Keys marked non-exportable (for security reasons). When a non-exportable key is created by MailMarshal, you are given the option to make a backup immediately after creating the Key. There is no other opportunity to back up non-exportable keys. The choice to create exportable Private Keys is made on the Security Properties dialog reached from the Secure tab of Server Properties. Chapter 4 Private Keys 37

48 Private Keys Tasks A Key shown in red indicates that the Key is not validly present in the current Cryptographic Provider. A key shown in blue indicates that the Key is present in the Cryptographic Provider but is used only by other applications and not by MailMarshal. (These Keys are available for use by MailMarshal.) Double-click any key in the right pane (or in a sub-node) to see a list of all Certificates which use this key. Right-click on the node then choose New > Private Key to open the Create Key dialog. Choose Import to import a Key created elsewhere. Right-click on any private key to select from the following options: Properties: See detailed information about this Key. New > Certificate: Create a certificate using this Key. Delete: Delete the Key. Warning Deleting a private key will render any Certificates based on it useless. MailMarshal will raise a warning if any Certificates depend on the Key. Export Private Key This dialog is used to export Private Key information to a file. The file may be used as a backup. There is normally no reason to share this file with anyone inside or outside the organization. Select a location and name for the export file. Enter a password (used to import the file). 38 User Guide

49 The exported information should be kept securely (e.g. on a floppy disk in a safe). The file password should be kept in a separate secure location. Note For security reasons, MailMarshal creates Private Keys marked non-exportable by default. When a non-exportable key is created by MailMarshal, you have the option to make a backup immediately after creating the Key. There is no other opportunity to back up non-exportable keys. The choice to create exportable Private Keys is made on the Security Properties dialog reached from the Secure tab of Server Properties. Create Key Use this dialog to create a new Private Key for use with S/MIME Certificates (See Below). A unique name is provided. You may edit it but for clarity it should not be the same as any other Private Key name in the database. Select a key size from the list. Larger keys are more secure in general, but may cause compatibility problems. Enter a description for the key if desired. The checkbox Key is not exportable controls whether the Key can be exported to a file later. If the Security Policies allow exportable private keys, this box will be enabled so that you can chose whether to make the key exportable. If the Security Policies do not allow exportable private keys, this box will be disabled and the new key will not be exportable. Chapter 4 Private Keys 39