iOS IV: Use S/MIME Signing and Encryption
Prerequisites
- Supported Server Operating Systems
- Certificate Authority is installed on Windows Server 2008 R2
- Certificate Authority is installed on Windows Server 2012
- Certificate Authority is installed on Windows Server 2016
- Certification Authority Server needs the following configured roles
- Certification Authority
- Certification Authority Web Enrollment
- HTTPS configured for the Certification Authority Web Enrollment site (IIS binding on the Default Web Site)
- Certification Authority and Silverback Server are joined to the same Active Directory Domain
- When a Cloud Connector is used to connect to a cloud-based environment, it is the Cloud Connector computer object that needs to be domain-joined
- Service Account for publishing certificates into Active Directory User Object
- Silverback Computer Object is added to the Silverback Mobile Device Manager and Silverback Enterprise Device Management group
- Please refer to Installation Guide I: System Requirements
- An enrolled iOS device
Certificate Authority
- Log into your Certification Authority server
Create Enrollment Agent Certificate Template
You may already have created the Enrollment Agent Certificate Template during the previous guide; if so, continue with Create User Certificate Template.
- Open the Certification Authority MMC snap-in.
- Choose from Server Manager > Tools > Certification Authority
- Or run (Windows + R) MMC > Add/Remove Snap-In > Certification Authority > Add > Local Computer
- Expand the console tree on the left until the Certificate Templates node is visible
- Right Click Certificate Templates
- Click Manage
- Right Click Enrollment Agent in the middle pane
- Click Duplicate Template
- When Certificate Authority is running on Windows Server 2008 R2 you will be prompted to select the version
- Select Windows Server 2003 Enterprise
- Click OK
General
- Navigate to General
- Enter as Template Display Name: Silverback Enrollment Agent
- Enter as Template name: SilverbackEnrollmentAgent (will be filled automatically)
Request Handling
- Now navigate to Request Handling
- Make sure that the configuration will be the following:
- Purpose: Signature and encryption
- Click Yes when prompted to confirm that you want to change the certificate purpose
- Include symmetric algorithms allowed by the subject: Enabled
- Allow private key to be exported: Enabled
- Select Enroll subject without requiring any user input
Subject Name
- Navigate to Subject Name
- Ensure the following values are configured:
- Built from this Active Directory information: Enabled
- Subject Name is set to Fully distinguished name
- User principal name (UPN): Enabled
Security
- Navigate to Security
- Click Add
- Enter the service account you want to use in "Enter the object names to select"
- Click Check Names
- Select the service account that you want to use
- Click OK
- Allow Read and Enroll Permissions
- Click OK to finish Template Configuration
Create User Certificate Template
- Right Click User in the middle pane
- Click Duplicate Template
- When Certificate Authority is running on Windows Server 2008 R2 you will be prompted to select the Template version
- Select Windows Server 2003 Enterprise
- Click OK
General
- Navigate to General
- Enter as Template Display Name: Silverback User
- Enter as Template name: SilverbackUser (will be filled automatically)
- Uncheck Publish certificate in Active Directory
Request Handling
- Navigate to Request Handling
- Make sure that the configuration will be the following:
- Purpose: Signature and encryption
- Include symmetric algorithms allowed by the subject: Enabled
- Allow private key to be exported: Enabled
- Select Enroll subject without requiring any user input
Subject Name
- Navigate to Subject Name
- Enable Supply in the request
- Click OK to confirm
Issuance Requirements
- Navigate to Issuance Requirements
- Ensure that CA certificate manager approval is unchecked
Extensions
- Navigate to Extensions
- Select Application Policies
- Click Edit
- Select Encrypting File System
- Click Remove
- Click OK
Client Authentication (1.3.6.1.5.5.7.3.2) and Secure Email (1.3.6.1.5.5.7.3.4) must remain in the list
Security
- Navigate to Security
- Select Authenticated Users
- Enable Read and Enroll Permissions
- Click Add
- Enter in the "Enter the object names to select": Silverback
- Click Check Names
- Select Silverback Enterprise Device Management
- Click Ok
- Enable Read and Enroll Permissions
- Click OK to finish the template configuration
Create Signing Certificate Template
- Right Click Exchange Signature Only in the middle pane
- Click Duplicate Template
- When Certificate Authority is running on Windows Server 2008 R2 you will be prompted to select the Template version
- Select Windows Server 2003 Enterprise
- Click OK
General
- Navigate to General
- Enter as Template Display Name: Silverback SMIME Signing
- Enter as Template name: SilverbackSMIMESigning (will be filled automatically)
- Enabled Publish certificate in Active Directory
Request Handling
- Navigate to Request Handling
- Make sure that the configuration will be the following:
- Purpose: Signature
- Allow private key to be exported: Enabled
- Select Enroll subject without requiring any user input
Subject Name
- Navigate to Subject Name
- Enable Supply in the request
- Click OK to confirm
Issuance Requirements
- Navigate to Issuance Requirements
- Enable This number of authorized signatures and keep default value 1
- Change Application policy to Certificate Request Agent
Security
- Navigate to Security
- Select Authenticated Users
- Enable Read and Enroll Permissions
- Click Add
- Enter in the "Enter the object names to select": Silverback
- Click Check Names
- Select Silverback Enterprise Device Management
- Click Ok
- Enable Read and Enroll Permissions
- Click OK to finish the template configuration
Create Encryption Certificate Template
- Right Click Exchange User in the middle pane
- Click Duplicate Template
- When Certificate Authority is running on Windows Server 2008 R2 you will be prompted to select the Template version
- Select Windows Server 2003 Enterprise
- Click OK
General
- Navigate to General
- Enter as Template Display Name: Silverback SMIME Encryption
- Enter as Template name: SilverbackSMIMEEncryption (will be filled automatically)
- Enabled Publish certificate in Active Directory
Request Handling
- Navigate to Request Handling
- Make sure that the configuration will be the following:
- Purpose: Encryption
- Include symmetric algorithms allowed by the subject: Enabled
- Allow private key to be exported: Enabled
- Select Enroll subject without requiring any user input
Subject Name
- Navigate to Subject Name
- Enable Supply in the request
- Click OK to confirm
Issuance Requirements
- Navigate to Issuance Requirements
- Enable This number of authorized signatures and keep default value 1
- Change Application policy to Certificate Request Agent
Security
- Navigate to Security
- Select Authenticated Users
- Enable Read and Enroll Permissions
- Click Add
- Enter in the "Enter the object names to select": Silverback
- Click Check Names
- Select Silverback Enterprise Device Management
- Click Ok
- Enable Read and Enroll Permissions
- Click OK to finish the template configuration
Issue Certificate Templates
- Navigate to Certification Authority window
- Right Click Certificate Templates
- Select New
- Click Certificate Template to Issue
- Select Silverback Enrollment Agent
- Click OK
- Right Click Certificate Templates
- Select New
- Click Certificate Template to Issue
- Select Silverback User
- Click OK
- Right Click Certificate Templates
- Select New
- Click Certificate Template to Issue
- Select Silverback SMIME Signing
- Click OK
- Right Click Certificate Templates
- Select New
- Click Certificate Template to Issue
- Select Silverback SMIME Encryption
- Click OK
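Before moving on to the enrollment agent request, it is worth confirming that the four templates were saved with the settings above, because several of them are security-sensitive: the Silverback User template lets the requester supply the subject name and carries the Client Authentication EKU with neither manager approval nor an agent signature, which means every principal with Enroll permission on it can obtain a logon-capable certificate for any UPN. The guide grants Authenticated Users Enroll on that template; since the only requester you should later see for it in Issued Certificates is the Silverback computer account, keep that permission as narrow as your Silverback deployment allows (the Silverback Enterprise Device Management group at minimum). The following PowerShell script is an added check and is not part of the Silverback guide or product: it reads the template objects from the Configuration partition via ADSI (no RSAT module needed), prints the relevant flags, lists who holds the Certificate-Enrollment extended right on each, and warns on the combination just described. It assumes a domain-joined machine, a domain user and the template names used in this guide.

```powershell
# Added example (not from the Silverback guide): audit the four templates created above.
# Assumes a domain-joined machine and a domain user; template names are the ones used in this guide.
$templateNames = @('SilverbackEnrollmentAgent', 'SilverbackUser',
                   'SilverbackSMIMESigning', 'SilverbackSMIMEEncryption')

# Flag bits of the msPKI-* template attributes (MS-CRTD)
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1    # msPKI-Certificate-Name-Flag: "Supply in the request"
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2    # msPKI-Enrollment-Flag: "CA certificate manager approval"
$CT_FLAG_PUBLISH_TO_DS             = 0x8    # msPKI-Enrollment-Flag: "Publish certificate in Active Directory"
$CT_FLAG_EXPORTABLE_KEY            = 0x10   # msPKI-Private-Key-Flag: "Allow private key to be exported"

$oidClientAuth   = '1.3.6.1.5.5.7.3.2'
$oidSecureEmail  = '1.3.6.1.5.5.7.3.4'
$oidEfs          = '1.3.6.1.4.1.311.10.3.4'
$oidRequestAgent = '1.3.6.1.4.1.311.20.2.1'
$enrollRight     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right

function Get-IntProp($props, $name) {
    if ($props[$name].Count -gt 0) { [int]$props[$name][0] } else { 0 }
}

$configNC    = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$templatesDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNC"
$searcher    = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$templatesDn")

foreach ($name in $templateNames) {
    $searcher.Filter = "(&(objectClass=pKICertificateTemplate)(cn=$name))"
    $result = $searcher.FindOne()
    if (-not $result) { Write-Warning "Template $name not found under $templatesDn"; continue }
    $p = $result.Properties

    $nameFlag   = Get-IntProp $p 'mspki-certificate-name-flag'
    $enrollFlag = Get-IntProp $p 'mspki-enrollment-flag'
    $keyFlag    = Get-IntProp $p 'mspki-private-key-flag'
    $raSigs     = Get-IntProp $p 'mspki-ra-signature'
    $raPolicies = @($p['mspki-ra-application-policies'])
    $ekus       = @($p['pkiextendedkeyusage'])

    # Principals holding an Allow ACE for the Certificate-Enrollment extended right
    $entry = $result.GetDirectoryEntry()
    $enrollers = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $_.ObjectType -eq $enrollRight } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    $supplySubject   = ($nameFlag   -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $managerApproval = ($enrollFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0

    [pscustomobject]@{
        Template        = $name
        SupplyInRequest = $supplySubject
        ManagerApproval = $managerApproval
        PublishToAD     = (($enrollFlag -band $CT_FLAG_PUBLISH_TO_DS) -ne 0)
        ExportableKey   = (($keyFlag -band $CT_FLAG_EXPORTABLE_KEY) -ne 0)
        AgentSignatures = $raSigs
        AgentPolicyOK   = (($raSigs -eq 0) -or ($raPolicies -contains $oidRequestAgent))
        ClientAuth      = ($ekus -contains $oidClientAuth)
        SecureEmail     = ($ekus -contains $oidSecureEmail)
        EfsStillPresent = ($ekus -contains $oidEfs)
        Enrollers       = ($enrollers -join '; ')
    }

    # Requester-chosen subject + Client Authentication, with no approval and no agent
    # signature, gives every principal in Enrollers a logon certificate for any UPN.
    if ($supplySubject -and -not $managerApproval -and ($raSigs -eq 0) -and ($ekus -contains $oidClientAuth)) {
        Write-Warning "$name: requester-supplied subject with Client Authentication and no approval or agent signature; keep Enroll limited to the Silverback computer group"
    }
}
```

Expected outcome for the templates as configured above: SilverbackUser shows SupplyInRequest and ClientAuth true with AgentSignatures 0 (and triggers the warning), the two S/MIME templates show AgentSignatures 1 with AgentPolicyOK true, EfsStillPresent is false everywhere, and the Enrollment Agent template lists only the service account under Enrollers.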
Create Enrollment Agent Certificate Request
- Log in to your Silverback or Cloud Connector server as a local administrator (not with an Active Directory domain account)
- Open Internet Explorer
- Enter URL for the Certification Authority Web Enrollment web site
- Click Continue to this website
- Login with your Service Account
If no login prompt appears, you are probably logged in with an Active Directory domain account
- Click Request a certificate
- Click advanced certificate request
- Click Create and submit a request to this CA
- When Certificate Authority is running on Windows Server 2008 R2 you may not see this action and are redirected directly to Submit a Certificate Request or Renewal Request
- In that case open Compatibility View Settings in Internet Explorer
- Click Add to add your domain (e.g. imagoverum.com) and close the window
- Navigate back to the Request a certificate step and try again (refresh the browser if necessary)
- After clicking Create and submit a request to this CA you should receive a Web Access Confirmation pop-up
- If you don't see it and the CSP list keeps loading, open Internet Options
- Navigate to Security
- Select Trusted Sites
- Click Sites
- Click Add (your Certification Authority URL should be filled in automatically, e.g. ca.imagoverum.com)
- Click Close
- Click OK
- Refresh the page; you should now see the pop-up
- Click Yes
- Change Certificate Template to Silverback Enrollment Agent
- Click Submit
- Click Yes
Install Certificate
- Click Install this certificate
- Your new certificate should be successfully installed
Export Certificate from Current User
- Right click Windows Icon in taskbar
- Click Run
- Enter certmgr.msc
- Click OK or press enter
- Expand Personal
- Expand Certificates
- Right Click the installed certificate
- Click All Tasks
- Click Export
- Click Next
- Click Yes, export the private key
- Click Next
- Uncheck Include all certificates in the certification path if possible
- Click Next
- Enable Password
- Enter a Password
- Confirm Password
- Click Next
- Click Browse
- Choose your location and save it as a *.pfx file
- Click Next
- Click Finish
- Click OK
Import Certificate to Local Computer
- Login to your Silverback or Cloud Connector server as a Domain Administrator
- Right click Windows Icon in taskbar
- Click Run
- Enter certlm.msc
- Click OK or press enter
- Expand Personal
- Expand Certificates
- Perform a right click in the right pane
- Select All Tasks
- Select Import
- Click Next
- Click Browse
- Select your *.pfx file
- Change the file type filter to All Files (*.*) if the .pfx file is not listed
- Click Open
- Click Next
- Enter your created password
- Enable Mark this key as exportable
- Click Next
- Ensure that Personal is selected
- Click Next
- Click Finish
- Click OK
Add Permission
- Right click the new imported enrollment agent certificate
- Select All Tasks
- Select Manage Private Keys
- Click Add
- Enter network service
- Click Check Names
- Select Network Service
- Click OK
- Click OK
- Ensure that only Read is allowed
- Uncheck Full control
- Click Apply
- Click OK
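The enrollment agent key is the most sensitive object in this setup: whoever can use it can have the CA issue S/MIME certificates on behalf of any user, so it should exist only in the machine store, be readable only by the account that runs Silverback, and not expire unnoticed. As an added check that is not part of the Silverback guide or product, the following PowerShell script, run in an elevated session on the Silverback or Cloud Connector server, locates the agent certificate in LocalMachine\My by its Certificate Request Agent EKU, prints the thumbprint (the value you will paste into Silverback when using a Cloud Connector), and inspects the ACL on the private key file, which is what Manage Private Keys edits. It assumes the key is a CSP (CAPI) key, which is what the Windows Server 2003-version template created above produces; CNG keys are reported and skipped.

```powershell
# Added example (not from the Silverback guide): verify the imported Enrollment Agent
# certificate and the ACL on its private key. Run in an elevated PowerShell on the
# Silverback or Cloud Connector server. Assumes a CSP (CAPI) key; CNG keys are skipped.
$oidRequestAgent = '1.3.6.1.4.1.311.20.2.1'
$networkService  = 'NT AUTHORITY\NETWORK SERVICE'
$fullControl     = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$readRights      = [int][System.Security.AccessControl.FileSystemRights]::Read

$agentCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $oidRequestAgent }
if (-not $agentCerts) { throw "No certificate with the Certificate Request Agent EKU in LocalMachine\My" }

foreach ($cert in $agentCerts) {
    "Subject    : $($cert.Subject)"
    "Issuer     : $($cert.Issuer)"
    "Thumbprint : $($cert.Thumbprint)"     # value to paste into Silverback when using a Cloud Connector
    "Expires    : $($cert.NotAfter)"
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Agent certificate expires within 30 days; certificate issuance stops when it does"
    }
    if (-not $cert.HasPrivateKey) {
        Write-Warning "No private key attached; re-import the .pfx including its key"; continue
    }

    # Machine-store CSP keys are files under MachineKeys; their file ACL is what
    # "Manage Private Keys" edits.
    $container = $null
    try { $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } catch { }
    if (-not $container) {
        Write-Warning "Key is a CNG key; inspect its ACL via Manage Private Keys"; continue
    }
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
    $acl = Get-Acl -Path $keyFile

    $nsRights = 0
    foreach ($ace in $acl.Access) {
        "  {0,-45} {1,-6} {2}" -f $ace.IdentityReference.Value, $ace.AccessControlType, $ace.FileSystemRights
        if ($ace.IdentityReference.Value -eq $networkService -and $ace.AccessControlType -eq 'Allow') {
            $nsRights = $nsRights -bor [int]$ace.FileSystemRights
        }
    }
    if (($nsRights -band $readRights) -ne $readRights) {
        Write-Warning "NETWORK SERVICE cannot read the key; Silverback will not be able to sign requests"
    } elseif (($nsRights -band $fullControl) -eq $fullControl) {
        Write-Warning "NETWORK SERVICE has Full Control; reduce it to Read as described above"
    } else {
        "  NETWORK SERVICE has read access only: OK"
    }
}
```

Once the import is verified, delete the exported .pfx file and the copy of the certificate left in the local administrator's user store (certmgr.msc), so that the only usable copy of the agent key is the one in the machine store. Any ACE for accounts other than SYSTEM, the local Administrators group and NETWORK SERVICE in the listing above should be questioned.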
Silverback
Add Certification Authority
- Open your Silverback Management Console
- Log in as a Settings Administrator
- Navigate to Certificates
- Under Certificate Deployment enable Individual Client
- Enter your Certification Authority as CA host name\CA common name, e.g.:
- ca.imagoverum.com\domain-server-CA
Add Templates and Subject Names
- Under Templates add your previously issued User Certificate Template
- e.g. SilverbackUser
- Under S/MIME Settings add the following:
- Encryption Template Name: SilverbackSMIMEEncryption
- Encryption Certificate Subject Name: Use e.g. u_{firstname}.{lastname}_Encrypt
- Signing Template Name: SilverbackSMIMESigning
- Signing Certificate Subject Name: Use e.g. u_{firstname}.{lastname}_Signing
- Agent Certificate: Select from the drop down list the previously created Enrollment Agent Certificate
- Or if you are running with a Cloud Connector, paste the thumbprint manually: e.g. d17843663fbaa87f49c4e97cd860867efc2c20b6
- Click Save
- Confirm with OK
From now on, Silverback generates certificates for every assigned Exchange ActiveSync profile
Restart IIS
- Run PowerShell with elevated privileges
- Run the following command:
- restart-service w3svc,silv*,epic*,mat*
Change User
- Log out as the Settings Administrator
- Log in as Administrator
Certificate Trusts
Create a new Certificate Trust Tag
- Navigate to Tags
- Click New Tag
- Name it e.g. iOS Certificate Trusts
- Enter as description e.g. Certificate Trusts for S/MIME (optional)
- Enable Profile under Enabled Features
- Enable your desired devices, e.g. iPhone or iPad
- Click Save
Create Certificate Trust Profile
- Navigate to Profile
- Navigate to Exchange Certificate Trusts
- Add all your required Root and Intermediate Certificates
- Navigate to Definition
- Click Associated Devices
- Click Attach More Devices
- Select your enrolled devices
- Click Attach Selected Devices
- Click OK
- Click Close
- Click Push to devices
- Click OK
Check Device
- On your device open Settings
- Navigate to General
- Navigate to Profiles & Device Management
- Select Silverback MDM Profile
- Select More Details
- Check under Certificates if your Certificate Trust certificates are listed
Exchange Active Sync
Create a new Exchange ActiveSync Tag
- Navigate to Tags
- Click New Tag
- Name it e.g. iOS Exchange ActiveSync
- Enter as description e.g. Exchange with certificate based authentication and S/MIME (optional)
- Enable Profile under Enabled Features
- Enable your desired device, e.g. iPhone or iPad
- Click Save
Create Exchange ActiveSync Profile
- Navigate to Profile
- Navigate to Exchange ActiveSync
- Click New Profile
- Enter a Label Name: e.g. Imagoverum Exchange
- Enter a Server Name: e.g. mail.imagoverum.com
- Enable Certificate Distribution for signing certificates with the following settings:
- Enable S/MIME Signing and/or
- Allow user to enable or disable S/MIME signing
- Enable Certificate Distribution for encryption certificates with the following settings:
- Enable S/MIME encryption by default and/or
- Allow user to enable or disable S/MIME encryption
- Configure Additional S/MIME Settings
- Configure Additional Settings
- Click Save
- Click OK
- Navigate to Definition
- Click Associated Devices
- Click Attach More Devices
- Select your enrolled devices
- Click Attach Selected Devices
- Click OK
- Click Close
- Click Push to devices
- Click OK
Check Device
- On your device open Settings
- Navigate to General
- Navigate to Profiles & Device Management
- Select Silverback MDM Profile
- Select More Details
- You should now see two new certificates
- e.g. u_Tim.Tober_Encrypt
- e.g. u_Tim.Tober_Signing
- Tap Profile at the top
- Navigate to Accounts
- Your previously created Exchange account should be listed
- Tap the account
- Check your configured S/MIME settings
- Open Mail
- You should be logged in automatically and start receiving emails
Check Certification Authority
- Go back to your Certification Authority
- Navigate to Issued Certificates
- Right click and click refresh
- First, you should now see a newly issued certificate with the requester name Domain\Silverback$ and the SilverbackUser template
- Second, a newly issued certificate with the requester name of the user (e.g. tim.tober) and the Silverback SMIME Encryption template
- Third, a newly issued certificate with the requester name of the user (e.g. tim.tober) and the Silverback SMIME Signing template
Check Active Directory
- Open Active Directory User and Computers
- Open your corresponding User Object
- Navigate to Published Certificates
- Here you should see 2 new certificates
- As an alternative navigate to Attribute Editor
- Scroll down to userCertificate
- Click Edit
- Here the new certificates are stored as DER-encoded binary values (displayed as hex); they contain only the public certificates, nothing is encrypted
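Published Certificates only shows subject and issuer, and the hex in Attribute Editor shows nothing at all, so the following PowerShell script is an added check (not part of the Silverback guide or product) that decodes every value of userCertificate on the user object and prints what matters for S/MIME: the template the certificate came from, its key usage (the signing certificate should carry digitalSignature, the encryption certificate keyEncipherment), the Secure Email EKU, and whether the Subject Alternative Name contains the user's mailbox address as an RFC822 name, which is what mail clients use to match a certificate to a sender or recipient. It uses ADSI so the ActiveDirectory RSAT module is not needed; the user name tim.tober and the domain in the certutil line are the sample values from this guide and must be replaced.

```powershell
# Added example (not from the Silverback guide): decode the certificates published on a
# user object. Assumes a domain-joined machine; $sam is the sample user from this guide.
$sam            = 'tim.tober'                  # assumed sample user, replace with yours
$oidTemplateV2  = '1.3.6.1.4.1.311.21.7'       # Certificate Template Information (v2+ templates)
$oidTemplateV1  = '1.3.6.1.4.1.311.20.2'       # Certificate Template Name (v1 templates)
$oidSan         = '2.5.29.17'
$oidSecureEmail = '1.3.6.1.5.5.7.3.4'

$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]'')   # current domain root
$searcher.Filter = "(&(objectClass=user)(sAMAccountName=$sam))"
[void]$searcher.PropertiesToLoad.AddRange(@('mail', 'userPrincipalName', 'userCertificate'))
$user = $searcher.FindOne()
if (-not $user) { throw "User $sam not found" }

$mail  = [string]$user.Properties['mail'][0]
$blobs = @($user.Properties['usercertificate'])
"User $sam ($mail): $($blobs.Count) certificate(s) in userCertificate"
if ($blobs.Count -lt 2) { Write-Warning "Expected at least the S/MIME signing and encryption certificates" }

foreach ($blob in $blobs) {
    # Each value is a DER-encoded X.509 certificate (public part only)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$blob)

    $template = $cert.Extensions | Where-Object { $_.Oid.Value -in @($oidTemplateV2, $oidTemplateV1) } |
                ForEach-Object { $_.Format($false) }
    $san      = ($cert.Extensions | Where-Object { $_.Oid.Value -eq $oidSan } |
                ForEach-Object { $_.Format($false) }) -join ' '
    $keyUsage = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
                ForEach-Object { $_.KeyUsages }
    $ekus     = @($cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })

    [pscustomobject]@{
        Subject     = $cert.Subject
        Template    = ($template -join ' ')
        KeyUsage    = "$keyUsage"
        SecureEmail = ($ekus -contains $oidSecureEmail)
        SAN         = $san
        NotAfter    = $cert.NotAfter
        Thumbprint  = $cert.Thumbprint
    }

    if (-not ($ekus -contains $oidSecureEmail)) {
        Write-Warning "$($cert.Thumbprint): no Secure Email EKU; mail clients will not use it for S/MIME"
    }
    if ($mail -and ($san -notmatch [regex]::Escape($mail))) {
        Write-Warning "$($cert.Thumbprint): SAN does not contain the mailbox address $mail"
    }
}

# Cross-check against the CA database (adjust the CA config string and domain; IMAGOVERUM is assumed):
# certutil -config "ca.imagoverum.com\domain-server-CA" -view -restrict "Request.RequesterName=IMAGOVERUM\tim.tober" -out "RequestID,RequesterName,CertificateTemplate,NotAfter"
```

If more than two certificates are listed, older ones from previous profile pushes are still published; recipients who picked up an old encryption certificate will encrypt to a key the device may no longer hold, so publish only the current pair or revoke the superseded certificates on the CA.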
Exchange Certificates and Send Mails
- On your first device open Mail
- Create a new Message
- Enter the Email address of your S/MIME partner
- Ensure that the Mail will be unencrypted (Lock Symbol)
- Enter as Subject e.g. Signing Certificate Exchange
- Enter something as a Text
- Send the email to your S/MIME Partner
- On your S/MIME Partner Device
- Open the sent mail
- Tap the sender's name
- Select View Encryption Certificate
- Click Install
- Click Done
- Write a new mail to your S/MIME partner
- Enter the Email address of your S/MIME partner
- Ensure that the Mail will be unencrypted (Lock Symbol)
- Enter as Subject e.g. Signing Certificate Exchange
- Enter something as a Text
- Send the email to your S/MIME Partner
- On the first device
- Open the sent mail
- Tap the sender's name
- Select View Encryption Certificate
- Click Install
- Click Done
- Write a new mail to your S/MIME partner
- Enter the Email address of your S/MIME partner
- Ensure that the Mail will be encrypted this time (Lock Symbol)
- Enter as Subject e.g. Encrypted Message
- Enter as Text e.g. This is an encrypted message
- Send the email to your S/MIME Partner
- On your S/MIME Partner Device
- Open the new message
- You should be able to read the encrypted message
- Cross-check on any other device that does not hold the recipient's private key: there the message cannot be read.