Matrix42 Self-Service Help Center

Mail Gateway Integration X: User Based Certificate Authentication

Requirements

Import Root CA Certificate

  • Open certlm.msc on your Mail Gateway server
  • Expand Trusted Root Certificate Authorities
  • Right-Click Certificates
  • Select All Tasks
  • Select Import
  • Click Next
  • Click Browse
  • Select your Root CA Certificate
  • Click Next
  • Click Next
  • Click Finish
  • Confirm with Yes
  • Close with OK

Import Intermediate Certificate (Optional)

  • Expand Intermediate Root Certificate Authorities
  • Right-Click Certificates
  • Select All Tasks
  • Select Import
  • Click Next
  • Click Browse
  • Select your Intermediate CA Certificate
  • Click Next
  • Click Next
  • Click Finish
  • Confirm with Yes
  • Close with OK

Enable Certificate Authentication

SSL Settings

  • Open Internet Information Services (IIS) Manager
  • Expand your Server
  • Expand Sites
  • Click on Default Web Site
  • Double Click on SSL Settings
  • Enable Require SSL
  • Change Client certificate to Require
  • Click Apply
  • Restart IIS

Additional Steps for Windows Server 2022

  • Right Click Default Web Site
  • Click Edit Bindings
  • Double-click the https entry
  • Activate the Disable TLS 1.3 over TCP checkbox
  • Click OK
  • Click Close
  • Restart IIS
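The import of the CA certificates (Requirements) and the SSL Settings of the Default Web Site can also be done in one script. The following is an added example and not part of the Matrix42 article; the certificate file paths are assumed placeholders, and the Windows Server 2022 binding step (Disable TLS 1.3 over TCP) is still done as described above. The script reads the setting back after writing it, so a misapplied change is reported instead of going unnoticed.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Matrix42 article): import Root/Intermediate CA certificates
# and set "Require SSL" + "Client certificates: Require" on the Default Web Site.
Import-Module PKI
Import-Module WebAdministration

$rootCerFile         = 'C:\Certs\RootCA.cer'          # assumption: your Root CA certificate
$intermediateCerFile = 'C:\Certs\IntermediateCA.cer'  # assumption: optional Intermediate CA certificate
$siteName            = 'Default Web Site'

# Requirements: Trusted Root Certification Authorities store (Cert:\LocalMachine\Root)
$root = Import-Certificate -FilePath $rootCerFile -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Output "Imported root CA: $($root.Subject) [$($root.Thumbprint)]"

# Optional: Intermediate Certification Authorities store (Cert:\LocalMachine\CA)
if (Test-Path $intermediateCerFile) {
    $inter = Import-Certificate -FilePath $intermediateCerFile -CertStoreLocation 'Cert:\LocalMachine\CA'
    Write-Output "Imported intermediate CA: $($inter.Subject) [$($inter.Thumbprint)]"
}

# SSL Settings: IIS Manager stores "Require SSL" with client certificates set to
# "Require" as the flag combination Ssl, SslNegotiateCert, SslRequireCert.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Read the setting back and fail loudly if client certificates are not required
$access = Get-WebConfiguration -PSPath "IIS:\Sites\$siteName" -Filter 'system.webServer/security/access'
$flags  = [string]$access.sslFlags
if ($flags -notmatch 'SslRequireCert') {
    throw "Client certificates are not set to 'Require' on '$siteName' (sslFlags = '$flags')"
}
Write-Output "sslFlags on '$siteName': $flags"

# Restart IIS so the new settings are applied
iisreset
```

Run the script once on the Mail Gateway server from an elevated PowerShell prompt; the `Write-Output` lines give you the thumbprints you will need later when you decide which Trusted Root certificates to keep.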

Check Connection

  • Try to open the following URL from a workstation or from a mobile device
    • https://smg.imagoverum.com/Microsoft-Server-ActiveSync/HealthCheck.htm
  • You should be prompted for a certificate
  • Enroll a device and assign a Tag that distributes a certificate to the device
  • On the mobile device, try to open e.g.
    • https://smg.imagoverum.com/Microsoft-Server-ActiveSync/HealthCheck.htm
  • You should be prompted for a certificate
  • Select the user certificate
  • You should now see the same results as described in Mail Gateway Integration VI: Connection Check
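The check above can be scripted from a workstation so that both halves are verified: the gateway must refuse a request without a certificate and must serve the health check page with the user certificate. This is an added example and not part of the Matrix42 article; the hostname is the article's example host, and the thumbprint is an assumed placeholder for a user certificate in the workstation's personal store.

```powershell
# Added example (not from the Matrix42 article): verify that client certificate
# authentication is actually enforced on the ActiveSync health check URL.
$healthUrl  = 'https://smg.imagoverum.com/Microsoft-Server-ActiveSync/HealthCheck.htm'
$thumbprint = 'YOUR_USER_CERT_THUMBPRINT'   # assumption: user certificate distributed via Silverback

function Get-HttpStatus {
    param([string]$Url, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    try {
        if ($Certificate) {
            $r = Invoke-WebRequest -Uri $Url -Certificate $Certificate -UseBasicParsing
        } else {
            $r = Invoke-WebRequest -Uri $Url -UseBasicParsing
        }
        return [int]$r.StatusCode
    } catch {
        # Non-2xx answers arrive as an exception; a transport/TLS failure has no Response and yields 0
        return [int]$_.Exception.Response.StatusCode
    }
}

function Test-ClientCertEnforcement {
    param([string]$Url, [string]$Thumbprint)

    # 1) Without a certificate IIS must answer 403 (sub-status 403.7, client certificate required)
    $anonymousStatus = Get-HttpStatus -Url $Url

    # 2) With the user certificate the health check page must be served (200)
    $cert = Get-ChildItem "Cert:\CurrentUser\My\$Thumbprint" -ErrorAction Stop
    $authStatus = Get-HttpStatus -Url $Url -Certificate $cert

    [pscustomobject]@{
        Url                = $Url
        WithoutCertificate = $anonymousStatus
        WithCertificate    = $authStatus
        EnforcementOk      = ($anonymousStatus -eq 403 -and $authStatus -eq 200)
    }
}

$result = Test-ClientCertEnforcement -Url $healthUrl -Thumbprint $thumbprint
$result | Format-List
if (-not $result.EnforcementOk) {
    Write-Warning 'Certificate authentication is not enforced as expected; check the SSL Settings of the Default Web Site.'
}
```

A status of 200 without a certificate means the SSL Settings were not applied (client certificates are still Ignore or Accept); a 0 in either column points at a TLS-level problem such as a missing root certificate on the workstation rather than at the IIS configuration.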

Server Hardening

We have now set up an IIS reverse proxy with Microsoft on-board tools and have activated and checked certificate-based authentication. Now it is time to look at another important topic, server hardening, which we cover in the following chapters.

Remove Trusted Root Certificates

By default, IIS accepts any client certificate for authentication whose root and intermediate certificates are present in the certificate stores of the Windows server. As you most likely want only certificates from your own CA, which are distributed via Silverback, to be trusted, you only need to provide the necessary certificates and remove those that are not required. For this purpose, the following PowerShell script is a possible template that keeps two selected certificates as an example. Adjust the template and make sure to run the script as an administrator, because removing Trusted Root Certificates requires administrative privileges. Test the script in a safe environment before running it in production. Overall, the script performs the following steps:

  1. Define the thumbprints: This script starts by defining an array $thumbprintsToKeep containing the thumbprints of the certificates you want to keep. Replace "YOUR_FIRST_CERT_THUMBPRINT" and "YOUR_SECOND_CERT_THUMBPRINT" with the actual thumbprints of your certificates.
  2. Open the certificate store: The script opens the Trusted Root Certification Authorities store in read-write mode.
  3. Iterate over the certificates: The script loops through all certificates in the Trusted Root store.
  4. Remove certificates: It removes each certificate whose thumbprint is not in the $thumbprintsToKeep array.
  5. Close the certificate store: Finally, the script closes the certificate store.

#Requires -RunAsAdministrator
# Define the thumbprints of the certificates to keep
$thumbprintsToKeep = @(
    "YOUR_FIRST_CERT_THUMBPRINT",
    "YOUR_SECOND_CERT_THUMBPRINT"
    # Add more thumbprints as needed
)

# Open the Trusted Root Certification Authorities store
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store "Root", "LocalMachine"
$rootStore.Open("ReadWrite")
$certificates = $rootStore.Certificates

foreach ($cert in $certificates) {
    if ($thumbprintsToKeep -notcontains $cert.Thumbprint) {
        # Remove the certificate if its thumbprint is not in the list of thumbprints to keep
        Write-Output "Removing certificate: $($cert.Subject) with thumbprint $($cert.Thumbprint)"
        $rootStore.Remove($cert)
    } else {
        Write-Output "Keeping certificate: $($cert.Subject) with thumbprint $($cert.Thumbprint)"
    }
}

# Close the certificate store
$rootStore.Close()
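Before running the cleanup in production, a practitioner will want a dry run and a way back. The following variant of the script above is an added example and not part of the Matrix42 article: it derives the thumbprints to keep from the CA certificate files you imported (so a mistyped thumbprint cannot remove the wrong entry), exports every certificate it is about to remove to a backup folder, and supports -WhatIf. The file and folder paths are assumed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Matrix42 article): Trusted Root cleanup with
# backup of removed certificates and -WhatIf support.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$CaCertFiles = @('C:\Certs\RootCA.cer'),      # assumption: your own CA certificate file(s)
    [string]$BackupFolder  = 'C:\CertBackup\TrustedRoot'    # assumption: where removed certificates are saved
)

Import-Module PKI

# Derive the thumbprints to keep from the certificate files instead of copying them by hand
$thumbprintsToKeep = foreach ($file in $CaCertFiles) {
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file).Thumbprint
}
Write-Verbose "Keeping thumbprints: $($thumbprintsToKeep -join ', ')"

if (-not (Test-Path $BackupFolder)) {
    New-Item -ItemType Directory -Path $BackupFolder | Out-Null
}

$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$rootStore.Open('ReadWrite')
try {
    # .Certificates returns a snapshot of the store, so removing while looping is safe
    foreach ($cert in $rootStore.Certificates) {
        if ($thumbprintsToKeep -contains $cert.Thumbprint) {
            Write-Output "Keeping  : $($cert.Subject) [$($cert.Thumbprint)]"
            continue
        }
        # With -WhatIf, ShouldProcess only reports what would happen and returns $false
        if ($PSCmdlet.ShouldProcess("$($cert.Subject) [$($cert.Thumbprint)]", 'Remove from Trusted Root store')) {
            # Export first so the removal can be reverted with Import-Certificate
            $backupFile = Join-Path $BackupFolder "$($cert.Thumbprint).cer"
            Export-Certificate -Cert $cert -FilePath $backupFile -Type CERT | Out-Null
            Write-Output "Removing : $($cert.Subject) [$($cert.Thumbprint)] (backup: $backupFile)"
            $rootStore.Remove($cert)
        }
    }
} finally {
    # The store is closed even if an export or removal fails halfway through
    $rootStore.Close()
}
```

Save the script as, for example, Cleanup-TrustedRoot.ps1 and run it first with `-WhatIf -Verbose` to see what would be removed; a removed certificate can be restored from the backup folder with `Import-Certificate -FilePath <backup.cer> -CertStoreLocation Cert:\LocalMachine\Root`.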

Keep only the required certificates

To prevent Windows from automatically repopulating the Trusted Root Certification Authorities store, for instance in response to a Windows update, you have a few options:

  • It is possible to deactivate the automatic update of the list of trusted root certificates. Open gpedit.msc and select Administrative Templates > System > Internet Communication Management, and then select Internet Communication settings. Double-click Turn off Automatic Root Certificates Update, click Disabled, and then click OK.
  • Alternatively, you can run the PowerShell script you have modified at a set interval using the built-in Task Scheduler. The following configuration example shows how to run the PowerShell script with administrative privileges every 15 minutes on a Windows Server 2019.
    • Type taskschd.msc or Task Scheduler in the search bar and press Enter
    • Click on Create Task in the right Actions pane
    • Now configure the following settings in the respective tabs of the Task Scheduler:
      • General
        • Name: Your Task Name
        • Description: Your Task Description
        • Run whether user is logged on or not
        • Run with highest privileges
        • Configure for: Windows Server 2019
      • Triggers
        • Begin the task: On a schedule
        • Settings: Daily
        • Start: Select start date and time
        • Advanced settings: Repeat task every 15 minutes, for a duration of Indefinitely
      • Actions
        • Action: Start a program
        • Program/script: powershell.exe
          • e.g. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        • Add arguments: -File "C:\Path\To\YourScript.ps1"
      • Conditions
        • Uncheck any conditions that may prevent task execution
      • Settings
        • Allow task to be run on demand
        • Run task as soon as possible after a scheduled start is missed
        • If the task fails, restart every 1 minute for 3 retries (or as desired)
    • To finish, press OK and enter the credentials of an administrator when prompted
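The same task can be created with the ScheduledTasks cmdlets, which is easier to repeat on several Mail Gateway servers than the GUI walkthrough. This is an added example and not part of the Matrix42 article; the task name is an assumption and the script path is the article's placeholder. It differs from the GUI steps in two points, both noted in the comments: the task runs as SYSTEM so no administrator credentials need to be stored, and the 15-minute repetition is attached to a one-time trigger without a duration, which the Task Scheduler treats as Indefinitely.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Matrix42 article): register the 15-minute cleanup task.
$taskName   = 'Cleanup-TrustedRootStore'    # assumption: your task name
$scriptPath = 'C:\Path\To\YourScript.ps1'   # placeholder path from the article
$startAt    = (Get-Date).AddMinutes(1)      # first run one minute from now

# Actions tab: Start a program -> powershell.exe -File "C:\Path\To\YourScript.ps1"
# -NoProfile/-NonInteractive keep the unattended run free of profile scripts and prompts
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""

# Triggers tab: repeat every 15 minutes; without -RepetitionDuration the repetition is indefinite
$trigger = New-ScheduledTaskTrigger -Once -At $startAt -RepetitionInterval (New-TimeSpan -Minutes 15)

# General tab: run whether user is logged on or not, with highest privileges (as LocalSystem)
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

# Conditions/Settings tabs: no power conditions, run if a start was missed,
# restart every 1 minute for 3 retries; on-demand start is allowed by default
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -StartWhenAvailable -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 10)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings `
    -Description 'Keeps only the required Trusted Root certificates' -Force | Out-Null

# Verify the registration, run the task once on demand and check the result code (0 = success)
Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 5
Get-ScheduledTaskInfo -TaskName $taskName | Select-Object LastRunTime, LastTaskResult
```

A LastTaskResult other than 0 after the on-demand run usually means the script path is wrong or the script itself failed; check the Task Scheduler history and run the script manually from an elevated prompt to see its output.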