Mail Gateway Integration XI: Enterprise Certificate Authentication
Self-Signed Certificate
Use OpenSSL or a suitable certificate generation tool to create a client certificate. The certificate must have the "Client Authentication" key usage. From a Windows desktop or server in an environment with a Microsoft Certificate Authority, the "certreq" tool can be used with the following steps.
Create .inf File
- Open any text editor, e.g. Notepad++
- Import the following template

[NewRequest]
Subject = "CN=imagoverum.com"
Exportable = TRUE
RequestType = CMC
KeyLength = 2048
ProviderType = 24

[RequestAttributes]
CertificateTemplate = "User"
SAN="upn=eas@imagoverum.com&email=eas@imagoverum.com"
- Adjust the following values
- Subject: change the value to the desired certificate subject text
- CertificateTemplate: enter a template name which your Certificate Authority will recognize as a User certificate template
- SAN: change the UPN and email attributes to values that will be recognizable in your environment. The value is not critical, but it should be clear to users looking at the certificate that its purpose is the Mail Gateway
- After making these changes, save the file as certreq.inf
- Save the file under e.g. C:\temp\
Request a Certificate
- Open Command Prompt as an Administrator
- Execute the following command
certreq -new C:\temp\certreq.inf C:\temp\certreq.req
- Under C:\temp a new file should have been created with the name certreq.req
- Adjust the following command to your Certification Authority and execute it
certreq -submit -config "ca.imagoverum.com\Imagoverum-CA" C:\temp\certreq.req C:\temp\certificate.cer
- Under C:\temp a new file should have been created with the name certificate.cer
Import Certificate
If you did not perform all of these steps on the Mail Gateway server, copy the certificate.cer file to the Mail Gateway server before proceeding with the next steps.
- Log on to your Mail Gateway server
- Right Click the certificate.cer file
- Select Install Certificate
- Change Store Location to Local Machine
- Click Next
- Select Place all certificates in the following store
- Click Browse
- Select Trusted Root Certification Authorities
- Click OK
- Click Next
- Click Finish
- Confirm with yes
Change Registry Settings
It is recommended to back up the registry before making any modification to it.
- Open any text editor, e.g. Notepad++
- Import the following template

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"ClientAuthTrustMode"=dword:00000002
"SendTrustedIssuerList"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443]
"DefaultSslCertCheckMode"=dword:00000000
- Save the file as security.reg
- Execute the saved file to import these values into your registry
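To check the outcome of the steps above, the following PowerShell script is an added verification example (not part of this guide or the Mail Gateway product): it confirms that certificate.cer carries the Client Authentication EKU and the requested 2048-bit RSA key, that it is present in the Local Machine Trusted Root store used in the import step, and that the SCHANNEL and HTTP.sys registry values match the security.reg template. The certificate path C:\temp\certificate.cer is assumed from the request step; run it in an elevated PowerShell on the Mail Gateway server.

```powershell
# Added verification script, not part of the original guide.
# Assumes the certificate file written by the request step: C:\temp\certificate.cer
param([string]$CertPath = 'C:\temp\certificate.cer')

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# 1. Client Authentication EKU and key length, as requested in certreq.inf
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasClientAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
"Subject:              $($cert.Subject)"
"Thumbprint:           $($cert.Thumbprint)"
"Client Auth EKU:      $hasClientAuth"
"RSA key length:       $($rsa.KeySize) (expected 2048)"

# 2. Present in the Local Machine store chosen in the import step (Trusted Root)
$inStore = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
"In LocalMachine\Root: $([bool]$inStore)"

# 3. Registry values from security.reg (HKLM: paths mirror the .reg template)
$expected = @{
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' = @{
        ClientAuthTrustMode   = 2   # exclusive CA trust
        SendTrustedIssuerList = 0
    }
    'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443' = @{
        DefaultSslCertCheckMode = 0
    }
}
foreach ($key in $expected.Keys) {
    foreach ($name in $expected[$key].Keys) {
        $want   = $expected[$key][$name]
        $actual = (Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue).$name
        $status = if ($actual -eq $want) { 'OK' } else { 'MISMATCH' }
        "{0}\{1}: expected {2}, found {3} -> {4}" -f $key, $name, $want, $actual, $status
    }
}
```

A missing registry value is reported as an empty "found" field and a MISMATCH, so the output also reveals whether the .reg import did not run.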