Matrix42 Self-Service Help Center

Mail Gateway Integration XI: Enterprise Certificate Authentication

Requirements

Create Enterprise Certificates

The first step is to create or reuse a key pair consisting of a private and a public key. The certificate with the private key is distributed to your managed devices via Silverback, and the certificate with the public key must be stored on the server under Trusted Root Certification Authorities. You can either have a user certificate issued by your CA, or use OpenSSL or, as shown in the example, PowerShell to create a self-signed certificate pair. Ensure that the certificate has the Client Authentication enhanced key usage. Adjust the following values and run the PowerShell script on your Mail Gateway server:

  • $certSubject: Change the value to the desired certificate subject text
  • $certSAN: Change the UPN and Email attributes to values that will be recognizable in your environment. The value is not critical, but it should be clear to users looking at the certificate that its purpose is the Mail Gateway
  • $password: Change YourPassword to your own password

 Make sure that the folder C:\Certificates does not yet exist on your Mail Gateway server before you start, otherwise the script may not work properly.

# Parameters
$certSubject = "CN=imagoverum.com"
# Subject Alternative Name entries (UPN and e-mail), written into the SAN extension (OID 2.5.29.17)
$certSAN = "upn=eas@imagoverum.com&email=eas@imagoverum.com"
$certDirectory = "C:\Certificates"
$pfxPath = "C:\Certificates\Certificate.pfx"
$cerPath = "C:\Certificates\Certificate.cer"
$password = ConvertTo-SecureString -String "YourPassword" -Force -AsPlainText

# Create the directory if it doesn't exist
if (-not (Test-Path -Path $certDirectory)) {
    New-Item -Path $certDirectory -ItemType Directory
    Write-Output "Directory created: $certDirectory"
} else {
    Write-Output "Directory already exists: $certDirectory"
}

# Create the self-signed certificate with the specified parameters.
# The default template of New-SelfSignedCertificate includes the Client Authentication
# and Server Authentication enhanced key usages, which is what the Mail Gateway requires.
$cert = New-SelfSignedCertificate `
    -Subject $certSubject `
    -TextExtension @("2.5.29.17={text}$certSAN") `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeySpec KeyExchange `
    -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(2)

# Export the certificate with the private key to a PFX file
Export-PfxCertificate `
    -Cert "Cert:\CurrentUser\My\$($cert.Thumbprint)" `
    -FilePath $pfxPath `
    -Password $password

# Export the certificate with the public key to a CER file
Export-Certificate `
    -Cert "Cert:\CurrentUser\My\$($cert.Thumbprint)" `
    -FilePath $cerPath

Review Certificates

  • Open the File Explorer and navigate to C:\Certificates
  • You should now see two files
    • Certificate.pfx
    • Certificate.cer

Import Public Key

  • Right-click the Certificate.cer file
  • Select Install Certificate
  • Change Store Location to Local Machine
  • Click Next
  • Select Place all certificates in the following store
  • Click Browse
  • Select Trusted Root Certification Authorities
  • Click OK
  • Click Next
  • Click Finish
  • Confirm the security warning with Yes
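The following script is an added example and not part of the original article. It checks the certificate pair produced by the script above before you distribute it: the Client Authentication enhanced key usage, the SAN entries, the validity window, that the PFX and CER belong to the same key pair, and that the public certificate has actually been imported into the Local Machine Trusted Root store. The paths follow the script above; adjust them if you changed $pfxPath or $cerPath.

```powershell
# Added example (not part of the original article): verify the exported certificate pair.
$cerPath  = "C:\Certificates\Certificate.cer"
$pfxPath  = "C:\Certificates\Certificate.pfx"
$password = Read-Host -Prompt "PFX password" -AsSecureString

$clientAuthOid = "1.3.6.1.5.5.7.3.2"   # Client Authentication enhanced key usage

$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $password)

# 1. The EKU extension must list Client Authentication, otherwise SChannel/IIS
#    will not accept the certificate as a client certificate.
$ekuExt = $cer.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasClientAuth = $false
if ($ekuExt) {
    $hasClientAuth = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $clientAuthOid
}

# 2. Show the SAN entries so you can confirm the UPN / e-mail values are recognizable
$sanExt  = $cer.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { "<no SAN extension>" }

# 3. Validity window
$now   = Get-Date
$valid = ($cer.NotBefore -le $now) -and ($cer.NotAfter -gt $now)

# 4. The PFX must carry the private key and belong to the same certificate as the CER
$pairMatches = $pfx.HasPrivateKey -and ($pfx.Thumbprint -eq $cer.Thumbprint)

# 5. The public certificate must be present in the Local Machine Trusted Root store
$inRootStore = [bool](Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cer.Thumbprint })

[pscustomobject]@{
    Subject            = $cer.Subject
    Thumbprint         = $cer.Thumbprint
    SubjectAltName     = $sanText
    ClientAuthEKU      = $hasClientAuth
    CurrentlyValid     = $valid
    NotAfter           = $cer.NotAfter
    PfxMatchesCer      = $pairMatches
    InTrustedRootStore = $inRootStore
} | Format-List

if (-not ($hasClientAuth -and $valid -and $pairMatches -and $inRootStore)) {
    Write-Warning "At least one check failed; fix the certificate or the import before continuing."
}
```

Run it on the Mail Gateway server after the import steps above. The thumbprint it prints is also the value you will need later for the list of certificates to keep in the Trusted Root store.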

Change Registry Settings

  • Open any text editor, e.g. Notepad++
  • Paste the following template:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"ClientAuthTrustMode"=dword:00000002
"SendTrustedIssuerList"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443]
"DefaultSslCertCheckMode"=dword:00000000

  • Save the file as security.reg
  • Review the overview of the changes below
  • Take a backup of the two registry keys by exporting them:
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443
  • Double-click the saved file to import these values into your registry
  • Reboot your server and proceed with SSL Settings
ClientAuthTrustMode (DWORD 32-bit)
  Description: Determines how the server should handle client certificate trust during mutual authentication (when the server requires a client certificate).
  Options:
    • Value 0: Do not require client certificates.
    • Value 1: Require client certificates and trust all certificates presented by clients.
    • Value 2: Require client certificates but use certificate trust based on the root and intermediate CA certificates trusted by the server.
  Setting: 2
  Impact: With ClientAuthTrustMode set to 2, the server requires client certificates and validates them against the list of trusted root and intermediate CAs in the server's certificate store.

SendTrustedIssuerList (DWORD 32-bit)
  Description: Determines whether the server sends its list of trusted issuers to clients during the SSL/TLS handshake.
  Options:
    • Value 0: Do not send the list of trusted issuers.
    • Value 1: Send the list of trusted issuers to clients.
  Setting: 0
  Impact: With SendTrustedIssuerList set to 0, the server does not send its list of trusted issuers to clients. This can be a security measure to prevent clients from obtaining the list of trusted certificate authorities. If this setting were 1, the client would receive information about the CAs that the server trusts, which could potentially assist the client in selecting a suitable client certificate.

DefaultSslCertCheckMode (DWORD 32-bit)
  Description: Controls the default certificate check mode for SSL/TLS bindings on the specified port (in this case, port 443).
  Options:
    • Value 0: Perform basic certificate validation.
    • Value 1: Perform extended certificate validation, including additional checks.
  Setting: 0
  Impact: With DefaultSslCertCheckMode set to 0, the server performs basic validation of SSL/TLS certificates. This includes checking if the certificate is expired, not yet valid, and properly signed by a trusted CA. Setting it to 1 would enable more stringent checks, which might include more comprehensive validation criteria, such as checking certificate revocation status.
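As an added example that is not part of the original article, the following script performs the same registry procedure without a .reg file: it exports a backup of both keys, writes the three values with the settings from the table above, and then reads them back to confirm they were applied. The backup folder C:\RegistryBackup is an assumption; choose any location you like. Run it in an elevated PowerShell session.

```powershell
# Added example (not part of the original article): back up, apply and verify
# the SCHANNEL and HTTP.sys binding values described above. Requires elevation.
#Requires -RunAsAdministrator

$settings = @(
    @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"; Name = "ClientAuthTrustMode";   Value = 2 },
    @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"; Name = "SendTrustedIssuerList"; Value = 0 },
    @{ Path = "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443"; Name = "DefaultSslCertCheckMode"; Value = 0 }
)

$backupDir = "C:\RegistryBackup"   # assumed backup location
New-Item -Path $backupDir -ItemType Directory -Force | Out-Null
$stamp = Get-Date -Format "yyyyMMdd-HHmmss"

# 1. Export each affected key once with reg.exe (the backup the article asks for)
$keys = $settings | ForEach-Object { $_.Path } | Select-Object -Unique
foreach ($key in $keys) {
    $regKey = $key -replace '^HKLM:\\', 'HKLM\'
    $leaf   = ($key.Split('\')[-1] -replace '[:.]', '_')
    $file   = Join-Path $backupDir "$leaf-$stamp.reg"
    reg.exe export $regKey $file /y | Out-Null
    Write-Output "Backed up $regKey to $file"
}

# 2. Apply the values; the SslBindingInfo key only exists once an HTTPS binding
#    has been created, so create the path if it is missing.
foreach ($s in $settings) {
    if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
    New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -PropertyType DWord -Force | Out-Null
}

# 3. Read the values back and compare against the intended setting
$failed = 0
foreach ($s in $settings) {
    $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ($actual -eq $s.Value) {
        Write-Output "OK   $($s.Name) = $actual"
    } else {
        Write-Warning "FAIL $($s.Name): expected $($s.Value), got '$actual'"
        $failed++
    }
}

if ($failed -eq 0) {
    Write-Output "All values applied. Reboot the server before continuing with the SSL settings."
}
```

The read-back step is the part worth keeping even if you prefer the .reg file: SCHANNEL only picks the values up after a reboot, so confirming they are present before rebooting saves a second maintenance window.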

SSL Settings 

  • Open Internet Information Services (IIS) Manager
  • Expand your Server
  • Expand Sites
  • Click on Default Web Site
  • Double Click on SSL Settings
  • Enable Require SSL
  • Change Client certificate to Require
  • Click Apply
  • Restart IIS

Additional Steps for Windows Server 2022 

  • Open Internet Information Services (IIS) Manager
  • Expand your Server
  • Expand Sites
  • Right Click Default Web Site
  • Click Edit Bindings
  • Double-click the https entry
  • Activate the Disable TLS 1.3 over TCP checkbox 
  • Click OK
  • Click Close
  • Restart IIS

Check Connection

  • Try to open the following URL from a workstation or from a mobile device:
    • https://smg.imagoverum.com/Microsoft-Server-ActiveSync/HealthCheck.htm
  • You should be prompted for a certificate
  • Enroll a device and assign a Tag that distributes a certificate to the device
    • e.g. with the Certificate Profile on Android Enterprise
    • or install your *.pfx manually on a device
  • On the mobile device, try to open e.g.
    • https://smg.imagoverum.com/Microsoft-Server-ActiveSync/HealthCheck.htm
  • You should be prompted for a certificate
  • Select the user certificate
  • You should now see the same results as described in Mail Gateway Integration VI: Connection Check
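The browser check above can be scripted for repeatable verification. The following script is an added example and not part of the original article: it requests the HealthCheck URL once without a client certificate (which must be refused) and once with the certificate from your PFX (which must succeed). The URL is the article's example host and the PFX path follows the creation script; both are assumptions to adjust.

```powershell
# Added example (not part of the original article): verify that the Mail Gateway
# enforces certificate-based authentication. Run from a workstation that can reach the gateway.
$url      = "https://smg.imagoverum.com/Microsoft-Server-ActiveSync/HealthCheck.htm"   # assumed host
$pfxPath  = "C:\Certificates\Certificate.pfx"                                            # assumed path
$password = Read-Host -Prompt "PFX password" -AsSecureString

function Get-HttpStatus {
    # Returns the HTTP status code of a request, or -1 if no HTTP response came back
    # (for example because the TLS handshake itself was rejected).
    param(
        [string]$Uri,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $params = @{ Uri = $Uri; UseBasicParsing = $true; ErrorAction = "Stop" }
    if ($Certificate) { $params.Certificate = $Certificate }
    try {
        $response = Invoke-WebRequest @params
        return [int]$response.StatusCode
    } catch {
        # Windows PowerShell 5.1 throws a WebException, PowerShell 7 an HttpResponseException;
        # both expose the server's response when one was received (e.g. 403 for a missing client certificate).
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return -1
    }
}

# Install the PFX into the current user's personal store so SChannel can use the private key
$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $password

$withoutCert = Get-HttpStatus -Uri $url
$withCert    = Get-HttpStatus -Uri $url -Certificate $cert

[pscustomobject]@{
    WithoutClientCertificate = $withoutCert
    WithClientCertificate    = $withCert
} | Format-List

if ($withCert -eq 200 -and $withoutCert -ne 200) {
    Write-Output "PASS: the gateway accepts the enterprise certificate and refuses anonymous clients."
} else {
    Write-Warning "FAIL: expected 200 with the certificate and a refusal without it. Check the IIS SSL settings and the SCHANNEL registry values."
}
```

A -1 for the anonymous request is also acceptable: depending on the TLS version and the ClientAuthTrustMode setting, the server may abort the handshake instead of answering with an HTTP 403.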

Server Hardening

We have now set up an IIS reverse proxy using Microsoft's built-in tools and activated and verified certificate-based authentication. Now it is time to consider another important topic, which we cover in the following chapters.

Remove Trusted Root Certificates

At this time, the default setting and logic is to accept certificates for authentication whose root and intermediate certificates are present on the Windows server. As you likely want only your own certificate, which is distributed via Silverback, to be trusted, you only need to provide the necessary certificate and remove those that are not required. Note that Windows itself also relies on entries in this store, for example the Microsoft root certificates used to verify signed system components and updates, so include the thumbprints of any such roots your server needs in the list of certificates to keep. To address this, we provide a possible template for keeping one certificate as an example in the following PowerShell script. Adjust the template, and make sure to run this script as an administrator, as removing Trusted Root Certificates requires administrative privileges. Test the script in a safe environment before running it in production. Overall, the script performs the following steps:

  1. Define the thumbprints: The script starts by defining an array $thumbprintsToKeep containing the thumbprints of the certificates you want to keep. Replace "YOUR_FIRST_CERT_THUMBPRINT" with the actual thumbprint of your certificate.
  2. Open the certificate store: The script opens the Trusted Root Certification Authorities store in read-write mode.
  3. Iterate over the certificates: The script loops through all certificates in the Trusted Root store.
  4. Remove certificates: It removes each certificate whose thumbprint is not in the $thumbprintsToKeep array.
  5. Close the certificate store: Finally, the script closes the certificate store.

#Requires -RunAsAdministrator

# Define the thumbprints of the certificates to keep
$thumbprintsToKeep = @(
    "YOUR_FIRST_CERT_THUMBPRINT"
    # Add more thumbprints as needed
)

# Open the Trusted Root Certification Authorities store of the local machine in read-write mode
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store "Root", "LocalMachine"
$rootStore.Open("ReadWrite")

try {
    $certificates = $rootStore.Certificates

    # Safety check: if none of the thumbprints to keep is present in the store
    # (e.g. the placeholder was not replaced), stop instead of emptying the store.
    $present = @($certificates | Where-Object { $thumbprintsToKeep -contains $_.Thumbprint })
    if ($present.Count -eq 0) {
        throw "None of the thumbprints in `$thumbprintsToKeep was found in the Trusted Root store; aborting."
    }

    foreach ($cert in $certificates) {
        if ($thumbprintsToKeep -notcontains $cert.Thumbprint) {
            # Remove the certificate if its thumbprint is not in the list of thumbprints to keep
            Write-Output "Removing certificate: $($cert.Subject) with thumbprint $($cert.Thumbprint)"
            $rootStore.Remove($cert)
        } else {
            Write-Output "Keeping certificate: $($cert.Subject) with thumbprint $($cert.Thumbprint)"
        }
    }
}
finally {
    # Close the certificate store, even if an error occurred
    $rootStore.Close()
}

Keep Only the Required Certificates

To prevent the list of certificates in the Trusted Root Certification Authorities store from being refilled automatically, for instance in response to a Windows update, you have a few options at your disposal:

  • You can deactivate the automatic update of the list of trusted root certificates. Open gpedit.msc and select Administrative Templates > System > Internet Communication Management, and then click Internet Communication settings. Double-click Turn off Automatic Root Certificates Update, click Disabled, and then click OK.
  • Alternatively, you can run the PowerShell script you have modified at a set interval using the built-in Task Scheduler. The following configuration example shows how to run the PowerShell script on a Windows Server 2019 with administrative privileges every 15 minutes.
    • Type taskschd.msc or Task Scheduler in the search bar and press Enter
    • Click on Create Task in the right Actions pane
    • Now configure the following settings in the respective tabs of the Task Scheduler:
      • General
        • Name: Your Task Name
        • Description: Your Task Description
        • Run whether user is logged on or not
        • Run with highest privileges
        • Configure for: Windows Server 2019
      • Triggers
        • Begin the task: On a schedule
        • Settings: Daily
        • Start: Select start date and time
        • Advanced settings: Repeat task every 15 minutes, for a duration of Indefinitely
      • Actions
        • Action: Start a program
        • Program/script: powershell.exe
          • e.g. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        • Add arguments: -File "C:\Path\To\YourScript.ps1"
      • Conditions
        • Uncheck any conditions that may prevent task execution
      • Settings
        • Allow task to be run on demand
        • Run task as soon as possible after a scheduled start is missed
        • If the task fails, restart every 1 minute for 3 retries (or as desired)
    • To finish, press OK and enter the credentials of an administrator when prompted
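The same scheduled task can be registered from PowerShell, which is easier to reproduce on several gateway servers than the GUI steps above. The following script is an added example and not part of the original article. The task name and the script path C:\Scripts\Remove-UntrustedRoots.ps1 are assumptions; point it at the location of your adjusted script. It runs the task as SYSTEM with highest privileges, so no administrator password has to be stored with the task.

```powershell
# Added example (not part of the original article): register the 15-minute
# Trusted Root cleanup task with the ScheduledTasks module. Requires elevation.
#Requires -RunAsAdministrator

$taskName   = "Mail Gateway - Prune Trusted Root Store"          # assumed name
$scriptPath = "C:\Scripts\Remove-UntrustedRoots.ps1"               # assumed path to your adjusted script

if (-not (Test-Path -Path $scriptPath)) {
    throw "Script not found: $scriptPath"
}

# Action: start powershell.exe with the script, non-interactively
$action = New-ScheduledTaskAction -Execute "powershell.exe" `
    -Argument "-NoProfile -NonInteractive -ExecutionPolicy Bypass -File `"$scriptPath`""

# Trigger: start today and repeat every 15 minutes. Without -RepetitionDuration the
# repetition is indefinite on Windows Server 2016 and later.
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date `
    -RepetitionInterval (New-TimeSpan -Minutes 15)

# Principal: run whether a user is logged on or not, with highest privileges, as SYSTEM
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest

# Settings: mirror the GUI options above (no blocking conditions, catch up on missed
# starts, retry 3 times every minute) and stop a hung run after 10 minutes
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -StartWhenAvailable -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1) `
    -ExecutionTimeLimit (New-TimeSpan -Minutes 10) -MultipleInstances IgnoreNew

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings `
    -Description "Removes certificates from the Trusted Root store that are not on the allow list." `
    -Force | Out-Null

# Verify: run the task once on demand and inspect the result (LastTaskResult 0 = success)
Start-ScheduledTask -TaskName $taskName
Start-Sleep -Seconds 10
Get-ScheduledTaskInfo -TaskName $taskName |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
```

If LastTaskResult is not 0, run the script manually in an elevated session first; the task only repeats whatever the script does, so a thumbprint typo in the allow list shows up there before it is applied every 15 minutes.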