Mail Gateway Integration XI: Enterprise Certificate Authentication

Requirements

Accomplished Mail Gateway Integration Parts I - VI

Create Enterprise Certificates

The first step is to create or use a key pair with a private and public key. The certificate with the private key will be distributed via Silverback to your managed devices and the certificate with the public key must be stored on the server under the Trusted Root Certification Authorities. You can either have a user certificate issued by your CA or use OpenSSL or, as shown in the example, PowerShell to create a self-signed certificate pair. Ensure that the certificate have the Client Authentication key usage. Adjust the following values and run the PowerShell Script on your Mail Gateway server:

$certSubject: Change the value with to a desired certificate subject text
$certSAN: change the UPN and Email attributes to values, which will be recognizable in your environment. The value is not critical, but it should be clear to users looking at the certificate that its purpose is for the Mail Gateway
$password: Change YourPassword to your custom password

Make sure that the folder C:\Certificates has not yet been created on your Mail Gateway server before starting, otherwise the script may not work properly.

# Parameters
$certSubject = "CN=imagoverum.com"
$certSAN = @("upn=eas@imagoverum.com", "email=eas@imagoverum.com")
$certDirectory = "C:\Certificates"
$pfxPath = "C:\Certificates\Certificate.pfx"
$cerPath = "C:\Certificates\Certificate.cer"
$password = ConvertTo-SecureString -String "YourPassword" -Force -AsPlainText

# Create the directory if it doesn't exist
if (-not (Test-Path -Path $certDirectory)) {
    New-Item -Path $certDirectory -ItemType Directory
    Write-Output "Directory created: $certDirectory"
} else {
    Write-Output "Directory already exists: $certDirectory"
}

# Create the self-signed certificate with the specified parameters
$cert = New-SelfSignedCertificate `
    -Subject $certSubject `
    -DnsName $certSAN `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeySpec KeyExchange `
    -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(2) `

# Export the certificate with the private key to a PFX file
Export-PfxCertificate `
    -Cert "Cert:\CurrentUser\My\$($cert.Thumbprint)" `
    -FilePath $pfxPath `
    -Password $password

# Export the certificate with the public key to a CER file
Export-Certificate `
    -Cert "Cert:\CurrentUser\My\$($cert.Thumbprint)" `
    -FilePath $cerPath

Review Certificates

Open the File Explorer and navigate to C:\Certificates
You should see now 2 files
- Certificate.pfx
- Certificate.cer

Import Public Key

Right Click the certificate.cer file
Select Install Certificate
Change Store Location to Local Machine
Click Next
Select Place all certificates in the following store
Click Browse
Select Trusted Root Certification Authorities
Click OK
Click Next
Click Finish
Confirm with yes

Change Registry Settings

Open Any Text Edit, e.g. Notepad++
Import the following template

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"ClientAuthTrustMode"=dword:00000002
"SendTrustedIssuerList"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443]
"DefaultSslCertCheckMode"=dword:0000000

Save the file as security.reg
Acknowledge the overview of changes below
Take a backup of the two registry key by exporting them
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443
Execute the file after saving to import these values to your registry
Reboot your Server and proceed with SSL Settings

DWORD 32-bit	Description	Options	Setting	Impact
ClientAuthTrustMode	Determines how the server should handle client certificate trust during mutual authentication (when the server requires a client certificate).	Value 0: Do not require client certificates. Value 1: Require client certificates and trust all certificates presented by clients. Value 2: Require client certificates but use certificate trust based on the root and intermediate CA certificates trusted by the server.	2	With ClientAuthTrustMode set to 2, the server requires client certificates and validates them against the list of trusted root and intermediate CAs in the server's certificate store
SendTrustedIssuerList	Determines whether the server sends its list of trusted issuers to clients during the SSL/TLS handshake.	Value 0: Do not send the list of trusted issuers. Value 1: Send the list of trusted issuers to clients.	0	With SendTrustedIssuerList set to 0, the server does not send its list of trusted issuers to clients. This can be a security measure to prevent clients from obtaining the list of trusted certificate authorities. If this setting were 1, the client would receive information about the CAs that the server trusts, which could potentially assist the client in selecting a suitable client certificate.
DefaultSslCertCheckMode	Controls the default certificate check mode for SSL/TLS bindings on the specified port (in this case, port 443).	Value 0: Perform basic certificate validation. Value 1: Perform extended certificate validation, including additional checks.	0	Impact: With DefaultSslCertCheckMode set to 0, the server performs basic validation of SSL/TLS certificates. This includes checking if the certificate is expired, not yet valid, and properly signed by a trusted CA. Setting it to 1 would enable more stringent checks, which might include more comprehensive validation criteria, such as checking certificate revocation status.

SSL Settings

Open Internet Information Services (IIS) Manager
Expand your Server
Expand Sites
Click on Default Web Site
Double Click on SSL Settings
Enable Require SSL
Change Client certificate to Require
Click Apply
Restart IIS

Additional Steps for Windows Server 2022

Open Internet Information Services (IIS) Manager
Expand your Server
Expand Sites
Right Click Default Web Site
Click Edit Bindings
Double-click the https entry
Activate the Disable TLS 1.3 over TCP checkbox
Click OK
Click Close
Restart IIS

Check Connection

Try to open the following URL from a workstation or from a mobile device
- https://smg.imagoverum.com/Microsoft-Server-ActiveSync/HealthCheck.htm
You should be prompted for a certificate
Enroll a device and assign an Tag which will distribute a certificate to the device
- e.g. with the Certificate Profile on Android Enterprise
- or try to install your *.pfx manually on a device
On the mobile device, try to open e.g.
- https://smg.imagoverum.com/Microsoft-Server-ActiveSync/HealthCheck.htm
You should be prompted for a certificate
Select the user certificate
You should now see the same results as described in Mail Gateway Integration VI: Connection Check

Server Hardening

We have now set up an IIS reverse proxy with Microsoft Board Tools and activated and checked certificate-based authentication. Now it is time to consider another important topic, which we will highlight in the following chapters.

Remove Trusted Root Certificates

At this time, the default setting and logic is to accept certificates for authentication whose root and intermediate certificates are located on the Windows server. As you likely only want your own certificate, which is distributed via Silverback, to be trusted, you only need to provide the necessary certificate and remove those that are not required. To address this, we have provided a possible template for keeping one certificate as an example in the following Powershell script. Adjust the Template, and ensure to run this script as an administrator, as removing Trusted Root Certificates requires administrative privileges. Test the script in a safe environment before running it in a production environment. Overall, the script contains the following steps:

Define the thumbprints: This script starts by defining an array $thumbprintsToKeep containing the thumbprints of the certificates you want to keep. Replace "YOUR_FIRST_CERT_THUMBPRINT" with the actual thumbprint of your certificate.
Open the certificate store: The script opens the Trusted Root Certification Authorities store in read-write mode.
Iterate over the certificate: The script loops through all certificates in the Trusted Root store.
Remove certificate: It removes each certificate whose thumbprint is not in the $thumbprintsToKeep array.
Close the certificate store: Finally, the script closes the certificate store.

# Define the thumbprints of the certificates to keep
$thumbprintsToKeep = @(
    "YOUR_FIRST_CERT_THUMBPRINT"
    # Add more thumbprints as needed
)

# Open the Trusted Root Certification Authorities store
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store "Root", "LocalMachine"
$rootStore.Open("ReadWrite")
$certificates = $rootStore.Certificates

foreach ($cert in $certificates) {
    if ($thumbprintsToKeep -notcontains $cert.Thumbprint) {
        # Remove the certificate if its thumbprint is not in the list of thumbprints to keep
        Write-Output "Removing certificate: $($cert.Subject) with thumbprint $($cert.Thumbprint)"
        $rootStore.Remove($cert)
    } else {
        Write-Output "Keeping certificate: $($cert.Subject) with thumbprint $($cert.Thumbprint)"
    }
}

# Close the certificate store
$rootStore.Close()

Remain only required certificates

To prevent the list of certificates in the Trusted Root Certification Authorities store from being automatically refreshed, for instance in response to a Windows update, you have a few options at your disposal:

It is possible to deactivate the automatic updates of the list of trusted root certificates. Open gpedit.msc and select Administrative Templates > System > Internet Communication Management, and then press Internet Communication settings. Double-click Turn off Automatic Root Certificates Update, click Disabled, and then click OK.
As an alternative, you may choose to run the PowerShell script you have modified at a designated interval using the Task Scheduler board tool. The following configuration example demonstrates how to run the PowerShell script on a Windows Server 2019 with administrative privileges configured every 15 minutes.
- Type taskschd.msc or Task Scheduler in the search bar and press Enter
- Click on Create Task in the right Actions pane
- Now configure the following settings in the respective tabs of the Task Scheduler:
  - General
    - Name: Your Task Name
    - Description: Your Task Description
    - Run whether user is logged on or not
    - Run with highest privileges
    - Configure for: Windows Server 2019
  - Triggers
    - Begin the task: On a schedule
    - Settings: Daily
    - Start: Select start date and time
    - Advanced settings: Repeat task every 15 minutes, for a duration of Indefinitely
  - Actions
    - Action: Start a program
    - Program/script: powershell.exe
      - e.g. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    - Add arguments: -File "C:\Path\To\YourScript.ps1"
  - Conditions
    - Uncheck any conditions that may prevent task execution
  - Settings
    - Allow task to be run on demand
    - Run task as soon as possible after a scheduled start is missed
    - If the task fails, restart every 1 minute for 3 retries (or as desired)
- To finish, press OK and enter the credentials of an administrator when prompted