Mail Gateway Integration XI: Enterprise Certificate Authentication
Requirements
- Accomplished Mail Gateway Integration Parts I - VI
Create Enterprise Certificates
The first step is to create or reuse a key pair consisting of a private and a public key. The certificate with the private key will be distributed via Silverback to your managed devices, and the certificate with the public key must be stored on the server under Trusted Root Certification Authorities. You can either have a user certificate issued by your CA, or use OpenSSL or, as shown in the example, PowerShell to create a self-signed certificate pair. Ensure that the certificate has the Client Authentication enhanced key usage. Adjust the following values and run the PowerShell script on your Mail Gateway server:
- $certSubject: Change the value to the desired certificate subject text
- $certSAN: Change the UPN and email attributes to values that will be recognizable in your environment. The value is not critical, but it should be clear to users looking at the certificate that its purpose is the Mail Gateway
- $password: Change YourPassword to your custom password
Make sure that the folder C:\Certificates has not yet been created on your Mail Gateway server before starting, otherwise the script may not work properly.
# Parameters
$certSubject = "CN=imagoverum.com"
$certSAN = @("upn=eas@imagoverum.com", "email=eas@imagoverum.com")
$certDirectory = "C:\Certificates"
$pfxPath = "C:\Certificates\Certificate.pfx"
$cerPath = "C:\Certificates\Certificate.cer"
$password = ConvertTo-SecureString -String "YourPassword" -Force -AsPlainText

# Create the directory if it doesn't exist
if (-not (Test-Path -Path $certDirectory)) {
    New-Item -Path $certDirectory -ItemType Directory
    Write-Output "Directory created: $certDirectory"
} else {
    Write-Output "Directory already exists: $certDirectory"
}

# Create the self-signed certificate with the specified parameters.
# The UPN/email values go into the Subject Alternative Name extension (OID 2.5.29.17)
# and the Client Authentication purpose (OID 1.3.6.1.5.5.7.3.2) is set explicitly
# in the Enhanced Key Usage extension (OID 2.5.29.37).
$cert = New-SelfSignedCertificate `
    -Subject $certSubject `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2", "2.5.29.17={text}$($certSAN -join '&')") `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeySpec KeyExchange `
    -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(2)

# Export the certificate with the private key to a PFX file
Export-PfxCertificate `
    -Cert "Cert:\CurrentUser\My\$($cert.Thumbprint)" `
    -FilePath $pfxPath `
    -Password $password

# Export the certificate with the public key to a CER file
Export-Certificate `
    -Cert "Cert:\CurrentUser\My\$($cert.Thumbprint)" `
    -FilePath $cerPath
Review Certificates
- Open File Explorer and navigate to C:\Certificates
- You should now see two files
- Certificate.pfx
- Certificate.cer
Import Public Key
- Right-click the Certificate.cer file
- Select Install Certificate
- Change Store Location to Local Machine
- Click Next
- Select Place all certificates in the following store
- Click Browse
- Select Trusted Root Certification Authorities
- Click OK
- Click Next
- Click Finish
- Confirm with Yes
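Before the PFX is distributed via Silverback, it is worth checking that it actually carries what the server will later require. The following script is an added check, not part of the original guide; it assumes the paths, password and UPN/email from the creation script above, and its last check only passes once Certificate.cer has been imported into Trusted Root Certification Authorities (Local Machine).

```powershell
# Added verification script (not part of the original guide). Assumed values:
# same paths/password as the creation script, SAN identity eas@imagoverum.com.
$pfxPath    = "C:\Certificates\Certificate.pfx"
$cerPath    = "C:\Certificates\Certificate.cer"
$password   = ConvertTo-SecureString -String "YourPassword" -Force -AsPlainText
$expectedId = "eas@imagoverum.com"   # UPN/email value used in $certSAN

$pfx = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $password)
$cer = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)

# Client Authentication EKU (1.3.6.1.5.5.7.3.2) is what IIS/SCHANNEL needs for mutual TLS.
$eku = $pfx.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
$hasClientAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.2" })

# Subject Alternative Name (2.5.29.17) should carry the UPN/email from $certSAN.
$san = $pfx.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$sanText = if ($san) { $san.Format($false) } else { "" }

# Chain check against the server's stores: this is the trust that
# ClientAuthTrustMode=2 relies on, so it must succeed on the Mail Gateway server.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = "NoCheck"   # a self-signed certificate has no CRL
$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]"1.3.6.1.5.5.7.3.2") | Out-Null
$chainOk = $chain.Build($cer)

$now = Get-Date
$checks = [ordered]@{
    "PFX contains private key"           = $pfx.HasPrivateKey
    "CER matches PFX (thumbprint)"       = ($pfx.Thumbprint -eq $cer.Thumbprint)
    "Client Authentication EKU present"  = [bool]$hasClientAuth
    "SAN contains $expectedId"           = ($sanText -like "*$expectedId*")
    "Key length is at least 2048 bit"    = ($pfx.PublicKey.Key.KeySize -ge 2048)
    "Certificate is currently valid"     = ($pfx.NotBefore -le $now -and $pfx.NotAfter -gt $now)
    "Chains to a trusted root on server" = $chainOk
}
$checks.GetEnumerator() | ForEach-Object {
    "{0,-5} {1}" -f $(if ($_.Value) { "PASS" } else { "FAIL" }), $_.Key
}
if ($checks.Values -contains $false) { exit 1 }
```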
Change Registry Settings
- Open any text editor, e.g. Notepad++
- Insert the following template
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"ClientAuthTrustMode"=dword:00000002
"SendTrustedIssuerList"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443]
"DefaultSslCertCheckMode"=dword:00000000
- Save the file as security.reg
- Acknowledge the overview of changes below
- Take a backup of the two registry keys by exporting them
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443
- Execute the file after saving to import these values to your registry
- Reboot your Server and proceed with SSL Settings
DWORD 32-bit | Description | Setting | Impact
---|---|---|---
ClientAuthTrustMode | Determines how the server should handle client certificate trust during mutual authentication (when the server requires a client certificate). | 2 | With ClientAuthTrustMode set to 2, the server requires client certificates and validates them against the list of trusted root and intermediate CAs in the server's certificate store.
SendTrustedIssuerList | Determines whether the server sends its list of trusted issuers to clients during the SSL/TLS handshake. | 0 | With SendTrustedIssuerList set to 0, the server does not send its list of trusted issuers to clients. This can be a security measure to prevent clients from obtaining the list of trusted certificate authorities. If this setting were 1, the client would receive information about the CAs that the server trusts, which could potentially assist the client in selecting a suitable client certificate.
DefaultSslCertCheckMode | Controls the default certificate check mode for SSL/TLS bindings on the specified port (in this case, port 443). | 0 | With DefaultSslCertCheckMode set to 0, the server performs basic validation of SSL/TLS certificates. This includes checking whether the certificate is expired, not yet valid, or not properly signed by a trusted CA. Setting it to 1 would enable more stringent checks, which might include more comprehensive validation criteria, such as checking certificate revocation status.
SSL Settings
- Open Internet Information Services (IIS) Manager
- Expand your Server
- Expand Sites
- Click on Default Web Site
- Double Click on SSL Settings
- Enable Require SSL
- Change Client certificate to Require
- Click Apply
- Restart IIS
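After the reboot and the IIS changes, the settings from security.reg and the SSL Settings page can be read back in one go. This is an added check script, not part of the original guide; it assumes the registry values from the template above and the Default Web Site as the site.

```powershell
# Added verification script (not part of the original guide): reads back the
# registry values from security.reg and the IIS SSL flags of Default Web Site.
Import-Module WebAdministration

$schannel = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
$httpBind = "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443"
$expectedRegistry = @(
    @{ Path = $schannel; Name = "ClientAuthTrustMode";     Value = 2 },
    @{ Path = $schannel; Name = "SendTrustedIssuerList";   Value = 0 },
    @{ Path = $httpBind; Name = "DefaultSslCertCheckMode"; Value = 0 }
)

$failed = 0
foreach ($entry in $expectedRegistry) {
    # Missing key or value yields $null, which is reported as FAIL rather than as a 0.
    $item   = Get-ItemProperty -Path $entry.Path -Name $entry.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.$($entry.Name) } else { $null }
    $ok = ($null -ne $actual) -and ($actual -eq $entry.Value)
    if (-not $ok) { $failed++ }
    "{0,-4} {1} = {2} (expected {3})" -f $(if ($ok) { "PASS" } else { "FAIL" }), $entry.Name, $actual, $entry.Value
}

# "Require SSL" plus "Client certificates: Require" shows up as Ssl and SslRequireCert
# in the sslFlags attribute of system.webServer/security/access for the site.
$raw = Get-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site" `
    -Filter "system.webServer/security/access" -Name sslFlags
$sslFlags = if ($raw.PSObject.Properties['Value']) { "$($raw.Value)" } else { "$raw" }
$iisOk = ($sslFlags -match "\bSsl\b") -and ($sslFlags -match "SslRequireCert")
if (-not $iisOk) { $failed++ }
"{0,-4} Default Web Site sslFlags = {1}" -f $(if ($iisOk) { "PASS" } else { "FAIL" }), $sslFlags

exit $failed
```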
Additional Steps for Windows Server 2022
- Open Internet Information Services (IIS) Manager
- Expand your Server
- Expand Sites
- Right Click Default Web Site
- Click Edit Bindings
- Double-click the https entry
- Activate the Disable TLS 1.3 over TCP checkbox
- Click OK
- Click Close
- Restart IIS
Check Connection
- Try to open the following URL from a workstation or from a mobile device
- https://smg.imagoverum.com/Microsoft-Server-ActiveSync/HealthCheck.htm
- You should be prompted for a certificate
- Enroll a device and assign a Tag which will distribute a certificate to the device
- e.g. with the Certificate Profile on Android Enterprise
- or try to install your *.pfx manually on a device
- On the mobile device, try to open e.g.
- https://smg.imagoverum.com/Microsoft-Server-ActiveSync/HealthCheck.htm
- You should be prompted for a certificate
- Select the user certificate
- You should now see the same results as described in Mail Gateway Integration VI: Connection Check
Server Hardening
We have now set up an IIS reverse proxy using built-in Microsoft tools and activated and checked certificate-based authentication. Now it is time to consider another important topic, which we will highlight in the following chapters.
Remove Trusted Root Certificates
At this time, the default setting and logic is to accept for authentication any certificate whose root and intermediate certificates are located on the Windows server. As you likely only want your own certificate, which is distributed via Silverback, to be trusted, you only need to provide the necessary certificate and remove those that are not required. To address this, we have provided a possible template for keeping one certificate as an example in the following PowerShell script. Adjust the template, and be sure to run this script as an administrator, as removing Trusted Root Certificates requires administrative privileges. Test the script in a safe environment before running it in a production environment. Overall, the script contains the following steps:
- Define the thumbprints: The script starts by defining an array $thumbprintsToKeep containing the thumbprints of the certificates you want to keep. Replace "YOUR_FIRST_CERT_THUMBPRINT" with the actual thumbprint of your certificate.
- Open the certificate store: The script opens the Trusted Root Certification Authorities store in read-write mode.
- Iterate over the certificates: The script loops through all certificates in the Trusted Root store.
- Remove certificates: It removes each certificate whose thumbprint is not in the $thumbprintsToKeep array.
- Close the certificate store: Finally, the script closes the certificate store.

# Define the thumbprints of the certificates to keep
$thumbprintsToKeep = @(
    "YOUR_FIRST_CERT_THUMBPRINT"
    # Add more thumbprints as needed
)

# Open the Trusted Root Certification Authorities store
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store "Root", "LocalMachine"
$rootStore.Open("ReadWrite")

$certificates = $rootStore.Certificates
foreach ($cert in $certificates) {
    if ($thumbprintsToKeep -notcontains $cert.Thumbprint) {
        # Remove the certificate if its thumbprint is not in the list of thumbprints to keep
        Write-Output "Removing certificate: $($cert.Subject) with thumbprint $($cert.Thumbprint)"
        $rootStore.Remove($cert)
    } else {
        Write-Output "Keeping certificate: $($cert.Subject) with thumbprint $($cert.Thumbprint)"
    }
}

# Close the certificate store
$rootStore.Close()
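Because removing Trusted Root Certificates is hard to undo, a safer way to run the pruning is to back up each certificate first and to remove nothing until you have reviewed the list. The following script is an added variant, not the guide's own; the placeholder thumbprint, the backup folder and the -Apply switch are assumptions.

```powershell
# Added variant (not part of the original guide): same keep-list logic as the script
# above, but every certificate is exported to a backup folder before removal and
# nothing is removed unless -Apply is given. Thumbprint and folder are placeholders.
param(
    [string[]]$ThumbprintsToKeep = @("YOUR_FIRST_CERT_THUMBPRINT"),
    [string]$BackupDirectory = "C:\Certificates\RootBackup",
    [switch]$Apply
)
if (-not (Test-Path $BackupDirectory)) { New-Item -Path $BackupDirectory -ItemType Directory | Out-Null }

# Normalize thumbprints as copied from certmgr (spaces, lower case) before comparing.
$keep = $ThumbprintsToKeep | ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() }
if ($keep -contains "YOUR_FIRST_CERT_THUMBPRINT") { throw "Replace the placeholder thumbprint first." }

$store = [System.Security.Cryptography.X509Certificates.X509Store]::new("Root", "LocalMachine")
$store.Open("ReadWrite")
$removed = 0
foreach ($cert in @($store.Certificates)) {
    if ($keep -contains $cert.Thumbprint.ToUpperInvariant()) {
        Write-Output "Keeping      : $($cert.Subject) [$($cert.Thumbprint)]"
        continue
    }
    # Back up as DER (.cer) so it can be restored with Import-Certificate if needed.
    $file = Join-Path $BackupDirectory "$($cert.Thumbprint).cer"
    if (-not (Test-Path $file)) { [IO.File]::WriteAllBytes($file, $cert.Export("Cert")) }
    if ($Apply) {
        Write-Output "Removing     : $($cert.Subject) [$($cert.Thumbprint)]"
        $store.Remove($cert)
        $removed++
    } else {
        Write-Output "Would remove : $($cert.Subject) [$($cert.Thumbprint)] (backup: $file)"
    }
}
$store.Close()
Write-Output ("{0} certificate(s) removed; backups in {1}" -f $removed, $BackupDirectory)
```

Run it once without -Apply to review what would be removed, then with -Apply; when scheduled via Task Scheduler, add -Apply to the script arguments.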
Retain only the required certificates
To prevent the list of certificates in the Trusted Root Certification Authorities store from being automatically refreshed, for instance in response to a Windows update, you have a few options at your disposal:
- It is possible to deactivate the automatic updates of the list of trusted root certificates. Open gpedit.msc and select Administrative Templates > System > Internet Communication Management, and then press Internet Communication settings. Double-click Turn off Automatic Root Certificates Update, click Disabled, and then click OK.
- As an alternative, you may choose to run the PowerShell script you have modified at a designated interval using the built-in Task Scheduler. The following configuration example demonstrates how to run the PowerShell script on a Windows Server 2019 with administrative privileges every 15 minutes.
- Type taskschd.msc or Task Scheduler in the search bar and press Enter
- Click on Create Task in the right Actions pane
- Now configure the following settings in the respective tabs of the Task Scheduler:
- General
- Name: Your Task Name
- Description: Your Task Description
- Run whether user is logged on or not
- Run with highest privileges
- Configure for: Windows Server 2019
- Triggers
- Begin the task: On a schedule
- Settings: Daily
- Start: Select start date and time
- Advanced settings: Repeat task every 15 minutes, for a duration of Indefinitely
- Actions
- Action: Start a program
- Program/script: powershell.exe
- e.g. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- Add arguments: -File "C:\Path\To\YourScript.ps1"
- Conditions
- Uncheck any conditions that may prevent task execution
- Settings
- Allow task to be run on demand
- Run task as soon as possible after a scheduled start is missed
- If the task fails, restart every 1 minute for 3 retries (or as desired)
- To finish, press OK and enter the credentials of an administrator when prompted