Matrix42 Self-Service Help Center

iOS IV: Use S/MIME Signing and Encryption

Prerequisites

  • Supported Server Operating Systems
    • Certificate Authority is installed on Windows Server 2008 R2
    • Certificate Authority is installed on Windows Server 2012
    • Certificate Authority is installed on Windows Server 2016 
  • Certification Authority Server needs the following configured roles
    • Certification Authority
    • Certification Authority Web Enrollment 
  • HTTPS binding configured for the Certification Authority web site (IIS binding on the Default Web Site)
  • Certification Authority and Silverback Server are joined to the same Active Directory domain
    • When a Cloud Connector is used to connect to a cloud-based environment, it is the Cloud Connector computer object that needs to be domain joined
  • Service account for publishing certificates into the Active Directory user object
  • Silverback computer object is added to the Silverback Mobile Device Manager and Silverback Enterprise Device Management groups
  • An enrolled iOS device

Certificate Authority

  • Log into your Certification Authority server

Create Enrollment Agent Certificate Template 

You may already have created the Enrollment Agent Certificate Template during the previous guide.

  • Open the Certification Authority MMC snap-in.
    • Choose from Server Manager > Tools > Certification Authority
    • Or run (Windows + R) MMC > Add/Remove Snap-In > Certification Authority > Add > Local Computer
  • Expand the console tree on the left until the Certificate Templates node is visible
  • Right Click Certificate Templates
  • Click Manage
  • Right Click Enrollment Agent in the middle pane
  • Click Duplicate Template
    • When Certificate Authority is running on Windows Server 2008 R2 you will be prompted to select the version
    • Select Windows Server 2003 Enterprise
    • Click OK
General
  • Navigate to General
  • Enter as Template Display Name: Silverback Enrollment Agent
  • Enter as Template name: SilverbackEnrollmentAgent (will be filled automatically)
Request Handling
  • Now navigate to Request Handling
  • Make sure that the configuration will be the following:
    • Purpose: Signature and encryption
    • Click Yes when prompted whether you want to change the certificate purpose
    • Include symmetric algorithms allowed by the subject: Enabled
    • Allow private key to be exported: Enabled
    • Select Enroll subject without requiring any user input
Subject Name
  • Navigate to Subject Name
  • Ensure the following values are configured:
    • Built from this Active Directory information: Enabled
    • Subject Name is set to Fully distinguished name
    • User principal name (UPN): Enabled
Security
  • Navigate to Security
  • Click Add
  • Enter the service account you want to use in "Enter the object names to select"
  • Click Check Names
  • Select the service account that you want to use 
  • Click OK
  • Allow Read and Enroll Permissions
  • Click OK to finish Template Configuration

Create User Certificate Template

  • Right Click User in the middle pane
  • Click Duplicate Template
    • When Certificate Authority is running on Windows Server 2008 R2 you will be prompted to select the Template version
    • Select Windows Server 2003 Enterprise
    • Click OK
General
  • Navigate to General
  • Enter as Template Display Name: Silverback User
  • Enter as Template name: SilverbackUser (will be filled automatically)
  • Uncheck Publish certificate in Active Directory
Request Handling
  • Navigate to Request Handling
  • Make sure that the configuration will be the following:
    • Purpose: Signature and encryption
    • Include symmetric algorithms allowed by the subject: Enabled
    • Allow private key to be exported: Enabled
    • Select Enroll subject without requiring any user input
Subject Name
  • Navigate to Subject Name
  • Enable Supply in the request
  • Click OK to confirm
Issuance Requirements
  • Navigate to Issuance Requirements
  • Ensure that CA certificate manager approval is unchecked
Extensions
  • Navigate to Extensions
  • Select Application Policies
  • Click Edit
  • Select Encrypting File System
  • Click Remove
  • Click OK

Client Authentication (1.3.6.1.5.5.7.3.2) and Secure Email (1.3.6.1.5.5.7.3.4) should be included

Security
  • Navigate to Security
  • Select Authenticated Users
  • Enable Read and Enroll Permissions
  • Click Add
  • Enter in the "Enter the object names to select": Silverback
  • Click Check Names
  • Select Silverback Enterprise Device Management
  • Click Ok
  • Enable Read and Enroll Permissions
  • Click OK to finish Template Configuration

Granting Enroll to Authenticated Users on a template that has Supply in the request enabled, carries the Client Authentication EKU and requires neither CA manager approval nor an enrollment agent signature lets any domain account request a certificate with a subject name of its choosing. Since it is the Silverback computer account that enrolls this template (see Check Certification Authority below), restrict Enroll to the Silverback Enterprise Device Management group unless other principals genuinely need it.

Create Signing Certificate Template

  • Right Click Exchange Signature Only in the middle pane
  • Click Duplicate Template
    • When Certificate Authority is running on Windows Server 2008 R2 you will be prompted to select the Template version
    • Select Windows Server 2003 Enterprise
    • Click OK
General
  • Navigate to General
  • Enter as Template Display Name: Silverback SMIME Signing
  • Enter as Template name: SilverbackSMIMESigning (will be filled automatically)
  • Enable Publish certificate in Active Directory
Request Handling
  • Navigate to Request Handling
  • Make sure that the configuration will be the following:
    • Purpose: Signature
    • Allow private key to be exported: Enabled
    • Select Enroll subject without requiring any user input
Subject Name
  • Navigate to Subject Name
  • Enable Supply in the request
  • Click OK to confirm
Issuance Requirements
  • Navigate to Issuance Requirements
  • Enable This number of authorized signatures and keep default value 1
  • Change Application policy to Certificate Request Agent
Security
  • Navigate to Security
  • Select Authenticated Users
  • Enable Read and Enroll Permissions
  • Click Add
  • Enter in the "Enter the object names to select": Silverback
  • Click Check Names
  • Select Silverback Enterprise Device Management
  • Click Ok
  • Enable Read and Enroll Permissions
  • Click OK to finish Template Configuration

Create Encryption Certificate Template

  • Right Click Exchange User in the middle pane
  • Click Duplicate Template
    • When Certificate Authority is running on Windows Server 2008 R2 you will be prompted to select the Template version
    • Select Windows Server 2003 Enterprise
    • Click OK
General
  • Navigate to General
  • Enter as Template Display Name: Silverback SMIME Encryption
  • Enter as Template name: SilverbackSMIMEEncryption (will be filled automatically)
  • Enable Publish certificate in Active Directory
Request Handling
  • Navigate to Request Handling
  • Make sure that the configuration will be the following:
    • Purpose: Encryption
    • Include symmetric algorithms allowed by the subject: Enabled
    • Allow private key to be exported: Enabled
    • Select Enroll subject without requiring any user input
Subject Name
  • Navigate to Subject Name
  • Enable Supply in the request
  • Click OK to confirm
Issuance Requirements
  • Navigate to Issuance Requirements
  • Enable This number of authorized signatures and keep default value 1
  • Change Application policy to Certificate Request Agent
Security
  • Navigate to Security
  • Select Authenticated Users
  • Enable Read and Enroll Permissions
  • Click Add
  • Enter in the "Enter the object names to select": Silverback
  • Click Check Names
  • Select Silverback Enterprise Device Management
  • Click Ok
  • Enable Read and Enroll Permissions
  • Click OK to finish Template Configuration

Issue Certificate Templates 

  • Navigate to Certification Authority window
  • Right Click Certificate Templates 
  • Select New
  • Click Certificate Template to Issue
  • Select Silverback Enrollment Agent
  • Click OK
  • Right Click Certificate Templates 
  • Select New
  • Click Certificate Template to Issue
  • Select Silverback User
  • Click OK
  • Right Click Certificate Templates 
  • Select New
  • Click Certificate Template to Issue
  • Select Silverback SMIME Signing
  • Click OK
  • Right Click Certificate Templates 
  • Select New
  • Click Certificate Template to Issue
  • Select Silverback SMIME Encryption
  • Click OK
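The following script is an added example and not part of the Matrix42 guide: it reads the four template objects from the configuration partition and compares them with the settings described above (EKUs, Supply in the request, CA manager approval, authorized signatures, publish to AD), then checks that the CA actually issues them. It assumes the template names used in this guide and a host with the ActiveDirectory module that can read the configuration partition; the flag bit values are the ones documented for the msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag attributes.

```powershell
# Added example, not part of the Matrix42 guide: verify the Silverback certificate templates
# in AD against the settings described in this guide and confirm the CA issues them.
Import-Module ActiveDirectory

$templatesDn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext

# Extended key usage OIDs referenced in the guide
$ClientAuth       = '1.3.6.1.5.5.7.3.2'
$SecureEmail      = '1.3.6.1.5.5.7.3.4'
$Efs              = '1.3.6.1.4.1.311.10.3.4'
$CertRequestAgent = '1.3.6.1.4.1.311.20.2.1'

# Template flag bits (msPKI-Certificate-Name-Flag and msPKI-Enrollment-Flag)
$ENROLLEE_SUPPLIES_SUBJECT = 0x1   # Subject Name: "Supply in the request"
$PEND_ALL_REQUESTS         = 0x2   # Issuance Requirements: "CA certificate manager approval"
$PUBLISH_TO_DS             = 0x8   # General: "Publish certificate in Active Directory"

# Settings the guide configures per template (names are the guide's; adjust if yours differ)
$expected = @{
  SilverbackEnrollmentAgent = @{ Eku = @($CertRequestAgent);         Supply = $false; RaSigs = 0 }
  SilverbackUser            = @{ Eku = @($ClientAuth, $SecureEmail); Supply = $true;  RaSigs = 0; Forbidden = @($Efs); Publish = $false }
  SilverbackSMIMESigning    = @{ Eku = @($SecureEmail);              Supply = $true;  RaSigs = 1; RaPolicy = $CertRequestAgent; Publish = $true }
  SilverbackSMIMEEncryption = @{ Eku = @($SecureEmail);              Supply = $true;  RaSigs = 1; RaPolicy = $CertRequestAgent; Publish = $true }
}

# Templates the CA currently issues, one "Name: Display Name -- ..." line per template
$issued = certutil -CATemplates | Out-String

foreach ($name in $expected.Keys) {
  $e = $expected[$name]
  $t = Get-ADObject -SearchBase $templatesDn -LDAPFilter "(cn=$name)" -Properties `
         pKIExtendedKeyUsage, 'msPKI-Certificate-Name-Flag', 'msPKI-Enrollment-Flag', `
         'msPKI-RA-Signature', 'msPKI-RA-Application-Policies'
  if (-not $t) { Write-Warning "$name : no template object found in AD"; continue }

  $problems = @()
  foreach ($oid in $e.Eku)       { if ($t.pKIExtendedKeyUsage -notcontains $oid) { $problems += "missing EKU $oid" } }
  foreach ($oid in $e.Forbidden) { if ($t.pKIExtendedKeyUsage -contains $oid)    { $problems += "EKU $oid (EFS) still present" } }

  $supply  = ($t.'msPKI-Certificate-Name-Flag' -band $ENROLLEE_SUPPLIES_SUBJECT) -ne 0
  $pending = ($t.'msPKI-Enrollment-Flag'       -band $PEND_ALL_REQUESTS)         -ne 0
  $publish = ($t.'msPKI-Enrollment-Flag'       -band $PUBLISH_TO_DS)             -ne 0
  $raSigs  = [int]$t.'msPKI-RA-Signature'

  if ($supply -ne $e.Supply) { $problems += "Supply in the request is $supply, expected $($e.Supply)" }
  if ($pending)              { $problems += "CA certificate manager approval is enabled; Silverback requests would stay Pending" }
  if ($raSigs -ne $e.RaSigs) { $problems += "authorized signatures = $raSigs, expected $($e.RaSigs)" }
  if ($e.RaPolicy -and ($t.'msPKI-RA-Application-Policies' -notmatch [regex]::Escape($e.RaPolicy))) {
    $problems += "issuance application policy is not Certificate Request Agent"
  }
  if ($e.ContainsKey('Publish') -and ($publish -ne $e.Publish)) { $problems += "Publish to AD is $publish, expected $($e.Publish)" }
  if ($issued -notmatch "(?m)^$name:") { $problems += "not in the CA's issued template list (certutil -CATemplates)" }

  # Least-privilege note: requester-supplied subject, no signature, no approval and the
  # Client Authentication EKU means every principal with Enroll can obtain a certificate
  # for an arbitrary subject name. Review the Security tab of such templates.
  if ($supply -and $raSigs -eq 0 -and -not $pending -and ($t.pKIExtendedKeyUsage -contains $ClientAuth)) {
    Write-Warning "$name : review who holds Enroll; limit it to the Silverback group if Authenticated Users do not need it"
  }

  if ($problems) { $problems | ForEach-Object { Write-Warning "$name : $_" } } else { Write-Host "$name : OK" }
}
```

Run it after the Issue Certificate Templates step; a template that is configured correctly but not yet issued is reported separately from one whose settings deviate from the guide, which keeps the two kinds of mistake apart when enrollment later fails.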

Create Enrollment Agent Certificate Request

  • Login to your Silverback or Cloud Connector server as a Local Administrator (not Active Directory Domain Account)
  • Open Internet Explorer
  • Enter URL for the Certification Authority Web Enrollment web site 
  • Click Continue to this website
  • Login with your Service Account 

If you do not see a login prompt, you are probably logged in with an Active Directory domain account.

  • Click Request a certificate
  • Click advanced certificate request
  • Click Create and submit a request to this CA
    • When Certificate Authority is running on Windows Server 2008 R2 you may not see this action
      • You will be redirected directly to the Submit a Certificate Request or Renewal Request action
      • Open Compatibility View Settings in Internet Explorer
      • Click Add to add your domain (e.g. imagoverum.com) and close the window
      • Navigate back to the Request a certificate step and try again (refresh your browser if necessary)
  • After a click Create and submit a request to this CA you should receive a pop-up with Web Access Confirm 
    • If you don't see this and your CSP keeps loading, open Internet Options
    • Navigate to Security
    • Select Trusted Sites
    • Click Sites
    • Click Add (your Certification Authority should be filled in automatically, e.g. ca.imagoverum.com)
    • Click Close
    • Click OK
    • Refresh the page; you should now see the pop-up
  • Click Yes
  • Change Certificate Template to Silverback Enrollment Agent
  • Click Submit
  • Click Yes

Install Certificate

  • Click Install this certificate
  • Your new certificate should be successfully installed

Export Certificate from Current User

  • Right click Windows Icon in taskbar
  • Click Run
  • Enter certmgr.msc
  • Click OK or press enter
  • Expand Personal
  • Expand Certificates
    • Right Click the installed certificate
    • Click All Tasks
    • Click Export
    • Click Next
    • Click Yes, export the private key
    • Click Next
    • Uncheck Include all certificates in the certification path if possible
    • Click Next
    • Enable Password
      • Enter a Password
      • Confirm Password
    • Click Next
    • Click Browse
    • Choose your location and save it as a *.pfx file
    • Click Next
    • Click Finish
    • Click OK

Import Certificate to Local Computer

  • Login to your Silverback or Cloud Connector server as a Domain Administrator
  • Right click Windows Icon in taskbar
  • Click Run
  • Enter certlm.msc
  • Click OK or press enter
  • Expand Personal
  • Expand Certificates
  • Perform a right click in the right pane
  • Select All Tasks
  • Select Import
  • Click Next
  • Click Browse
  • Select your *.pfx file

Change Search to All Files (*.*)

  • Click Open
  • Click Next
  • Enter your created password
  • Enable Mark this key as exportable
  • Click Next
  • Ensure that Personal is selected
  • Click Next
  • Click Finish
  • Click OK

Add Permission

  • Right click the new imported enrollment agent certificate
  • Select All Tasks
  • Select Manage Private Keys
  • Click Add
  • Enter network
  • Click Check Names
  • Select Network Service
  • Click OK
  • Click OK
  • Ensure that only Read is allowed
    • Uncheck Full control
  • Click Apply
  • Click OK

Read is all the Silverback service needs to sign certificate requests with this key. An enrollment agent key can request certificates on behalf of any user, so grant nothing beyond Read, and delete the exported *.pfx file from disk once the import has succeeded.
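The import and the private key permission can also be done from an elevated PowerShell on the Silverback or Cloud Connector server, which makes the result easy to verify. The script below is an added example, not code from the Matrix42 guide; the PFX path is an assumption, the password is prompted for, and it assumes the key was created with a Microsoft CSP through web enrollment as described above, so that its container file lives under the MachineKeys folder.

```powershell
# Added example, not part of the Matrix42 guide: import the enrollment agent PFX into the
# Local Computer store, grant NETWORK SERVICE read-only access to its private key, verify.
$pfxPath  = 'C:\Temp\SilverbackEnrollmentAgent.pfx'   # assumption: adjust to your export location
$password = Read-Host -AsSecureString 'PFX password'

$cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\LocalMachine\My `
          -Password $password -Exportable

# The certificate must be an enrollment agent certificate (Certificate Request Agent EKU)
if ($cert.EnhancedKeyUsageList.ObjectId -notcontains '1.3.6.1.4.1.311.20.2.1') {
  throw "Certificate $($cert.Thumbprint) carries no Certificate Request Agent EKU"
}

# Keys created by web enrollment with a Microsoft CSP are CAPI keys; the container file
# under MachineKeys carries the ACL that "Manage Private Keys" edits in the MMC.
$rsa = $cert.PrivateKey
if ($rsa -isnot [System.Security.Cryptography.RSACryptoServiceProvider]) {
  throw "Expected a CAPI (CSP) key; CNG keys are stored under $env:ProgramData\Microsoft\Crypto\Keys instead"
}
$keyPath = Join-Path (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys') `
                     $rsa.CspKeyContainerInfo.UniqueKeyContainerName
if (-not (Test-Path $keyPath)) { throw "Key container file not found: $keyPath" }

# Read is sufficient for the service to sign requests with the key. SetAccessRule replaces
# any existing Allow rule for the same identity, so a leftover Full control entry is removed.
$acl  = Get-Acl $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify: NETWORK SERVICE should be listed with Read and nothing else
$ns = (Get-Acl $keyPath).Access |
      Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\NETWORK SERVICE' }
$ns | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
if ($ns.FileSystemRights -match 'FullControl') { Write-Warning 'NETWORK SERVICE still has Full control on the key' }

# The PFX holds the exportable private key; remove it now that the import has succeeded
Remove-Item $pfxPath
```

The EKU check catches the common slip of exporting the wrong certificate from the Current User store, and the provider check matters because a CNG key would have to be handled under a different folder and would not appear where this script looks.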

Silverback

Add Certification Authority

  • Open your Silverback Management Console
  • Login as a Settings Administrator
  • Navigate to Certificates
  • Under Certificate Deployment enable Individual Client
  • Enter your Certificate Authority in the following format:
    • ca.imagoverum.com\domain-server-CA

Add Templates and Subject Names 

  • Under Templates add your previously issued User Certificate Template
    • e.g. SilverbackUser
  • Under S/MIME Settings add the following:
    • Encryption Template Name: SilverbackSMIMEEncryption
    • Encryption Certificate Subject Name: Use e.g. u_{firstname}.{lastname}_Encrypt
    • Signing Template Name: SilverbackSMIMESigning
    • Signing Certificate Subject Name: Use e.g. u_{firstname}.{lastname}_Signing
    • Agent Certificate: Select from the drop down list the previously created Enrollment Agent Certificate
  • Click Save
  • Confirm with OK 

From now on, Silverback will generate a certificate for every assigned Exchange ActiveSync profile.

Restart IIS

  • Run PowerShell with elevated privileges
  • Run the following command:
    • restart-service w3svc,silv*,epic*,mat*

Change User

  • Logout as Settings Administrator
  • Login as Administrator

Certificate Trusts

Create a new Certificate Trust Tag

  • Navigate to Tags
  • Click New Tag
    • Name it e.g. iOS Certificate Trusts
    • Enter as description e.g. Certificate Trusts for S/MIME (optional)
    • Enable Profile under Enabled Features
    • Enable your desired devices, e.g. iPhone or iPad
    • Click Save

Create Certificate Trust Profile

  • Navigate to Profile
    • Navigate to Exchange Certificate Trusts
    • Add all your required Root and Intermediate Certificates
  • Navigate to Definition
    • Click Associated Devices
    • Click Attach More Devices
    • Select your enrolled devices
    • Click Attach Selected Devices
    • Click OK
    • Click Close
    • Click Push to devices
    • Click OK

Check Device

  • On your device open Settings
    • Navigate to General
    • Navigate to Profiles & Device Management
    • Select Silverback MDM Profile
    • Select More Details
    • Check under Certificates if your Certificate Trust certificates are listed

Exchange Active Sync

Create a new Exchange ActiveSync Tag

  • Navigate to Tags
  • Click New Tag
    • Name it e.g. iOS Exchange ActiveSync 
    • Enter as description e.g. Exchange with certificate based authentication and S/MIME (optional)
    • Enable Profile under Enabled Features
    • Enable your desired device, e.g. iPhone or iPad
    • Click Save

Create Exchange ActiveSync Profile

  • Navigate to Profile
    • Navigate to Exchange ActiveSync
    • Click New Profile
    • Enter a Label Name: e.g. Imagoverum Exchange
    • Enter a Server Name: e.g. mail.imagoverum.com
    • Enable Certificate Distribution for signing certificates with the following settings: 
      • Enable S/MIME Signing and/or
      • Allow user to enable or disable S/MIME signing
    • Enable Certificate Distribution for encryption certificates with the following settings: 
      • Enable Enable S/MIME encryption by default and/or
      • Allow user to enable or disable S/MIME encryption
    • Configure Additional S/MIME Settings
    • Configure Additional Settings
    • Click Save
    • Click OK
  • Navigate to Definition
    • Click Associated Devices
    • Click Attach More Devices
    • Select your enrolled devices
    • Click Attach Selected Devices
    • Click OK
    • Click Close
    • Click Push to devices
    • Click OK

Check Device

  • On your device open Settings
    • Navigate to General
    • Navigate to Profiles & Device Management
    • Select Silverback MDM Profile
    • Select More Details
      • You should now see two new certificates
        • e.g. u_Tim.Tober_Encrypt
        • e.g. u_Tim.Tober_Sign
    • Tap on the top Profile
    • Navigate to Accounts
    • Your previously created Exchange Account should be listed
    • Tap on the Account
    • Check your configured S/MIME Settings
  • Open Mail
    • You should be logged in automatically
    • You should now receive emails

Check Certification Authority

  • Go back to your Certification Authority
    • Navigate to Issued Certificates
    • Right click and click refresh
    • First, you should now see a newly issued certificate with the requester name Domain\Silverback$ from the SilverbackUser template
    • Second, you should now see a newly issued certificate with the user's requester name (e.g. tim.tober) from the Silverback SMIME Encryption template
    • Third, you should now see a newly issued certificate with the user's requester name (e.g. tim.tober) from the Silverback SMIME Signing template

Check Active Directory

  • Open Active Directory User and Computers
  • Open your corresponding User Object
  • Navigate to Published Certificates
    • Here you should see 2 new certificates
  • As an alternative navigate to Attribute Editor
    • Scroll down to userCertificate
    • Click Edit
    • Here you should see the new certificates as binary (DER-encoded) values displayed in hexadecimal; they are not encrypted
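Both checks can be scripted. The block below is an added example and not part of the Matrix42 guide: it lists the issued certificates per template from the CA database and decodes the certificates stored in the user's userCertificate attribute. The user name and template names are assumptions taken from this guide; it is meant to run on the CA (certutil -view reads the CA database) with the ActiveDirectory module available.

```powershell
# Added example, not part of the Matrix42 guide: show what the CA issued for each Silverback
# template and decode the certificates Silverback published to the user object.
Import-Module ActiveDirectory
$user = 'tim.tober'   # assumption: the enrolled user from this guide

$templatesDn = 'CN=Certificate Templates,CN=Public Key Services,CN=Services,' +
               (Get-ADRootDSE).configurationNamingContext

foreach ($name in 'SilverbackUser', 'SilverbackSMIMEEncryption', 'SilverbackSMIMESigning') {
  # The CA database records version 2 templates by their OID, so resolve it from AD first
  $oid = (Get-ADObject -SearchBase $templatesDn -LDAPFilter "(cn=$name)" `
            -Properties 'msPKI-Cert-Template-OID').'msPKI-Cert-Template-OID'
  Write-Host "== $name ($oid) =="
  # Disposition 20 = issued; drop that restriction to see requests in other states as well
  certutil -view -restrict "CertificateTemplate=$oid,Disposition=20" `
           -out 'RequestID,RequesterName,CommonName,NotAfter'
}

# userCertificate holds DER-encoded certificates (binary, not encrypted); decode each one
$u = Get-ADUser -Identity $user -Properties userCertificate
foreach ($der in $u.userCertificate) {
  $x = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
  # 1.3.6.1.4.1.311.21.7 is the Certificate Template Information extension
  $tplExt  = $x.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
  $tplText = if ($tplExt) { $tplExt.Format($false) } else { '(no template extension)' }
  $ku      = $x.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
  [pscustomobject]@{
    Subject    = $x.Subject
    Template   = $tplText
    KeyUsage   = if ($ku) { $ku.KeyUsages } else { '(none)' }
    EKU        = ($x.EnhancedKeyUsageList.FriendlyName -join ', ')
    NotAfter   = $x.NotAfter
    Thumbprint = $x.Thumbprint
  }
}
```

The decoded output should show exactly the two S/MIME certificates for the user: the encryption certificate with Key Encipherment in its key usage and the signing certificate with Digital Signature, both with Secure Email as EKU. The SilverbackUser certificate does not appear here because its template was configured not to publish to Active Directory.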

Swap Certificates and send mails

  • On your first device open Mail
    • Create a new Message
    • Enter the Email address of your S/MIME partner
    • Ensure that the Mail will be unencrypted (Lock Symbol)
    • Enter as Subject e.g. Signing Certificate Exchange
    • Enter something as a Text
    • Send the email to your S/MIME Partner
  • On your S/MIME Partner Device 
    • Open the sent mail
    • Tap on the Sender's Name
    • Select View Encryption Certificate
      • Click Install
      • Click Done 
    • Write a new mail to your S/MIME partner
      • Enter the Email address of your S/MIME partner
      • Ensure that the Mail will be unencrypted (Lock Symbol)
      • Enter as Subject e.g. Signing Certificate Exchange
      • Enter something as a Text
      • Send the email to your S/MIME Partner
  • On first S/MIME Partner Device 
    • Open the sent mail
    • Tap on the Sender's Name
    • Select View Encryption Certificate
      • Click Install
      • Click Done 
    • Write a new mail to your S/MIME partner
      • Enter the Email address of your S/MIME partner
      • Ensure that the Mail will be encrypted this time (Lock Symbol)
      • Enter as Subject e.g. Encrypted Message
      • Enter as Text e.g. This is an encrypted message
      • Send the email to your S/MIME Partner
  • On your S/MIME Partner Device 
    • Open the new message
    • You should be able to read the encrypted message
    • Cross-check on any other available device: there you should not be able to read the message, because that device does not hold the private key of the encryption certificate the message was encrypted to.