Matrix42 Self-Service Help Center

Mail Gateway Integration XI: Enterprise Certificate Authentication

Self Signed Certificate

Use OpenSSL or another suitable certificate generation tool to create a client certificate. The certificate must have the “Client Authentication” key usage. On a Windows desktop or server in an environment with a Microsoft Certificate Authority, the “certreq” tool can be used with the following steps.

Create .inf File

  • Open any text editor, e.g. Notepad++
  • Insert the following template
[NewRequest]
Subject = "CN=imagoverum.com"
Exportable = TRUE
RequestType = CMC
KeyLength = 2048
ProviderType = 24
[RequestAttributes]
CertificateTemplate = "User"
SAN="upn=eas@imagoverum.com&email=eas@imagoverum.com"
  • Adjust the following values
    • Subject: Change the value to the desired certificate subject text
    • CertificateTemplate: Enter a template name that your Certificate Authority will recognize as a User Certificate template.
    • SAN: Change the UPN and Email attributes to values that will be recognizable in your environment. The value is not critical, but it should be clear to users looking at the certificate that its purpose is for the Mail Gateway
  • After making the changes, save the file as certreq.inf
  • Save the file under e.g. C:\temp\

Request a Certificate

  • Open Command Prompt as an Administrator
  • Execute the following command
certreq -new C:\temp\certreq.inf C:\temp\certreq.req
  • Under C:\temp a new file should have been created with the name certreq.req
  • Adjust the following command to use your Certification Authority and execute it
certreq -submit -config "ca.imagoverum.com\Imagoverum-CA" C:\temp\certreq.req C:\temp\certificate.cer
  • Under C:\temp a new file should have been created with the name certificate.cer

Import Certificate

If you performed these steps on a machine other than the Mail Gateway server, copy the certificate.cer file to the Mail Gateway server before proceeding with the next steps.

  • Navigate to your Mail Gateway Server
  • Right Click the certificate.cer file
  • Select Install Certificate
  • Change Store Location to Local Machine
  • Click Next
  • Select Place all certificates in the following store
  • Click Browse
  • Select Trusted Root Certification Authorities
  • Click OK
  • Click Next
  • Click Finish
  • Confirm with Yes

Change Registry Settings

It is recommended to back up the registry before making any modifications to it.

  • Open any text editor, e.g. Notepad++
  • Insert the following template
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"ClientAuthTrustMode"=dword:00000002
"SendTrustedIssuerList"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443]
"DefaultSslCertCheckMode"=dword:00000000
  • Save the file as security.reg
  • Execute the file after saving to import these values to your registry
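
A read-only check of the certificate and registry steps above, as an added PowerShell example that is not part of the original article. It confirms that certificate.cer carries the Client Authentication enhanced key usage, shows its SAN and validity, and compares the registry values with the template. The path and expected values are the article's own examples; run it on the Mail Gateway server.

```powershell
# Added example: read-only verification, run in an elevated PowerShell session.
# Path and expected values are the article's examples; adjust to your environment.
$cerPath       = 'C:\temp\certificate.cer'
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath

# 1. The certificate must list Client Authentication in its Enhanced Key Usage.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @()
if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

# 2. SAN (UPN / email from certreq.inf) and validity window.
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
$san    = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
$now    = Get-Date

# 3. Was the certificate installed into the Local Machine root store?
$inRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint })

[pscustomobject]@{
    Subject         = $cert.Subject
    Issuer          = $cert.Issuer
    Thumbprint      = $cert.Thumbprint
    HasClientAuth   = ($ekuOids -contains $clientAuthOid)
    WithinValidity  = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
    SAN             = $san
    InLocalMachineRoot = $inRoot
} | Format-List

# 4. Registry values from security.reg (expected values taken from the template).
$schannel = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$binding  = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443'
$expected = @(
    @{ Key = $schannel; Name = 'ClientAuthTrustMode';     Value = 2 },
    @{ Key = $schannel; Name = 'SendTrustedIssuerList';   Value = 0 },
    @{ Key = $binding;  Name = 'DefaultSslCertCheckMode'; Value = 0 }
)
foreach ($e in $expected) {
    # Registry.GetValue returns $null when the key or value is missing.
    $actual = [Microsoft.Win32.Registry]::GetValue($e.Key, $e.Name, $null)
    [pscustomobject]@{ Name = $e.Name; Expected = $e.Value; Actual = $actual
                       Match = ($null -ne $actual -and $actual -eq $e.Value) }
}
```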

Additional Steps for Windows Server 2022 

  • Open Internet Information Services (IIS) Manager
  • Expand your Server
  • Expand Sites
  • Right Click Default Web Site
  • Click Edit Bindings
  • Double-click the https entry
  • Activate the Disable TLS 1.3 over TCP checkbox 
  • Click OK
  • Click Close
  • Restart IIS