Private Certificate Authority

With your own certificate authority (CA), certificates for your e-mail aliases can be created automatically by the appliance.
The advantage of this is that you save costs for the purchase of certificates as well as for administration.

The disadvantage is that the mail recipient must have imported your root certificate once so that your certificates can be recognised as valid.
Another disadvantage is that certificates created in this way cannot be checked via CRL or OCSP.

To use your own private certificate authority (CA), the following steps are necessary:

  1. Right-click on Private Certificate Authorities in the MailSealer area and select "Create".
  2. You can now either:
    • Create a new CA certificate: enter the name of the CA, select the option "Generate new CA certificate", assign a valid X.509 name (e.g. o=reddoxx) and set the validity period of the CA certificate to be created (default is 10 years).
    • Upload an existing CA certificate: enter the name of the CA, select the option "Upload an existing certificate" and enter the certificate with the corresponding password.
  3. Confirm with "Create Certificate Authority". The new CA is created and listed by its name in the overview of Certificate Authorities.
  4. You have to set a CA as active to use it (right-click => set active).
    The activated authority will then automatically create certificates whenever a corresponding MailSealer policy requires them.
    Only one authority can be active at a time.
  5. Change to the "MailSealer Settings" and make sure that S/MIME is activated, confirm with "Apply settings".
  6. Go to the MailSealer "Policies" section and define at least one outgoing MailSealer policy.
  7. To make the generated root CA available to other communication partners, select the corresponding CA and click on "Export CA Certificate".
    IMPORTANT: Do not export the root CA with the private key. When you provide the root CA to communication partners, select no at the query "Do you want to include the private key".
    • You can use multiple certification authorities, but only one can be active at a time.
    • If no longer needed, certification authorities can be removed via right-click => Delete.
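
Before an exported file from step 7 is handed to communication partners, it can be checked for private key material. The following is an added example, not part of the product or its documentation: a heuristic check of the PEM/DER structure of a file. All function names are hypothetical, the sample bytes are constructed stubs, and because the export format is not stated here the check accepts both PEM and raw DER.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _der_header(buf, pos=0):
    """Return (tag, offset of the value) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                        # short-form length
        return tag, pos + 2
    return tag, pos + 2 + (first & 0x7F)    # long form: skip the length octets

def classify_der(der):
    """Heuristic: judge the outer ASN.1 shape; this is not a full X.509 parse."""
    try:
        outer_tag, inner_at = _der_header(der)
        inner_tag, deeper_at = _der_header(der, inner_at)
        if outer_tag == 0x30 and inner_tag == 0x02:
            # Leading version INTEGER: PKCS#12, PKCS#8, PKCS#1 and SEC1 keys.
            return "private-key-container"
        if outer_tag == 0x30 and inner_tag == 0x30 and der[deeper_at] in (0xA0, 0x02):
            # SEQUENCE { SEQUENCE { [0] version or INTEGER serial ... } }
            return "certificate-like"
    except IndexError:                      # truncated or empty input
        pass
    return "unknown"

def audit_export(data):
    """Return (label, classification) for every object found in the file."""
    blocks = PEM_BLOCK.findall(data.decode("latin-1"))
    if not blocks:                          # no PEM armor: treat as raw DER
        return [("DER", classify_der(data))]
    return [(label, "private-key-container" if "PRIVATE KEY" in label
             else classify_der(base64.b64decode(body)))
            for label, body in blocks]

def safe_to_distribute(data):
    """True only if every object in the file looks like a bare certificate."""
    return all(kind == "certificate-like" for _, kind in audit_export(data))

def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n".encode()

# Constructed stubs (not real certificates or keys): only leading DER headers.
CERT_STUB = bytes.fromhex("300a3008a003020102020101")
KEY_STUB = bytes.fromhex("3003020100")      # SEQUENCE { INTEGER 0 }
PFX_STUB = bytes.fromhex("3003020103")      # SEQUENCE { INTEGER 3 }, as in PKCS#12
```

Run `safe_to_distribute(open(path, "rb").read())` on the exported file; anything other than `True` means the file should not leave the administrator's workstation until it has been inspected with a full X.509 tool.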