Email certificates
Introduction to email certificates in ConSol CM
Emails which are sent to ConSol CM and received by ConSol CM can be encrypted using standard S/MIME encryption. Server certificates are used to decrypt incoming emails. Client certificates are used to encrypt outgoing emails.
Concepts, terms and definitions
Concept | Other terms | Definition
---|---|---
client certificate | | Certificate used to encrypt emails
server certificate | | Certificate used to decrypt emails
mail server | | Software to transfer email messages between clients, not part of ConSol CM.
Purpose and usage
Server certificates are used to decrypt incoming emails. They can be imported from PKCS #12 files with the extension .p12 or .pfx. They are password-protected and contain both the public key and the private key of the email address which receives emails in ConSol CM. You need to import server certificates for all email addresses which belong to accounts defined in the Accounts tab of the Email configuration page (see Email configuration).
Client certificates are used to encrypt outgoing emails. They can be imported from X.509 files (Base64-encoded) with the extension .cer, .crt, .der or .pem. They contain the public key of the email addresses to which emails are sent from ConSol CM, i.e. the email addresses of the contacts. Client certificates can be either imported manually on the Email certificates page or retrieved on-the-fly from LDAP, see Configuring LDAP for retrieving client certificates.
Email encryption is configured using system properties and email certificates, see Configuring email encryption.
Available information for email certificates
The following information is available for both client and server certificates:
- Serial number: Serial number of the certificate
- Valid from: Start date of the validity of the certificate
- Valid to: End date of the validity of the certificate
- Email address: Address of the email account
Basic tasks
Configuring email encryption
Please proceed as follows to set up email encryption:
- Set the system property cmas-core-server, mail.encryption to true. This enables email encryption for the entire system.
- Set the page customization attribute mailEncryptionAvailable in the type mailTemplate to true if the users should be allowed to decide whether the email should be encrypted or not when writing an email.
- Import server certificates to decrypt incoming emails in the Server tab. Click the Import certificate button and select the certificate from the file system. You need to enter the password of the certificate to import it.
- Import client certificates to encrypt outgoing emails in the Client tab. Click the Import certificate button and select the certificate from the file system.
The certificates are validated before the import. If there are any incompatibilities, the certificate is not imported.
If Java 8 is used, the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files have to be installed on the ConSol CM server and on the computer where the Web Admin Suite is used.
Sending encrypted emails
If email encryption is configured, outgoing emails are encrypted by default. The checkbox Send encrypted is displayed above the email editor in the Web Client and is selected by default. The user can deselect it if the email should not be encrypted. If an email sent from a script should not be encrypted, you can use the method disableEncryption() from the class Mail to send an unencrypted email.
Advanced tasks
Configuring LDAP for retrieving client certificates
If the client certificates are stored in an LDAP repository in the correct format, they can be retrieved automatically when sending an email to the respective address.
The following system properties must be set:
- cmas-core-server, ldap.certificate.basedn
- cmas-core-server, ldap.certificate.searchattr
- cmas-core-server, ldap.certificate.content.attribute
If LDAP is configured, the certificates from LDAP are used if no valid client certificate has been imported in the Client tab of the Email certificates page. If no valid certificate is found in LDAP either, the email is sent unencrypted.
The email address must be specified in the attribute SubjectDN (E= or EMAILADDRESS=) or in the X509v3 Subject Alternative Name element from the Extensions section of the certificate.
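The following script is an added example, not part of ConSol CM, showing the check an administrator can run on a client certificate before importing it or storing it in LDAP: it reads the serial number and validity window listed on the Email certificates page and verifies that the recipient address appears either in the subject DN (EMAILADDRESS) or in the X509v3 Subject Alternative Name, as described above. It assumes the third-party Python `cryptography` package; the self-signed certificate it builds is constructed for the demonstration only.

```python
"""Check whether an X.509 client certificate is usable for S/MIME encryption to an
address: inside its validity window and carrying the address in the subject DN
(E= / EMAILADDRESS=) or the Subject Alternative Name. Needs the `cryptography` package."""
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

def _utc(cert, attr):  # newer cryptography has aware *_utc properties, older only naive ones
    value = getattr(cert, attr + "_utc", None)
    return value or getattr(cert, attr).replace(tzinfo=timezone.utc)

def certificate_addresses(cert: x509.Certificate) -> set:
    """Every email address the certificate is issued for, lower-cased for comparison."""
    addrs = {a.value for a in cert.subject.get_attributes_for_oid(NameOID.EMAIL_ADDRESS)}
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        addrs.update(san.get_values_for_type(x509.RFC822Name))
    except x509.ExtensionNotFound:
        pass  # an address only in the subject DN is still acceptable
    return {a.lower() for a in addrs}

def check_client_certificate(pem: bytes, address: str, now: datetime = None) -> dict:
    """Return the details the Email certificates page lists plus a usability verdict."""
    cert = x509.load_pem_x509_certificate(pem)
    now = now or datetime.now(timezone.utc)
    not_before, not_after = _utc(cert, "not_valid_before"), _utc(cert, "not_valid_after")
    emails = certificate_addresses(cert)
    return {
        "serial_number": format(cert.serial_number, "x"),
        "valid_from": not_before,
        "valid_to": not_after,
        "email_addresses": sorted(emails),
        "usable": not_before <= now <= not_after and address.lower() in emails,
    }

def make_test_certificate(address: str, days_valid: int) -> bytes:
    """Constructed self-signed certificate for trying the check (not a real contact's)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example contact"),
                      x509.NameAttribute(NameOID.EMAIL_ADDRESS, address)])
    start = datetime.now(timezone.utc) - timedelta(days=1)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + timedelta(days=days_valid))
            .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(address)]), critical=False)
            .sign(key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM)
```

A certificate that fails this check would not match the contact's address at send time, so ConSol CM would fall back to LDAP and finally send the email unencrypted.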