Email certificates
Emails which are sent to or received by ConSol CM can be encrypted using standard S/MIME encryption. There are two kinds of certificates:
- Server certificates: Decrypt incoming emails
- Client certificates: Encrypt outgoing emails
Server certificates can be imported from PKCS #12 files with the extension .p12 or .pfx. They are password-protected and contain both the public key and the private key of the email address which receives emails in ConSol CM. You need to import server certificates for all email addresses which belong to accounts defined in the Accounts tab of the Email configuration page (see Email configuration).
Client certificates can be imported from X.509 files (Base64-encoded) with the extension .cer, .crt, .der or .pem. They contain the public key of the email addresses to which emails are sent from ConSol CM, i.e. the email addresses of the contacts. Client certificates can be either imported manually on the Email certificates page or retrieved on-the-fly from LDAP, see Configuring LDAP for retrieving client certificates.
Email encryption is configured using system properties and email certificates, see Configuring email encryption.
Available information for email certificates
The following information is available for both client and server certificates:
- Serial number: Serial number of the certificate
- Valid from: Start date of the validity of the certificate
- Valid to: End date of the validity of the certificate
- Email address: Address of the email account
Basic tasks
Configuring email encryption
Please proceed as follows to set up email encryption:
- Set the system property cmas-core-server, mail.encryption to "true". This enables email encryption for the entire system.
- Set the page customization attribute mailEncryptionAvailable in the type mailTemplate to "true" if the users should be allowed to decide whether the email should be encrypted or not when writing an email.
- Import server certificates to decrypt incoming emails in the Server tab. Click the Import certificate button and select the certificate from the file system. You need to enter the password of the certificate to import it.
- Import client certificates to encrypt outgoing emails in the Client tab. Click the Import certificate button and select the certificate from the file system.
The certificates are validated before the import. If there are any incompatibilities, the certificate is not imported.
Sending encrypted emails
If email encryption is configured, outgoing emails are encrypted by default. The checkbox Send encrypted is displayed above the email editor in the Web Client and is selected by default. The user can deselect it if the email should not be encrypted. If an email sent from a script should not be encrypted, you can use the method disableEncryption() from the class Mail to send an unencrypted email.
Advanced tasks
Configuring LDAP for retrieving client certificates
If the client certificates are stored in an LDAP repository in the correct format, they can be retrieved automatically when sending an email to the respective address.
The following system properties must be set:
- cmas-core-server, ldap.certificate.basedn
- cmas-core-server, ldap.certificate.searchattr
- cmas-core-server, ldap.certificate.content.attribute
If LDAP is configured, the certificates from LDAP are used if no valid client certificate has been imported in the Client tab of the Email certificates page. If no valid certificate is found in LDAP either, the email is sent unencrypted.
The email address must be specified in the attribute SubjectDN (E= or EMAILADDRESS=) or in the X509v3 Subject Alternative Name element from the Extensions section of the certificate.