Certificates and Certificate Authorities

Certificates

Certificates used by the appliance are public key certificates known as X.509 certificates. These encryption keys are associated with a specific identity or organization, and they allow the identity of the certificate holder to be verified. Identity verification is an important component of ensuring secure communication. Without it, it is possible for even encrypted communication to be redirected or compromised by an untrustworthy third party.

To help prevent this, the Email Appliance can:
  • Use certificates signed by an agency known as a trusted certificate authority (CA) to present a verifiable identity to other hosts. This helps ensure secure access to the Email Appliance's Administrative User Interface and End User Web Quarantine, and enables hosts that support transport layer security (TLS) email encryption to confirm the identity of the Email Appliance when exchanging encrypted email with it.
  • Be configured to trust additional certificate authorities, by obtaining identifying certificates associated with them. This allows you to expand the range of identities that you would like the Email Appliance to communicate with.
    Note
    The Email Appliance uses the certificates associated with CA's only to verify the identify of each CA. While similar to the certificates presented by the Email Appliance to other hosts, they are managed separately, and you should distinguish between them.
The Email Appliance can have up to four certificates at one time, including the default self-signed certificate (see below). Different certificates can be used for different roles, including the Administrative User Interface, the End User Web Quarantine, and TLS email encryption.
Certificates include information such as the hostname they are to be used with, a digital signature from a certificate authority, a start date, and an expiry date. To be considered valid, a certificate must:
  • not yet be expired.
  • have a digital signature from a trusted certificate authority.
  • have a hostname associated with it that matches the hostname of the machine that is using the certificate.
    Note
    If your Email Appliance has several hostnames associated with it, it is important that you ensure the hostname presented to other machines matches your certificate(s) exactly.

By default, the Email Appliance uses what is known as a self-signed certificate. A self-signed certificate is a certificate that has been signed by the creator of a certificate, rather than by a third-party CA. This can be useful for providing encryption functionality when verification of the host's identity by an external CA is not needed. In this case, the host acts as its own CA. This can be the case when the Email Appliance needs to verify its identity to a limited set of hosts, such as communication within a company, or with business partners.

About Certificate Authorities (CA's)

Certificate authorities are trusted third parties. They can be root authorities (i.e. explicitly trusted). They can have identities that can be verified by checking with other trusted certificate authorities (such as the root authorities). Or you can choose to designate a CA as trusted (such as an authority within your organization).

The list of trusted certificate authorities included with the Email Appliance is not exhaustive. For example, a new CA may have begun operations recently, but is still considered a trusted certificate authority. This does not mean the Email Appliance will be unable to use unknown CA's, only that you will need to add them to the Email Appliance's list of trusted CA's.

The Email Appliance's certificate authorities can be managed in the Trusted Certificate Authorities section of the Configuration > Policy > Certificates page.

Note
Sophos maintains a list of trusted certificate authorities for the Email Appliance . You can view, but can not add or delete CA's from this list . You can manage additional CA's from the Trusted Certificate Authorities section of the Configuration > Policy > Certificates page.

Example: Exchanging Encrypted Email With A Business Partner

You and a business partner want to exchange encrypted email, and it is important to you that you can always verify the identity of their mail relays. Since the business partner rarely uses encrypted email except when exchanging email with you, they do not wish to purchase a certificate from a commercial vendor. They also would like you to have the ability send encrypted email to other mail relays they plan to add in the future. By adding your business partner as a certificate authority, you will be able to verify the identity of any new mail relay they decide to deploy, provided they have signed the new mail relay's certificate.

To add your business partner as a trusted certificate authority:

  1. Obtain a copy of your business partner's certificate. This must be in Privacy-Enhanced Mail (PEM) format.
  2. In the Trusted Certificate Authorities section of the Configuration > System > Certificates page, click on Configure. The Trusted Certificate Authorities dialog box is displayed.
  3. Click on the Locally Managed tab. A list of trusted certificate authorities is displayed.
  4. Click Add. The Add Certificate Authorities dialog box is displayed.
  5. In the Description text box, enter a descriptive name for the CA (your business partner in this example) .
  6. Either paste the CA certificate in the Paste Certificate text box, or select Import Certificate to import the CA certificate from a file.
  7. Click OK.

Your business partner is now listed as a Trusted Certificate Authority.

Example: Re-using An Existing Certificate

Your organization has already purchased a certificate from a vendor for a previous mail relay, and now wishes to re-use it for the Email Appliance.

  1. On the Configuration > System > Certificates page, click Add. The Add certificate dialog is displayed.
  2. Select Upload existing certificate and private key and click Next. The Upload certificate dialog box is displayed.
  3. In the Description text box, enter a descriptive name for the certificate.
  4. Select Paste to copy and paste the certificate in the text box, or, select Import Certificate to import the certificate from a file.
  5. Click Next. The certificate is now displayed in the list of available certificates.
  6. To use the new certificate for email encryption, navigate to the Trusted Certificate Authorities section of the System:Certificates page, and select the Encrypt Email role for the new certificate.

Your Email Appliance will now offer the new certificate when another mail relay requests to send encrypted email to the Email Appliance.