CommuniGate Pro
Version 6.1
SysAdmin
 
 
PKI

Public Key Infrastructure

Regular ("classical") cryptography methods use data blocks called "secret keys". Information encrypted using some "secret key" can be decrypted by anyone who knows the encryption method and posses the same "secret key". This type of cryptography is called symmetric cryptography.

An alternative cryptography method is based on key pairs - a "private key" and a "public key". These keys must be generated together using special algorithms. Any information encrypted with the "private key" can be decrypted by anyone who knows the matching "public key", and any information encrypted with the "public key" can be decrypted using the matching "private key".
The Public Key Infrastructure (PKI) is the technology based on this asymmetric cryptography.


PKI Terminology

Private Key
A block of data (a large binary number) generated using one of the PKI algorithms. Each party taking part in secure communications should keep its Private Key securely. This key should never be transferred between communication parties.
Public Key
A block of data (a large binary number) generated together with the Private Key. Each party taking part in secure communications can and should distribute its Public key openly. It is assumed that Public Key can be learned by anyone, including hostile entities. Public Keys are usually distributed in the form of Certificates.
Data Digest
A relatively small block of data calculated by applying a special digest function to the original (usually larger) data block.
Data Signature
A Digest of the Data block encrypted using the Private Key of the Signer.
Signed Data
A data block with attached Signature of that block. A party receiving Signed Data can verify that the data block has not been modified in transit by using the Public Key of the Signer to decrypt the Signature and to compare the resulting Data Digest with the Data Digest it calculated itself.
Certificate
A data block with containing the name of the Certificate owner (called Certificate Subject), the Public Key of the owner, the name of the Certificate Issuer, the serial number of the Certificate, and some additional data elements. This data block is signed by the Issuer.
Certificates play the role of Digital ID cards.
Issuer
A party that issues Certificates for other parties, signing them with the Private Key of the Issuer. Issuers are also called Certificate Authorities. Each certificate generated by a certain Issuer has a unique serial number.
Trusted Authorities
A list individually maintained by a communication party. Each list element contains the name of a "trusted authority" and its Public Key.
When a party receives any Certificate, it can check if the Certificate Issuer is included into the "trusted authority" list, and that the Certificate Signature can be verified using that "trusted authority" Public Key.
Modern operating systems allow users to securely maintain Trusted Authorities databases on their desktops.
Root Authorities
Globally recognized Certificate Authorities. Most modern operating systems pre-insert several Root Authorities into the client Trusted Authorities databases, making Root Authorities trusted by all client computers running these operating systems.
Authority Chain
A set of Issuer Certificates for a certain Certificate.
Some Authority X may be not widely accepted as a "trusted one", but its Certificate may be issued by a more widely trusted Authority Y. In this case Certificates issued by X won't be widely accepted, but if those Certificates are sent together with the X own Certificate, issued by Y, then these Certificates may be accepted by all parties that trust Y.
Self-Signed Certificate
A Certificate issued by a party for itself. The Subject and Issuer of such a Certificate are the same. The Self-Signed Certificate contains the party Public Key and is signed using the Private Key of the same party.
Self-Signed Certificates can be trusted only if other parties explicitly include them into their lists of "trusted authorities".
Multiparty Encryption
An encryption method used to send data to parties with known Certificates. A single encrypted messages can be independently decrypted by any party that possesses a Private Key matching one of the Certificates used for encryption.

Domain PKI Settings

Each CommuniGate Pro Domain has its own PKI settings. They include a Private Key associated with the Domain and Certificates containing the matching Public Keys.

To configure the Domain PKI settings, use the WebAdmin Interface to open the Domain Settings page for the target Domain, and click the Security link. The PKI page will appear:

PKI Services

This option allows you to specify the PKI Mode for this Domain:

Disabled
If this option is selected, PKI Functions for this Domain are disabled. If this option is selected, all other Domain PKI settings have no effect.
Test
If this option is selected, the Server-wide Test Private key and Test Certificate are used for this Domain. You do not have to configure any other Domain PKI settings if this option is selected. Use this mode for testing purposes only.
The Server-wide Test Certificate uses the Server Main Domain name as its Subject and CommuniGate Systems, Inc. as the Issuer. The Test Certificate expires 30 days after the last Server restart time.
Enabled
If this option is selected, the Domain PKI functions are enabled.

Assigning a Private Key

Initially CommuniGate Pro Domains do not have any Private Keys assigned. You should select the size of the key and click the Generate Key button to create a random Private Key and assign it to the Domain.

Private Key
Size:  

Note: depending on your server hardware platform, it can take up to several seconds to generate a 2048-bit Key.

Only after you assign a Private Key, the Certificate-related fields will appear on the Security page.

You can use any third-party program to generate a Private Key. You should instruct that program to output the Private Key in the PEM format (as shown below).
Select the Import option in the Size: menu and click the Generate Key button. A text field appears. Copy the PEM-encoded Key (in the RSA or PKCS#8 format) into that text field, and click the Generate Key button:

Private Key
Size:  
Enter a PEM-encoded Private Key:

Note: Make sure that the key you import is not password-encrypted. Something like the following starting lines:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,90C96A721C4E4B0B

GzLyio+Or3zXm1N7ILWlYDsR6cgPlzHomAxi6aeUthl4lSqBHaqMlh+/76I/6sNx
.................
indicate that the Private Key is encrypted and it cannot be imported into the Server.

If the Private Key is set correctly, and the Key can be used for public/private key cryptography, you will see the following panel:

Private Key
Key Size:512 bit 
Encryption Test:Verification String is OK

If the Key Test field indicates an error, the imported Private Key cannot be used for public/private key cryptography.

Use the Remove button if you want to remove the entered Domain Private Key. Since the Domain Certificate can be used with one and only one Private Key, it becomes useless when you delete the Private Key, so the existing Domain Certificate will be removed, too.

Assigning a Certificate

A Domain must have a Certificate to support PKI functions.

The Domain Certificate name (the Common Name part of the Certificate Subject field) should match the domain name used by client applications.
If a CommuniGate Pro Domain has Domain Aliases, attempts to connect to the Server using a Domain Alias name will result in warning messages on the client workstations notifying users about the name mismatch. Since a Certificate can contain only one name, select the name (the real Domain name or one of the Domain Aliases) that your users will use in their client application settings. If your CommuniGate Pro Domain name is company.dom, and that domain name does not have a DNS A-record, but the Domain has an Alias mail.company.dom that has an A-record pointing to the CommuniGate Pro Server, your users will use the mail.company.dom name in their client settings and WebUser Interface URLs, so the Domain Certificate should be issued for the mail.company.dom name rather than the company.dom name.

You may also use "wildcard" domain names for your certificates. If the Domain name has at least 2 components, the Common Name menu will contain a "wildcard" domain name: the name of the Domain with the first component substituted with the asterisk (*) symbol. If the Domain name has only 2 components, the asterisk component is added to form a 3-component name.

To create a Certificate, fill the fields in the Certificate Attributes table:

Certificate Generator
Common Name:
Country:
Province:
City:
Organization:
Unit:
Contact:
Common Name
When the Certificate is sent to a client application, the application checks that the Certificate Common Name matches the name the user has specified in the URL and/or in the mailer settings.
Contact
This field must contain a valid E-mail address, though that address does not have to be inside this CommuniGate Pro Domain.

All other fields are optional.

To receive a Certificate from an external source ("trusted authority"), click the Generate Signing Request button. A text field containing the PEM-encoded CSR (Certificate Signing Request) will appear:

Certificate Generator
Common Name:
Country:
Province:
City:
Organization:
Unit:
Contact:
Enter a PEM-encoded Certificate

submit this request to a Certification Authority and paste the result below
Enter a PEM-encoded Certificate

Copy the CSR text and submit it to the Certification Authority (CA) of your choice. You can submit via E-mail or using a Web form on the CA site. The Certification Authority should send you back the signed Certificate in the PEM-format. Enter that Certificate into the bottom field and click the Set Certificate button.

If the Certificate is accepted, the Certificate information is displayed:

Domain Certificate
Issued to:
CountryUS
ProvinceCA
CitySausalito
OrganizationACME Yacht Rentals, Inc.
UnitOn-line Services
Common Named1.communigate.com
Contactbill@domain.company
Issued by:
CountryUS
ProvinceCA
CitySausalito
OrganizationACME Yacht Rentals, Inc.
UnitOn-line Services
Common Named1.communigate.com
Contactbill@domain.company
Serial Number:
89AB673940123456
Valid:
From:06-Nov-07Till:05-Nov-09
  

The Certificate panel shows the Certificate Issuer (the Certificate Authority), the Certificate Subject (the data you have entered and the selected domain name), the Certificate serial number and the validity period of this Certificate.

Note: the entered Private Key and Certificate will be used for the Domain secure communications ONLY if the PKI Services option is set to Enabled.

Note: the Certificate contains the Domain name or a Domain Alias as a part of the "Subject" data.
When you rename the CommuniGate Pro Domain, the domain name in the Domain Certificate does not change, and the client applications may start to warn users about the name mismatch.

Click the Remove Certificate button to remove the Domain Certificate.

Assigning a Certificate Authority Chain

If the Certificate issuer is known to the users client software (mailers and browsers), the warning message does not appear on the user screen when the client software receives a Certificate from the Server. In many cases, the "trusted authority" does not issue certificates itself. Instead, it delegates the right to issue certificates to some other, intermediate authority. When your Server uses a Certificate issued by such an authority, the Server should also present the Certificate of that authority issued by the "trusted authority". The client software would check your Certificate first, then it will detect that the issuer of your Certificate is not a "trusted authority" and it will check the additional Certificate(s) the Server has sent. If that additional Certificate is issued by a "trusted authority", and it certifies the issuer of your Domain Certificate, your Certificate is accepted without a warning.

When you receive a Certificate from a Certificate Authority that is not listed as a "trusted authority" in the client software settings, that intermediate Certificate Authority (CA) should also give you its own Certificate signed with a "trusted authority". That Certificate should be in the same PEM format as your Domain Certificate:

Certificate Authority Chain (Optional)

The CA Chain may include several certificates: the first one certifies the issuer of the Domain Certificate you have entered, but it itself may be issued by some intermediate authority. The next Certificate certifies that intermediate authority, etc. The last Certificate in the chain should be issued by some authority "known" to client software - usually, some Root Authority.

If your CA Chain contains several separate PEM-encoded Certificates, enter all of them into the Certificate Authority Chain field. The Certificate issued by a Root Authority should be the last one in the list.

Click the Set CA Chain button to assign the Certificate Authority Chain to the Domain. If all Certificates in the Chain are decoded successfully and their format is correct, the CA Chain list is displayed:

Certificate Authority Chain (Optional)
Issued toIssued byFromTill
OrganizationVeriSign Trust Network
UnitVeriSign, Inc.
UnitVeriSign International Server CA - Class 3
Unitwww.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
CountryUS
OrganizationVeriSign, Inc.
UnitClass 3 Public Primary Certification Authority
17-Apr-97 08-Jan-04

Note: CommuniGate Pro checks only the format of each Certificate in the Chain. It does not check that each Certificate really certifies the issuer of the previous Certificate and that the last certificate in the Chain is issued by a Root Authority.

When set, the Certificate Authority Chain is sent to clients together with the Domain Certificate.

Click the Remove CA Chain button to remove the Certificate Authority Chain from the Domain Security Settings.


Using Self-Signed Certificates

You can create a Self-Signed Certificate if you do not want to use any external Certificate Authority.
Click the Generate Self-Signed button and the CommuniGate Pro Server creates a Self-Signed certificate for you: the Issuer will be same entity you have specified, and the entire Certificate will be signed using the Domain Private Key. When a Domain has a Self-Signed Certificate, client applications will warn users that the addressed server has presented a certificate "issued by an unknown authority". Users can "install" self-signed certificates to avoid these warnings.

When client applications receive a Certificate and its issuer is not included into their list of Trusted Authorities, the applications may display warnings or they may refuse to accept the Certificate.

Your users can "install" your Domain Certificates into their Trusted Authorities lists. Once installed, the Certificate becomes a "trusted" one. For some programs (such as Mac versions of Microsoft Outlook and Outlook Express) installing an "untrusted" Certificate is the only way to use that Certificate for secure communications.

To install a Domain Certificate, the user should use a browser application and open the login page of the WebUser Interface for the selected Domain. If the Domain has an enabled Certificate, the Secure Certificate link appears. The user should click on that link to download the Domain Certificate and "open" it. The browser should allow the user to verify the Certificate and to install it into the list of Trusted Authorities.

When a Domain has a Self-Signed Certificate, the Refresh Self-Signed button appears on the WebAdmin page. Click this button to create a new Self-Signed Certificate with the same serial number, but with a new validity period.


Trusted Root Certificates

The CommuniGate Pro Server can verify validity of Certificates presented to it. For example, the WebUser Interface performs validity checks when displaying signed messages.

A Certificate is considered valid if:

There are several sets of the Trusted Certificates:

When a PKI operation is performed for a certain Domain (or for a certain Account in that Domain), the following Trusted Certificates are checked:

When a PKI operation is performed for the System itself (for example, an outgoing TLS connection is being established), the following Trusted Certificates are checked:

Use the WebAdmin Interface to update the set of Server-wide and Cluster-wide Trusted Certificates. Open Security page in the the Users realm. The Trusted Certificates page will open:

 Issued toSerial NumberFromTill
RSA Data Security, Inc.02AD667E4E45FE5E576F3C98195EDDC0 09-Nov-9408-Jan-10
Thawte Personal Freemail CA00 01-Jan-9601-Jan-21
Thawte Personal Basic CA00 01-Jan-9601-Jan-21
My Company CA010256FF 01-Jan-9601-Jan-21

Trusted Certificates included into the displayed set have a checkbox marker. To remove certain Trusted Certificates, select its checkbox and click the Remove Marked button.

In addition to the certificates from the displayed set, the Domain-wide pages display the built-in Trusted Certificates, and the Trusted Certificates from the Server-wide set (or from the Cluster-wide set for Shared Domains).
The Server-wide and Cluster-wide Trusted Certificates pages display the the built-in Trusted Certificates.
These additional certificates do not have checkbox markers.

Enter a PEM-encoded Certificate


To add a Certificate to the set, enter the PEM-encoded Certificate data into the text field and click the Set Certificate button. The new Certificate should appear in the displayed set.


SSL/TLS Secure Connections

The TLS (Transport Level Security) protocol a PKI application used to provide security and integrity of data transferred between a pair of communicating parties. The parties use PKI encryption to securely exchange a "secret key" data, and then all data transferred between the parties is encrypted using that "secret key". The earlier versions of the TLS protocol were called the SSL (Secure Socket Layer) protocols.

The CommuniGate Pro Server supports SSL/TLS connections for all its TCP-based services and modules. Secure connections can be established in two ways:

Usually certificates for SSL/TLS communications can be assigned only to the CommuniGate Pro Domains that have at least one assigned network (IP) address. This limitation comes from the design of the TLS protocols used today: when a client application wants to initiate a secure connection, the Server has no information about the Domain the client wants to connect to. The Server knows only to which local IP address the client has connected, so it opens the Domain this IP address is assigned to, and uses the PKI Settings of that Domain.

An exception to this rule is the XMPP protocol. Before an XMPP client sends the <starttls> command, it explicitly specifies the target domain in the <stream> data, so the Server can initiate a TLS session with a Domain that has no assigned network address.

Use the WebAdmin Interface to specify the Server-wide SSL/TLS processing parameters. Open the General pages in the Settings realm, and find the TLS Sessions panel on the Others page:

TLS Sessions
Log Level: CBC Ciphers for old TLS Process Target Domain extensions
Time to Live: Weak Ciphers Accept SSLv2 'hello'
Oldest Accepted:   Abort on Wrong Client Certificate
Log
Use this setting to specify what kind of information the TLS module should put in the Server Log. The TLS module records in the System Log are marked with the TLS tag.
Time To Live
This setting specifies the cache time for TLS sessions. When all connections using the same TLS session are closed, the Server waits for the specified time before deleting the TLS session parameters. This feature allows clients to open new connections resuming the old TLS sessions. It increases connection speeds and decreases the Server CPU load. This feature is especially important for HTTP clients that open and close connections very often.
Oldest Accepted
This setting specifies the oldest SSL/TLS protocol version accepted. If a remote peer specifies that it only supports an SSL/TLS version older than this one, an attempt to create a secure connection is rejected.
This option controls incoming TCP connections only.
Process Target Domain extensions
When this setting is enabled, the Server supports the TLS protocol extensions which allow the client to specify the name of the Server Domain it wants to access. This feature allows you to host several TLS-enabled Domains using the same Server Network IP Address.
CBC Ciphers for old TLS
Select this setting if you want to support CBC-based cipher methods for SSL 3.0 and TLS 1.0 protocols. The CBC-based cipher methods are always supported for datagram (DTLS) protocols.
Weak Ciphers
Select this setting if you want to support weak (less than 128-bit) security (cipher methods). The CBC Ciphers setting should be selected, too.
Accept SSLv2 'hello'
If this setting is enabled, the Server accepts SSLv2-style initial connection requests used by many older clients.
Note: even if this option is enabled, the actual security protocol used is SSLv3 or TLS, the SSLv2 security protocol is always disabled. There is no real reason to disable this option (other than to pass some bogus "security checks").
Abort on Wrong Client Certificate
When a Server requires a client to send a Certificate, the client may send an incorrect certificate: expired, issued by a wrong issuer, etc.
If this option is enabled, this situation aborts the current TLS negotiation process. If this option is disabled, then incorrect certificates are ignored.

Client Certificates

The CommuniGate Pro Server can request a Client Certificate when an external client (a mailer, browser, or a real-time device) establishes a TLS connection with a certain Domain.

Use the WebAdmin Interface to open the Domain Settings page for the target Domain, and click the Security link. The PKI page will appear:

Request Client Certificates
Issued by: Required:
Issued By
Select one of the Trusted Certificates specified for this Domain.
When a Trusted Certificate is selected, all TLS clients connecting to this Domain will be requested to present a valid certificate issued by the owner of the selected Trusted Certificate. These certificates can be used for Certificate Authentication.
Required
If this option is selected, only clients presenting valid Certificates can establish TLS connections to this Domain.

The CommuniGate Pro Server processes Client Certificate requests when it establishes a TLS connection to remote servers (SMTP, XMPP, SIP, POP, and other connections). It processes these requests by sending the TLS Certificate assigned to the Main Domain.


S/MIME Functionality

S/MIME is a PKI application used to digitally sign and encrypt E-mail and other messages. While TLS ensures data security when information is sent over an unprotected network, such as the Internet, S/MIME provides end-to-end data security: an S/MIME message is encrypted by the sender (using Multiparty Encryption) and submitted to the sender's server in the encrypted form. The same encrypted form is used when the message is transferred over a network, when it is stored on an intermediate server, and when it is deposited in the recipients' Mailboxes. Only the recipients can decrypt the message using their Private Keys, and only when they actually read the message: the message stays encrypted in the recipient's Mailboxes.

To use end-to-end S/MIME security, individual users should have their own PKI keys. Each user should have a Private Key securely stored in a storage available to that user only, and a matching Public Key embedded into a Certificate. This Certificate should be issued by a Certificate Authority that other users trust.

CommuniGate Pro WebUser and XIMSS Interfaces support S/MIME functions. The Server provides secure storage for user Private Keys. These Keys can be unlocked and used only by the users themselves, using these Interfaces.

To use a traditional desktop client application (a POP, IMAP, or MAPI client) the user Private Key should be stored in the PKI storage of the desktop operating system.
The WebUser and XIMSS Interfaces can export and import Private Keys, so the user can use the same Private Key for desktop applications and when employing these Interfaces. See the Secure Mail section for more details.


Domain S/MIME Settings

The CommuniGate Pro Server implements a Certificate Server, issuing Certificates for its users.

A CommuniGate Pro Domain can act as a Certificate Authority for all its Accounts if:

To specify Domain S/MIME settings, use the WebAdmin Interface to open the Domain Settings pages. Open the Security page and click the S/MIME link. If the Domain has a valid Private Key, a page similar to those for the generic Domain Certificate are displayed. These fields can be used to enter a special S/MIME certificate for the Domain. This Certificate is used as the Issuer (Certificate Authority) for all S/MIME Certificates requested by users in this Domain.

If the special S/MIME Certificate is not specified, then the generic Domain Certificate is used as the Issuer Certificate.


Automatic S/MIME Encryption

The S/MIME features can be used to provide secure message store. CommuniGate Pro can encrypt all or certain messages before it stores them in user Mailboxes.

The Store Encrypted Rule action is used to encrypt incoming E-mail messages and store them in the specified Mailbox.

Messages are encrypted using the S/MIME Certificate of the Mailbox owner. If the Store Encrypted Rule action is used in an Account-Level (i.e. in an Account or in a Domain-wide) Rule, and the specified Mailbox does not belong to the user Account, the message is encrypted using the Certificates of the Mailbox owner and the current Account.

Sample:
The Account john has a Rule with the following action:
Store Encrypted in    ~jim/INBOX
When this action is taken, the message is stored in the INBOX Mailbox of the Account jim encrypted with both john and jim Certificates. Both jim and john can decrypt and read this message.

Stored Message Encryption

After CommuniGate Pro users receive certain clear-text E-mail messages, they may prefer to keep them encrypted in the Server Mailboxes. The MAPI and XIMSS clients, and the WebUser Interface provide the Encrypt and Decrypt functions that allow users to encrypt and decrypt individual messages in their Mailboxes.


CommuniGate® Pro Guide. Copyright © 1998-2015, Stalker Software, Inc.