Private Certificate Authority

With the private certificate authority (CA), certificates for your e-mail aliases can be created automatically by the Appliance on demand.
The advantage is that you save the cost of purchasing certificates as well as the cost of administering them.

The disadvantage is that the mail recipient must have imported your root certificate once in order to recognize the validity of your certificates.
Another disadvantage is that certificates created this way cannot be checked with CRL or OCSP.

The following steps are required to generate a private certificate authority:

  1. In the admin web interface select MailSealer and right-click on "private certificate authorities"
  2. Click on create
  3. You can then
    • Generate a new CA certificate: provide a valid X.509 name, the name for your new CA and the end of the validity period (default is 10 years)
    • Upload your own CA certificate with the corresponding password and set the name for the new CA
  4. Confirm with "create certificate authority". This creates the CA, which is then listed in the Certificate Authorities under the name you provided
  5. You need to set one Certificate Authority as active (with right click => set active)
    The activated authority will automatically create certificates if this is enabled in the MailSealer settings
    Only one authority can be active at a time
  6. Switch to the MailSealer settings, enable the MailSealer and "apply settings"
  7. Switch to the next tab "MailSealer" and select "Auto create certificates"
  8. Select "Include signer certificate chain" and "Include sender key"
  9. Confirm with "apply settings"
  10. Switch to the policy settings panel and provide incoming and outgoing policies to define for which email addresses the MailSealer has to be used
  11. You can also provide your Root CA to other communication partners
    To do so, select the corresponding CA and click on "Export CA Certificate" => "CA Certificate"
  • You can create multiple Certificate Authorities, but remember that only one can be active at a given time
  • If it is no longer needed, a CA can also be deleted by right-clicking the CA and selecting "Delete"
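
The trust requirement described above (the recipient must import your root certificate) can be reproduced offline with the OpenSSL command line. This is an added example, not part of the product documentation: the CA, the alias alice@example.test and all file names are constructed stand-ins, and nothing is taken from the Appliance.

```shell
# Added example: every key, name and address is constructed for this demo.
# Returns 0 if the signature verifies only when the private root is trusted.
private_ca_trust_demo() {
  d=$(mktemp -d) || return 2
  (
    cd "$d" || exit 2
    # Stand-in for the private CA of step 3 (10 years, like the default).
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
O = Example Org
CN = Example Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[smime_leaf]
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:alice@example.test
EOF
    openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 3650 \
      -keyout ca.key -out ca.pem 2>/dev/null || exit 2
    # Stand-in for an automatically created certificate for one e-mail alias.
    openssl req -new -config ca.cnf -subj "/CN=alice@example.test" \
      -newkey rsa:2048 -nodes -keyout user.key -out user.csr 2>/dev/null || exit 2
    openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -days 365 -extfile ca.cnf -extensions smime_leaf \
      -out user.pem 2>/dev/null || exit 2
    # The sender signs; the signer certificate is embedded in the message.
    printf 'constructed test message\n' > msg.txt
    openssl smime -sign -in msg.txt -signer user.pem -inkey user.key \
      -out signed.eml 2>/dev/null || exit 2
    # Recipient who imported the exported CA certificate: must verify.
    openssl smime -verify -in signed.eml -CAfile ca.pem \
      -out /dev/null 2>/dev/null || exit 1
    # Recipient without the root in the trust store: must be rejected.
    if openssl smime -verify -in signed.eml -out /dev/null 2>/dev/null; then
      exit 1
    fi
    exit 0
  )
  rc=$?
  rm -rf "$d"
  return $rc
}
```

To check a real deployment, a recipient can run the same `openssl smime -verify` call with `-CAfile` pointing at the file obtained via "Export CA Certificate".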