Problems related to certificates for email signature, email encryption or receiving signed emails
Whenever certificates and their certificate chains are used for email signing or encryption, they have to be checked for validity. Note that certain basic requirements must be met before an end-entity certificate is considered valid:
- The certificate itself, including its complete certificate chain, is stored in the certificate store of NoSpamProxy.
- The revocation check of the final certificate and all intermediate certificates contained in the certificate chain was successful.
Please note that the check is preferably carried out via the Online Certificate Status Protocol (OCSP). If the respective certificate does not offer OCSP, the check falls back to the certificate revocation list (CRL). When the CRL of each certificate is retrieved, three conditions must be met:
- The CRL can be retrieved from all gateways.
- The CRL itself is still valid.
- The affected certificate is not included in the certificate revocation list.
Point 2 can be checked manually by downloading the list in a browser (if the CRL is linked via HTTP) and then opening it with the Windows built-in certificate tools. Bear in mind any proxy settings that may apply.
Please also refer to the knowledge base article How to configure a web proxy.
The easiest way to carry out the check is with the help of an automated script. To use this script, you must log on to the system on which the Intranet Role is installed. Execute the script there. Use either the PowerShell command line or the PowerShell ISE.
After executing the script, you will be asked for the thumbprint of the certificate to be checked. This can be found in the Activities section of the message track of the email in question. In said area, you will find the name of the applicant as a link. There you will find the thumbprint of the certificate, which you can copy by right-clicking.
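The chain and revocation check the script automates, as an added PowerShell example (this is not the NoSpamProxy script the article refers to); it assumes the certificate and its chain are in the Windows local machine store on the Intranet Role system, that the thumbprint copied from the message track is passed as a parameter, and that CRL/OCSP URLs are reachable through whatever proxy is configured:

```powershell
# Added example: locate a certificate by thumbprint, build its chain with online revocation
# checking for every chain element, and report each element's status.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint
)

# Strip spaces/colons that are often copied along with the thumbprint
$thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

$cert = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
    Where-Object { $_.Thumbprint -eq $thumb } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with thumbprint $thumb found in Cert:\LocalMachine" }

# Show where revocation information is fetched from: CRL distribution points (2.5.29.31)
# and Authority Information Access / OCSP responders (1.3.6.1.5.5.7.1.1)
foreach ($ext in $cert.Extensions) {
    if ($ext.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
        $urls = [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
        Write-Host ("{0}: {1}" -f $ext.Oid.FriendlyName, ($urls -join ', '))
    }
}

# Online revocation check of the end-entity certificate and all intermediates (EntireChain);
# the Windows chain engine uses the OCSP responder and CRL URLs found in the certificates.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$ok = $chain.Build($cert)

foreach ($el in $chain.ChainElements) {
    $status = if ($el.ChainElementStatus.Count -eq 0) { 'OK' }
              else { ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ', ' }
    Write-Host ("{0}`n    status: {1}" -f $el.Certificate.Subject, $status)
}

if ($ok) { Write-Host 'Chain and revocation check succeeded' }
else {
    # Typical results: RevocationStatusUnknown / OfflineRevocation (CRL or OCSP not reachable,
    # often a proxy problem), Revoked (certificate is on the CRL), PartialChain (issuer not in store)
    Write-Warning ('Chain check failed: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join ' | '))
}
$chain.Dispose()
```

Run it as `.\Check-Chain.ps1 -Thumbprint <thumbprint>` in an elevated PowerShell so the machine store is readable; a status other than OK on an intermediate points at which of the three CRL conditions above is not met.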