Resigning Internal PKI S/MIME certificate for external customers

mgowland
Level 1

I'm after a solution to have all emails to our customers signed for authenticity. We have our own internal PKI so we can issue all staff S/MIME certs, however our external customers obviously won't trust our CA. So I was thinking if we buy say one or two certificates from a trusted third party, there might be a solution out there that re-signs outgoing emails with the publicly trusted certificate. So all internal staff get a personal S/MIME certificate for internal use. Then outgoing emails are checked for authenticity and if validated get re-signed with a single publicly trusted certificate. That way we don't have to purchase a third party cert for every user. Does something like this exist?

8 Replies

Mathew Huynh
Cisco Employee
Hey mgowland,

Let me know if my understanding is incorrect but - you currently are using your own CA for signing internally and would like to have the ESA re-sign with a public CA so it can be verified/validated.

If this is the case, then the signing would be gateway level s/mime signing rather than individual mailbox level. On the ESA after you created your certificate and got it signed by a known CA, you can load it into the device and use that profile for S/MIME signing emails leaving the ESA.

Regards,
Mathew

We don’t have an ESA but I have been considering looking into Cisco email security which looks like it’s effectively esa hosted in the cloud? So these products can do outgoing email smime signing? Does this mean we purchase a single smime certificate then the esa signs all outgoing emails with that cert? How does it handle emails that have already been signed by the senders internally trusted personal certificate?

Hello mgowland,

Yep it would be the ESA signing the email at the gateway level to show validity the email came from the ESA host. (CES if Cisco hosted ESA).

If the email is already signed, any modification done to it would break the S/MIME validity - so in the event that someone has signed it on their own mail box side, it would be double signed if the ESA has re-signed it.

The ESA has a condition however in the filtering to check if it's signed, so you can allow it to skip signing if already signed.

Regards,
Matthew

Okay so the email would be signed by a single S/MIME certificate at the ESA? Or would there effectively be one S/MIME cert per user?

Also, if the email is already signed then yes any modification would break the digital signature, but is the ESA smart enough to strip the digital signature and re-sign it with the single certificate?

What I am trying to achieve is the most cost effective way to implement digital signing of outgoing emails. Seeing as though we have our own CA we can sign everything for free, but our external customers would see a warning until they trust our first email. If we need the encryption module of CES (SKU CES-ENCRYPTION) then I think it would probably be cheaper to just purchase certificates for each user instead, haha.

Hey,



One cert per ESA.

It's a gateway level signing to show the email legitimately came from the name.hostname.com gateway.

The ESA will not strip the current signature from memory/experience; it should sign on top of the existing one or not sign at all, depending on your filtering settings.

(Signing on the ESA is done with a message/content filter).

The CES Encryption Module I believe covers the Cisco Registered Envelope encryption service; which =/= S/MIME encryption.

Regards,

Matthew


Does S/MIME signing come as part of the base CES product SKU? We don't need the encryption module to get this functionality?

Just to be clear, if a user signs an email before they send it, then it passes through the ESA and it then signs it again (assuming we don't tell it to ignore already signed emails), then would the recipient see the email as being invalidated?... Or valid? I mean, the "outer" signature provided by the ESA I would assume would show as valid, so maybe the client would only look at that and then see anything else (i.e. the original signature from the end user) as just part of the message? Might depend on the client. Any ideas what might happen in this case? I'm curious because if we issue all internal staff certificates from our CA then all emails to external customers will no doubt be signed, but we would still want the ESA to sign them with the publicly trusted certificate.

Hello,

S/MIME functionality is available w/o the encryption license.

The encryption license is strictly to allow the usage of Cisco Registered Envelope Service (CRES).

S/MIME signing is available for all CES/ESA devices, as long as you have created/purchased a valid S/MIME certificate to install into the device.

If the email is double signed, it will not cause invalidation typically - the end MUA/MTA doing verification for S/MIME will need to just do double verification - however I cannot say for certain all software/MUA/MTA will be able to do it successfully.

Ideally double signing shouldn't be done; as if you decide to tamper with the email on the ESA/CES with body edits, subject edits, attachments inserted etc - it will break the original signing/encryption done by S/MIME.

I hope this clears up some concerns,

Matthew
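An added example (not from this thread or from Cisco) that reproduces the double-signing scenario above with OpenSSL: a user cert from a constructed internal CA signs first, a gateway cert from a constructed stand-in "public" CA signs on top, and the recipient verifies layer by layer. It also shows the tampering case: a body edit made after the user signed leaves the outer gateway signature valid but breaks the inner one. All CA names, addresses and file names are assumptions for the demo.

```shell
#!/bin/sh
# Constructed demo of gateway-level S/MIME re-signing on top of a user-level signature.
set -e
WORK=$(mktemp -d); cd "$WORK"

mkca() {   # $1=file stem, $2=CN: self-signed CA (demo only)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
mkleaf() { # $1=stem, $2=email, $3=issuing CA stem: S/MIME leaf with emailProtection EKU
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1/emailAddress=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'extendedKeyUsage=emailProtection\nsubjectAltName=email:%s\n' "$2" >"$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -days 1 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}
sign() {   # $1=input MIME entity, $2=signer stem, $3=output: detached multipart/signed
  openssl smime -sign -in "$1" -signer "$2.crt" -inkey "$2.key" -out "$3"
}
verify() { # $1=signed message, $2=the only trusted CA stem, $3=where to write the content
  openssl smime -verify -in "$1" -CAfile "$2.crt" -no-CApath -no-CAfile \
    -out "$3" >/dev/null 2>&1
}

mkca internal "Internal Corp CA"        # only staff trust this one
mkca public   "Simulated Public CA"     # stands in for the purchased certificate's CA
mkleaf alice   alice@example.test       internal
mkleaf gateway postmaster@example.test  public

printf 'Content-Type: text/plain\r\n\r\nHello customer\r\n' >body.txt
sign body.txt  alice   inner.eml     # user-level signature (internal CA)
sign inner.eml gateway outer.eml     # gateway signs on top, as the ESA would

# Recipient side: peel the outer layer with the public CA, then the inner layer
# with the internal CA. Each step needs its own trust anchor.
outer_ok() { verify outer.eml public out1.eml; }
inner_ok() { outer_ok && verify out1.eml internal out2.txt; }
outer_as_internal_fails() { ! verify outer.eml internal /dev/null; }

# Body edited after the user signed but before the gateway signed: the gateway's
# signature covers the edited text and verifies, the user's signature no longer does.
sed 's/Hello customer/Hello customer (edited)/' inner.eml >tampered.eml
sign tampered.eml gateway tampered_outer.eml
tampered_outer_ok()    { verify tampered_outer.eml public t1.eml; }
tampered_inner_fails() { tampered_outer_ok && ! verify t1.eml internal /dev/null; }

inner_ok && echo "double signed: both layers verify"
tampered_inner_fails && echo "edited after user signing: outer valid, inner broken"
```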


Yes it does. You have been very helpful, thank you very much.