- Internal Certificate Authority
- PGP Key Servers
- Encryption Settings
- Internal Recipients Encryption
- External Recipients Encryption
Internal Certificate Authority
An Internal Certificate Authority can be used to create certificates for internal and external recipients for the purposes of S/MIME encryption and message signing. The certificate generated by the internal CA are not trusted, therefore you must instruct the external recipients of your messages to trust your Internal CA in their clients.
Alternatively, instead of using certificates generated by the internal CA, you can import certificates from a trusted 3rd party Certificate Authority for both internal and external recipients.
Add Internal Certificate Authority
- Under the Certificate Authority Common Name field, enter the name you wish to assign to the internal CA.
- Under the Certificate Authority Certificate Validity in Years field, select the length of time you wish the Certificate Authority to remain valid. We recommend you leave this setting at the default 5 years.
- Under the Certificate Authority Certificate Key Length select the key length you wish to use. We recommend you leave this setting at the default 4096-bits.
- Under the Organization/Company Name enter the name of your organization.
- Under the Organization Unit field enter the name of your organization unit.
- Under the Organization State/Province field enter the name of of the organization state/province
- Under the Organization Country Code field enter the two letter code for your organization country. Example, for United States simply enter US.
- Click the checkbox under the Make Default field, if you wish to make this Certficate Authority the defalt CA. By default, the first CA that gets created becomes the default CA.
- Click the Save Settings button (Figure 1).
- Each Internal Certificate Authority you add shows up in the Edit/Delete Existing Internal Certificate Authorities section (Figure 2).
- Continue adding Internal Certificate Authorities as needed.
Set Internal Certificate Authority as Default
- Under the Edit/Delete Existing Internal Certificate Authorities place a checkmark under the Default column of the Internal Certificate Authority you wish to set as default. The system will automatically set the Certificate Authority as the default (Figure 3).
Delete Internal Certificate Authority
Default Internal Certificate Authorities or Internal Certificate Authorities that have been used to issue certificates to Internal or External Recipients cannot be deleted. In those cases you must either set another Internal CA as the default and/or you must first remove the Internal Recipients under Gateway --> Internal Repients and the External Recipients under Encryption --> External Recipient Encryption which will also remove any certificates assigned to those recipients. Please note, you do not have to remove all internal or external recipients, only the recipients that have certificates assigned to them by the Internal Certificate Authority you wish to delete.
- Under the Edit/Delete Existing Internal Certificate Authorities click the icon of the Internal Certificate Authority you wish to delete.
- On the confirmation page, click on the YES button to delete the Internal CA or click the NO button to cancel.
- You will be returned to the Internal Certificate Authority Page
PGP Key Servers
PGP Key Servers section allows you to add/delete public PGP Key Servers to Hermes SEG in order to be able to publish Internal and External Recipient Public PGP Keys to those servers. Hermes SEG by default includes the following public PGP Key Servers:
- ha.pool.sks-keyservers.net --> OpenPGP SKS Key Server High Availability
- keyserver.ubuntu.com --> Ubuntu SKS OpenPGP Public Key Server
Add PGP Key Server
- Under the Key Server field, enter the Key Server address. Ensure you do NOT include http:// or https:// or any port numbers.
- Under the Note field, enter a description for this key server.
- Click the Add button (Figure 1)
- The server will be added and it will appear under the Delete PGP Key Server(s) section below (Figure 2)
Delete PGP Key Server
- Under the Delete PGP Key Server(s) section, select the Key Server entry you wish to delete (only one entry at a time can be selected) and click the Delete button (Figure 3).
- The Key Server you selected will be immediately deleted and removed from the Delete PGP Key Server(s) section.
- The Trigger encryption by e-mail subject allows Internal Recipients to encrypt email to any External Recipient by entering a special keyword in the subject of any email. This setting enables or disables this feature. We recommend you set it to Enabled (Figure 1).
- The Encryption by e-mail subject keyword sets the special keyword to be entered in the subject of an email in order to encrypt that email message. Enter a unique keyword that would not normally appear in the subject of a typical email. We recommend you set this field to [encrypt] or [secure] ensuring to include the brackets (Figure 2).
- The Remove e-mail subject keyword after encryption field sets the system to automatically remove the special keyword from the subject after the email has been encrypted. We recommend you set it to Enabled (Figure 3).
- The Secure Portal Address field sets the address that will be included in PDF encrypted emails that require the recipient to navigate in order to decrypt, view and reply to encrypted PDF emails (Figure 4).
- The PDF Reply Sender E-mail sets the From address for when an external recipient replies to an encrypted PDF email from the Secure Portal (Figure 5).
- The Server Secret Keyword, Client Secret Keyword and Mail Secret Keyword are used to protect external resources against tampering. For example if an external user replies to an encrypted PDF email, the Server Secret Keyword ensures that the user can only reply to to a message generated by this server. If you followed the Getting Started guide, you should had generated new Server Secret Keyword, Client Secret Keyword and Mail Secret Keyword. If not, ensure you generate one by clicking on the icon next to each which will automatically generate a keyword and enter it in each respective field (Figure 6).
- Click on the Save Settings button to save your settings.
Internal Recipients Encryption
If Internal Recipients have not been added in your system under Gateway --> Internal Recipients, this page will not show a recipient listing.
By default, When Internal Recipients are added into Hermes SEG, they are NOT configured with the ability to send encrypted email. Each Internal Recipient must be individually configured for the type of encryption you wish for them to use.
On this page, a listing of only previously added Internal Recipients will appear. Note, that under the Encryption Status section the PDF and S/MIME and PGP columns are set to No. Additionally, under the S/MIME Cert(s) section, the certificateicons are disabled indicating that no S/MIME Certificates are present, and under the PGP Keyring(s) section the keyringicons are disabled indicating that no PGP Keyrings are present (Figure 1).