Certificate store overview

The Email Gateway Certificate store page is divided into areas, based on the type of certificates and how they are used:

About the Certificate Store

Certificate Authorities certificate store

Tell me more

This area contains S/MIME signing certificates.

Signing certificates are used to verify the other certificates that are used to encrypt, decrypt, and sign email messages passing through the Email Gateway.
Corporate certificate store
Tell me more
This area contains the S/MIME and PGP certificates that belong to your organization.

The private keys contained within the Corporate certificates are used to do the following on behalf of the people in your organization:
- Decrypt incoming email messages
- Sign outgoing email messages
Partners certificate store
Tell me more
This area contains the S/MIME and PGP certificates that belong to the people and organizations that you do business with.

The public keys contained within the Partners certificates are used to do the following:
- Encrypt email messages sent to your partners
- Verify the digital signatures of email messages received from your partners

Configuration

Tell me more

This area enables you to:

Configure the Gateway to run validation checks on the certificates in your certificate store.

You can schedule a daily certificate validation check, or use the Run checks button in the What would you like to do? panel to run the check immediately.

Certificate validation checks might take several hours to complete depending on the size of the certificate store. We recommend scheduling the check to run at an off-peak time.

Details of the checks are reported in the Certificate Store log file.

Use expired or suspicious certificates, if applicable.

You can specify that the Gateway does not use expired or suspicious certificates. A suspicious certificate is defined as any certificate for which the Gateway has been unable to download the Certificate Revocation List for three consecutive days.

By default, the Gateway does not use revoked certificates. However, you can override this setting for individual certificates using the Override Warnings option.
Use other types of certificate, if applicable.

You can also specify that the Gateway does not use any of the following types of certificate:
- Certificates that are valid for longer than a period of three years
  
  These certificates span more than three years between the Valid From and Valid To dates. The validation is not connected to either expiry dates or the current date.
- Self-signed certificates
  
  A self-signed certificate is signed with the same entity whose identity it certifies.
- Certificates with no CRL information
  
  These certificates are defined as certificates with no CDP (CRL Distribution Point).
- Certificates with incorrect key usage
  
  Certificates with incorrect key usage lack either the 'digitalSignature' and 'keyEncipherment' properties.
- Certificates with a missing CA
  
  These certificates do not have a CA present on the Gateway.

Use the Search Criteria box to find a particular certificate or set of certificates. You can search for certificate details including Company, Issuer, Serial Number, and Expiry Date, in each of the Certificate Stores. You can also search for any Certificates with warnings, or a certificate with a warning that has already been overriden (Override Warnings).

Certificate overrides

If you have chosen not to use expired or suspicious certificates, you can override this setting for an individual certificate. You can also override a revoked certificate.

Search for the certificate you want to override.
Select the appropriate certificate from the search results.
Click Override Warnings.

Certificate store overview

About the Certificate Store

Certificate overrides

See also...