System administration
Vasya Pupkin, 2020-01-21 23:10:39

Is it possible to somehow sign outgoing mail with a wildcard certificate?

There is a domain and a certification authority; USB tokens were bought so that users log in with a key rather than a password. We set it up and distributed the user certificates (created in the CA) on the USB tokens. Everyone logs in, everything works.
It is also possible to sign mail with the same certificate, but this is a local certificate and it will work properly only inside the domain: if you send a signed message outside the domain, the client will mark it as spam, because the certificate cannot be verified since it is issued by the local CA.
The most obvious option is, of course, to order a bunch of personal certificates that correspond to the employees' mail addresses, but then what is the point of a local CA? If there are 200 users, then you will have to buy 200 certificates.
Is there some kind of wildcard option, where I buy one certificate for the domain and simply create the rest based on it?
How else can this be implemented?


2 answer(s)
CityCat4, 2020-01-22
@Desert-Eagle

Is there some kind of wild-card option?

No.
For three reasons.
1. The certificate for the domain may not have the required EKU (Extended Key Usage). The TLS Web Server Authentication EKU is usually used for server identity, while signing/encrypting mail needs the E-Mail Protection EKU, and it is by no means certain that the CA will put it in the certificate; most likely it will not.
2. An email client will not be able to use a certificate in which the emailAddress in the Subject field does not match the mailbox you are trying to configure: it simply will not recognize it (Outlook will not find it and will misbehave, TB will ignore it).
3. Commercial CAs are also well aware that everyone needs a personal certificate to protect mail, and that is why they sell them individually :) capacity you issue certificates. For money, of course.
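
The first two points above can be checked with the openssl command line before a certificate is handed to a mail client. This is an added example, not part of the original answer; the certificates, names and addresses are constructed test data, and `make_cert` and `smime_usable` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. Every name, address and certificate here is constructed test data.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME CN EKU SAN: write a self-signed test certificate to $WORK/NAME.pem
make_cert() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = $2
[ext]
extendedKeyUsage = $3
subjectAltName = $4
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# smime_usable CERT ADDRESS: return 0 only if CERT passes both checks for ADDRESS
smime_usable() {
  rc=0
  # Point 1: the Extended Key Usage must list E-mail Protection
  if ! openssl x509 -in "$1" -noout -text | grep -q 'E-mail Protection'; then
    echo "FAIL $1: EKU lacks E-mail Protection"; rc=1
  fi
  # Point 2: the certificate must name the sender's address (SAN or subject)
  if ! openssl x509 -in "$1" -noout -checkemail "$2" | grep -q 'does match'; then
    echo "FAIL $1: no address matching $2"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK   $1: usable for S/MIME as $2"
  return "$rc"
}

# A domain (wildcard) certificate and a personal mail certificate
make_cert wildcard '*.example.com' serverAuth 'DNS:*.example.com'
make_cert alice 'Alice Example' emailProtection 'email:alice@example.com'

smime_usable "$WORK/wildcard.pem" alice@example.com || true
smime_usable "$WORK/alice.pem" alice@example.com || true
smime_usable "$WORK/alice.pem" bob@example.com || true
```

The wildcard certificate fails both checks, and the personal certificate passes only for the address it was issued to.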

Vladimir Zhurkin, 2020-01-21
@icCE

You can. This is called S/MIME for email.
Those who don't understand the S/MIME format will just get an extra file.
https://sectigo.com/enterprise/sectigo-certificate...
And yes, S/MIME is better done for each person individually.
You don't have to pay for additional certificates (although some people like to).
