Preparing to import a TLS certificate signed by a certification authority

A TLS certificate signed by a certification authority (CA certificate) intended for import into Kaspersky Secure Mail Gateway must meet the following requirements:

• The certificate file must have a unique name in the list of certificates used in Kaspersky Secure Mail Gateway.
• The files of the server certificate, intermediate and root CA certificates, and the private key file must be in PEM format.
• The key length must be 1024 bits or longer.
• You must have the complete certificate chain – the path from the server certificate to the roof CA certificate.

  On receiving the CA certificate, you may need to use the intermediate certificate in addition to the server certificate.

• Certificates must be specified in the certificate chain in the following order: first the server certificate followed by intermediate CA certificates.
• Intermediate certificates must not be skipped in the certificate chain.
• The certificate chain must not include any certificates unrelated to current certification.

By way of an example, below are instructions on how to prepare for import a TLS server certificate signed by a certification authority, server_cert.pem, whose private key is contained in the key.pem file. The name of the intermediate server certificate is intermediate CA. The name of the root certificate is root CA.

To prepare a TLS certificate signed by a certification authority for import into Kaspersky Secure Mail Gateway:

1. In the file of the TLS certificate, remove the password (if any) for accessing the certificate. To do so, execute the command:

   # openssl rsa -in <name of the private key file>.pem -out <name of the private key file with the password removed>.pem

   For example, you can execute the following command:

   # openssl rsa -in key.pem -out key-nopass.pem

2. Do one of the following:
   • If you are certain that the clients to which the server will provide this certificate have their own copies of the root and intermediate CA certificates, combine the private key, server certificate, intermediate and root CA certificates into a single file. To do so, execute the command:

     % cat <name of the private key file with the password removed>.pem <name of the server certificate>.pem <name of the intermediate CA certificate>.pem <name of the root CA certificate>.pem <name of the TLS certificate after the files were combined>.pem

     For example, you can execute the following command:

     % cat key-nopass.pem server_cert.pem intermediate_CA.pem root_CA.pem > cert.pem

   • If you are not sure that the clients to which the server will provide this certificate have their own copies of the root and intermediate CA certificates, combine the private key and server certificate into a single file. To do so, execute the command:

     % cat <name of the private key file with the password removed>.pem <name of the server certificate>.pem <name of the server certificate after the files were combined>.pem

     For example, you can execute the following command:

     % cat key-nopass.pem server_cert.pem > cert.pem

The TLS certificate signed by the certification authority (for example, cert.pem) is ready for import into Kaspersky Secure Mail Gateway.

See also Using the TLS protocol in the operation of Kaspersky Secure Mail Gateway About using the TLS protocol in the operation of Kaspersky Secure Mail Gateway Configuring TLS security for Kaspersky Secure Mail Gateway in Server role Configuring TLS security for Kaspersky Secure Mail Gateway in Client role Creating a TLS certificate Deleting a TLS certificate Preparing a self-signed TLS certificate for import Importing the TLS certificate from file

Page top