The Certificate Manager is used to create, import and manage SSL/TLS X.509 certificates.
How to buy and install a certificate...
You can reach this manager from Options | Certificates or through the Certificate Manager button on the SSL Certificate tab of the Service properties dialog.
Certificates are used to secure communication between client computers and the services installed on your system.
Certificates provide two functions :-
Authentication (prove that the site is who the client thinks it is) Encryption (prevent third parties from observing the communication, including the transmission of passwords)
Most email clients and web browsers are capable of accepting certificates and using them for secure communication.
Mailtraq supports the highest level of security to allow direct HTTPS connection to credit card services, such as Visa, MasterCard and American Express, and to provide HIPAA medical record confidentiality compliance.
More about PCI Compliance here... and PCI Compliance testing here... & here...
Secure web services
Mailtraq provides secure HTTPS web services. Read more here...
Require Strong Encryption
Security Options are available on the HTTPS Service to require SSL3 or greater.
The "Strong Ciphers" option rejects connections from older less secure browsers, only accepts 128-bit or 256-bit keys and disables anonymous encryption.
RC4 Ciphers Warning
Only select RC4 Ciphers if you have a particular requirement. Multiple vulnerabilities have been discovered in RC4, rendering it insecure.
The Strong Ciphers choice in the dialog specifically excludes RC4
Strong Encryption on other services
Mailtraq supports strong encryption on SMTPS, IMAPS and POP3S if required.
See Configuration Advice below...
Mailtraq supports wildcard certificates from build 188.8.131.5220 and above.
Some email clients (e.g. K9 for Android, Thunderbird) may not to trust wildcard certificates without additional confirmation from the user. Outlook generally accepts them.
What is in a Certificate?
Certificates contain just a few items: a Subject (identifying the web site), an Issuer (identifying who issued the certificate), a public key (used for public-key cryptography) and the encryption parameters (used to secure the channel).Web Browsers have a list of issuers that the user trusts. These issuers (Certificate Authorities) sign the certificate indicating that they believe the subject to be authentic. Thus, if the user trusts the issuer, they implicitly trust the subject. For this reason, certificates should always be signed by issuers who the user is likely to trust. For most users, this means one of the large Certificate Authorities.
You can issue a self-signed certificate, indicating that there is no issuer, which means the user must explicitly choose to trust your certificate. In such cases, a warning dialog is usually displayed to the user. Not all web browsers can use self-signed certificates.
Creating a Self-Signed Certificate
You can create a Self-Signed certificate easily by clicking on New Certificate and choosing the Self-Signed option. The cryptography parameters should be RSA/SHA1 or SHA256/RSA, with a key size of 2048, for greatest acceptability. Android 5.0 and above no longer supports MD5/RSA and will result in a Handshake Fail error during client negotiation.
Creating a Regular Certificate - the Certificate Signing Request
Creating a CA-Signed certificate is more complex. To do this, you must create a CSR (Certificate Signing Request) which you then give to the Certificate Authority for them to authenticate and sign. What they return is the completed certificate.
To do this, simply contact a Certificate Authority and request a new certificate. They will typically ask for a Certificate Signing Request (CSR, or PKCS#10 certificate). Normally they can accept a Base64 encoded CSR.
Where to buy?
There are many Certificate Authorities available - many users report Comodo as having the easiest process.
Creating your CSR
To get this, click on [New Certificate] in the Certificates Manager and follow the Wizard. The default option will create a Certificate Signing Request. Confirm with your vendor any specific requirements for the 'Certificate Subject'. Certificate Cryptography is typically:
Public Key Algorithm: RSA
Signature Algorithm: SHA256/RSA
Key Size: 2048
A CSR will be displayed in Base64 which you can copy and paste into your vendors online purchase form. The Certificate Authority will then begin the process which typically involves contacting you to verify the credentials. Once complete, they will provide somewhere (typically on the web site) where you can download the completed certificate.
Save the certificate provided onto the local machine. You can then use the Import button in the Manager to install it in the system. A Wizard will walk you through the import process. The import process uses the CSR you created earlier which Mailtraq will have stored internally. The imported certificate must match this pending CSR (certificate signing request).
Requiring strong encryption on SMTPS, IMAPS and POP3S
It is not usual to require strong encryption on standard services, as it can greatly restrict access by many clients but Mailtraq supports this option by direct editing of the 'system.cfg' file.
Backup the current Configuration using the Backup tool
Stop the Mailtraq service.
Locate the 'system.cfg' file (Note that this file must not be edited while the Mailtraq service is running)
You can take a copy of this file and place it somewhere safe, to provide an instant replacement if you need to 'step back' due to an error in editing.
Mailtraq must always be stopped when working on the 'system.cfg' file.
The default location is at C:\Program Files\Mailtraq\database\configuration\system.cfg
Open the file with Notepad. Edit with great care: this file is the 'heart' of your Mailtraq!
Use Edit | Find to locate each instance of SslStrong=0
To require strong encryption change the setting to SslStrong=1
Only apply this change to the service instances you actually need as it can prevent 'regular' clients connecting. If you apply it to SMTP on Port 25 Explicit SSL might be used.
Make your changes, and Save the file, and exit.
Start the Mailtraq service.
"0" is default
"1" is strong encryption only.
"2" is RC4 cipher suites only and SHA hashes only.
"1" actually specifically excludes RC4 because it isn't as strong.