Messaging Gateway

  • 1.  Brightmail with Multiple Certificates

    Posted Sep 16, 2013 01:01 PM

    Hi,

    We have a messaging gateway 10.0.1 and require a TLS certificate to communicate to some of our customers. Currently we have a self-signed cert. A new customer requires that we have a cert issued by a public CA.

    My question is:

    Will adding this extra cert break anything with any of our other customers currently using our self-signed cert, and can we have a self-signed cert and public cert coexist?

    Thanks,

    Crazy Tech



  • 2.  RE: Brightmail with Multiple Certificates

    Broadcom Employee
    Posted Sep 16, 2013 01:41 PM

    As long as you have the certificate set up with a CSR from the Messaging Gateway and the hostname matches the public DNS records for the scanner, it should work very well.



  • 3.  RE: Brightmail with Multiple Certificates

    Posted Sep 16, 2013 02:04 PM

    Thanks for the reply. I'm sorry, but I'm very new to Brightmail. So you're saying the common name in the certificate must match the DNS record for our customer's mail server?



  • 4.  RE: Brightmail with Multiple Certificates
    Best Answer

    Broadcom Employee
    Posted Sep 16, 2013 02:10 PM

    The name needs to match the Messaging Gateway scanner. You are basically buying an ID for your scanner. When other mail servers send it mail, they need to see that the certificate matches what they are reaching out to.

    An example would be that a mail server is trying to send TLS to mail.domain.com. If it reaches out to that hostname and gets a response from scanner2.domain.com and the certificate says mail.domain.com, it's not going to trust that connection because the names don't match. The same as if you had a fake ID with a picture of a large bearded man when you are a young woman.



  • 5.  RE: Brightmail with Multiple Certificates

    Posted Sep 16, 2013 02:25 PM

    Ah ok. I think I get it now. Very funny analogy by the way.

    I assume for the new domain that we add to Protocols -> Domains, we should select "Require TLS encryption and verify certificate" under the Delivery tab. All our other domains in there have "Require TLS encryption and don't verify certificate."

    That's why we are under the impression the current cert is self-signed. We're having trouble determining if it is or not. There's not much information given under Administration -> Certificates.



  • 6.  RE: Brightmail with Multiple Certificates

    Broadcom Employee
    Posted Sep 16, 2013 03:13 PM

    If you export the certificate, you should be able to open it and view the details; there you can view the Issued By field. If it is the name of the appliance, then it is self-signed. Also, in the Certification Path tab, if this just shows the hostname of the scanner, then it is self-signed.
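The two checks discussed in replies 4 and 6 (does the certificate's name match the host the sending server connected to, and is the certificate self-signed, i.e. Issued By equals the subject) can be written down as a small script. This is an added example, not Messaging Gateway code or anything posted in this thread; the two certificate dictionaries are constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns, the issuer name "Example Public CA" is a placeholder, and the `evaluate()` function only models the self-signed/name-match part of "verify certificate" (a real verifier also checks that the chain ends at a trusted root).

```python
"""Model of what a sending mail server checks on a receiver's TLS certificate.

Added example, not Messaging Gateway code. The certificates below are
constructed test data in the nested-tuple layout of ssl.getpeercert().
"""


def _rdn_to_dict(name):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) name into a dict."""
    return {k: v for rdn in name for (k, v) in rdn}


def cert_names(cert):
    """DNS names the certificate claims: subjectAltName dNSName entries,
    falling back to the subject commonName when there is no SAN."""
    names = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = _rdn_to_dict(cert.get("subject", ())).get("commonName")
        if cn:
            names = [cn]
    return names


def dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive; a leading '*' matches exactly
    one label, so '*.domain.com' matches 'mail.domain.com' but not
    'a.b.domain.com' and not the bare 'domain.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True when any name in the certificate matches the host we connected to."""
    return any(dns_name_matches(n, hostname) for n in cert_names(cert))


def is_self_signed(cert):
    """Issuer equal to subject means the certificate was signed with its own key;
    when exported, 'Issued By' shows the appliance's own name."""
    return _rdn_to_dict(cert["issuer"]) == _rdn_to_dict(cert["subject"])


def evaluate(cert, connected_to, verify_certificate):
    """Mirror the Delivery-tab choice. With 'verify certificate' on, a self-signed
    certificate or a name mismatch is rejected; with 'don't verify', TLS is still
    required but the certificate's identity is not checked."""
    if not verify_certificate:
        return True, "TLS required, certificate not verified"
    if is_self_signed(cert):
        return False, "certificate is self-signed (issuer == subject)"
    if not hostname_matches(cert, connected_to):
        return False, "name mismatch: %s not in %s" % (connected_to, cert_names(cert))
    return True, "name matches and certificate has an external issuer"


# Constructed: a self-signed appliance certificate with no SAN, subject == issuer.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "scanner2.domain.com"),),),
    "issuer": ((("commonName", "scanner2.domain.com"),),),
}

# Constructed: a publicly issued certificate for the scanner's public name.
# "Example Public CA" is a placeholder issuer, not a real CA.
PUBLIC_CA_CERT = {
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "mail.domain.com"),)),
    "issuer": ((("organizationName", "Example Public CA"),), (("commonName", "Example Public CA Issuing CA 1"),)),
    "subjectAltName": (("DNS", "mail.domain.com"), ("DNS", "*.domain.com")),
}

if __name__ == "__main__":
    # The scenario from reply 4: the sender reached out to mail.domain.com.
    for label, cert in (("self-signed", SELF_SIGNED_CERT), ("public CA", PUBLIC_CA_CERT)):
        for verify in (True, False):
            ok, why = evaluate(cert, "mail.domain.com", verify)
            print("%-11s verify=%-5s -> %s (%s)" % (label, verify, "accept" if ok else "reject", why))
```

Running the script shows why the existing "don't verify certificate" partners keep working after a public certificate is installed (they never inspected the identity), while the new partner with "verify certificate" on needs the name in the certificate to match the name it connects to.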



  • 7.  RE: Brightmail with Multiple Certificates

    Posted Sep 16, 2013 03:59 PM

    You're awesome! That's exactly what I needed.

    If I can pick your brain one more time. How can I assign these certs to be used by specific domains or find out what domains are currently using the certs in question?



  • 8.  RE: Brightmail with Multiple Certificates

    Broadcom Employee
    Posted Sep 16, 2013 04:14 PM

    The certificate can only be assigned to the outbound or inbound interfaces, there is no way to make them domain specific.



  • 9.  RE: Brightmail with Multiple Certificates

    Posted Sep 16, 2013 04:41 PM

    Ok. I actually just discovered that. Thank you so much for your help, I really appreciate it.