
Brightmail with Multiple Certificates

Created: 16 Sep 2013 • Updated: 16 Sep 2013 | 8 comments
This issue has been solved. See solution.

Hi,

We have a messaging gateway 10.0.1 and require a TLS certificate to communicate with some of our customers. Currently we have a self-signed cert. A new customer requires that we have a cert issued by a public CA.

My question is:

Will adding this extra cert break anything with any of our other customers currently using our self-signed cert, and can we have a self-signed cert and a public cert coexist?

Thanks,

Crazy Tech


TSE-JDavis:

As long as you have the certificate set up with a CSR from the Messaging Gateway and the hostname matches the public DNS records for the scanner, it should work very well.

Crazy Tech:

Thanks for the reply. I'm sorry, but I'm very new to Brightmail. So you're saying the common name in the certificate must match the DNS record for our customer's mail server?

TSE-JDavis:

The name needs to match the Messaging Gateway scanner. You are basically buying an ID for your scanner. When other mail servers send it mail, they need to see that the certificate matches what they are reaching out to.

An example would be that a mail server is trying to send TLS to mail.domain.com. If it reaches out to that hostname and gets a response from scanner2.domain.com and the certificate says mail.domain.com, it's not going to trust that connection because the names don't match. The same as if you had a fake ID with a picture of a large bearded man when you are a young woman.

SOLUTION
Crazy Tech:

Ah ok. I think I get it now. Very funny analogy by the way.

I assume for the new domain that we add to Protocols -> Domains, we should select "Require TLS encryption and verify certificate" under the Delivery tab. All our other domains in there have "Require TLS encryption and don't verify certificate."

That's why we are under the impression the current cert is self signed. We're having trouble determining if it is or not. There's not much information given under Administration -> Certificates.

TSE-JDavis:

If you export the certificate, you should be able to open it and view the details, including the Issued By field. If it is the name of the appliance, then it is self-signed. Also, in the Certification Path tab, if this just shows the hostname of the scanner, then it is self-signed.
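The two checks the thread turns on, the name the sending server connected to having to appear in the certificate (TSE-JDavis's mail.domain.com versus scanner2.domain.com example) and a self-signed certificate being one whose Issued By field is its own subject, can be expressed in a few lines. The block below is an added example, not code from the thread or from Symantec; it works on the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns, and the two sample certificates are constructed for the example, not taken from any real scanner.

```python
"""Inspect a peer certificate in the dict shape ssl.getpeercert() returns.

Added example, not from the original thread. Checks the two things the
thread discusses: whether the hostname the sender connected to matches a
name in the certificate, and whether the certificate is self-signed
(issuer == subject).
"""


def _names_in_cert(cert):
    """DNS names the certificate is valid for: subjectAltName DNS entries,
    falling back to the subject commonName only when there is no SAN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def _dns_match(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive exact match, or a
    single leading '*.' wildcard that covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # e.g. ".domain.com"
        if not hostname.endswith(suffix):
            return False
        left = hostname[: -len(suffix)]          # the label the '*' stands for
        return bool(left) and "." not in left
    return False


def hostname_matches(cert, hostname):
    """True if the name the sender reached out to is in the certificate."""
    return any(_dns_match(p, hostname) for p in _names_in_cert(cert))


def is_self_signed(cert):
    """The Issued By (issuer) field equals the subject: the appliance vouched
    for itself, which is what the thread means by 'self-signed'."""
    return cert.get("issuer") == cert.get("subject")


def describe(cert, hostname):
    """Summary a mail admin would want before turning on 'verify certificate'."""
    return {
        "hostname_ok": hostname_matches(cert, hostname),
        "self_signed": is_self_signed(cert),
    }


# Constructed sample certificates (hypothetical names, not real hosts).
# A scanner that signed its own certificate: issuer == subject.
SELF_SIGNED_SCANNER = {
    "subject": ((("commonName", "scanner2.domain.com"),),),
    "issuer": ((("commonName", "scanner2.domain.com"),),),
    "subjectAltName": (("DNS", "scanner2.domain.com"),),
}

# A certificate from a public CA that lists both the public MX name and
# the scanner's own name, so either name the sender connects to is covered.
PUBLIC_CA_MAIL = {
    "subject": ((("commonName", "mail.domain.com"),),),
    "issuer": (
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA Issuing CA 1"),),
    ),
    "subjectAltName": (("DNS", "mail.domain.com"), ("DNS", "scanner2.domain.com")),
}


if __name__ == "__main__":
    # A sender connecting to mail.domain.com and being answered with the
    # scanner's self-signed certificate fails both checks.
    print("self-signed scanner:", describe(SELF_SIGNED_SCANNER, "mail.domain.com"))
    print("public CA cert:     ", describe(PUBLIC_CA_MAIL, "mail.domain.com"))
```

`getpeercert()` only fills this dictionary in when the handshake verified the chain, so a self-signed scanner certificate will not get as far as the hostname check on a sender that verifies; that is the failure mode the "verify certificate" delivery setting surfaces. Comparing the exported certificate's Issued By field to its subject, as described above, is the offline equivalent of `is_self_signed`.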

Crazy Tech:

You're awesome! That's exactly what I needed.

If I can pick your brain one more time. How can I assign these certs to be used by specific domains or find out what domains are currently using the certs in question?

TSE-JDavis:

The certificate can only be assigned to the outbound or inbound interfaces; there is no way to make them domain specific.

Crazy Tech:

Ok. I actually just discovered that. Thank you so much for your help, I really appreciate it.