Multiple S/MIME certificate support in Active Directory
If a certificate that is used for signing or encryption expires, mail that was signed or encrypted with that certificate can no longer be verified or decrypted on the device. MaaS360® users can now decrypt and validate older mail that was protected with earlier certificates, because MaaS360 includes both the current active certificate and the older, expired certificates when it sends the Exchange profile to a device.
Note: This feature is supported by Cloud Extender® 2.93 and later.
Cloud Extender 2.92 and earlier
In releases prior to Cloud Extender 2.93, when the administrator configured an Active Directory certificate template set to S/MIME, the Cloud Extender took the following actions:
- Scanned all certificates that matched the S/MIME key usage that is configured on the certificate template.
- Located and retrieved the certificate with the expiration date that was the furthest out from expiring.
- Sent that certificate to the MaaS360 Portal.
Cloud Extender 2.93 and later
In the Cloud Extender 2.93 release, when the administrator configures an Active Directory certificate template set to S/MIME, the Cloud Extender takes the following actions:
- Scans all certificates that match the S/MIME key usage that is configured on the certificate template.
- Locates and retrieves the certificate with the expiration date that is the furthest out from expiring and sends that certificate to the MaaS360 Portal as the primary certificate.
- Locates and retrieves the other certificates that match the S/MIME key usage, regardless of expiration date, and sends those certificates to the MaaS360 Portal as secondary certificates.
  - Valid certificates include all expired certificates.
  - Valid certificates do not include certificates that are revoked.
- The Certificate Integration module sends the original certificate in the main payload and the additional certificates in an <AdditionalCertificates> tag. The module sends additional certificates only when the <AdditionalCertificate> tag is present in the payload; that tag is not present in MDM enrollments, so SPS policies must be used.
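The selection rules above (primary = the matching certificate that expires furthest out; secondaries = every other S/MIME-capable certificate, expired ones included, revoked ones excluded) are easy to get subtly wrong, so the following is an added example that models them in Python. It is not Cloud Extender code: the `Cert` records, the sample store and the payload shape are constructed for illustration, the Exchange profile format on the page is known only by its <AdditionalCertificates> tag, and applying the revocation filter to the primary candidate as well as the secondaries is an assumption beyond what the page states. The S/MIME key usage is matched on the standard id-kp-emailProtection extended key usage OID.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# id-kp-emailProtection: the extended key usage that marks a certificate as S/MIME-capable.
SMIME_EKU = "1.3.6.1.5.5.7.3.4"


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a certificate found in the user's store (constructed model)."""
    serial: str
    ekus: tuple          # extended key usage OIDs present on the certificate
    not_after: datetime  # expiration (UTC)
    revoked: bool = False


def smime_candidates(certs):
    """Certificates that carry the S/MIME key usage and are not revoked.
    Assumption: revoked certificates are dropped before primary selection too."""
    return [c for c in certs if SMIME_EKU in c.ekus and not c.revoked]


def select_legacy(certs):
    """Cloud Extender 2.92 and earlier: only the certificate expiring furthest out is sent."""
    cands = smime_candidates(certs)
    if not cands:
        return None
    return max(cands, key=lambda c: c.not_after)


def select_current(certs):
    """Cloud Extender 2.93 and later: the certificate expiring furthest out becomes the
    primary; every other S/MIME-capable certificate (expired ones included) is a secondary."""
    cands = sorted(smime_candidates(certs), key=lambda c: c.not_after, reverse=True)
    if not cands:
        return None, []
    return cands[0], cands[1:]


def build_payload(primary, secondaries, now):
    """Constructed payload shape: the primary certificate in the main payload and the rest
    under an AdditionalCertificates element, as the page describes. The real profile format
    is not documented here, so only the element name is taken from the page."""
    return {
        "Certificate": primary.serial,
        "AdditionalCertificates": [
            {"serial": c.serial, "expired": c.not_after < now} for c in secondaries
        ],
    }


# Constructed sample store: one expired S/MIME cert, two current ones, one revoked,
# and one client-authentication-only cert that must be ignored.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_STORE = (
    Cert("01", (SMIME_EKU,), datetime(2022, 1, 1, tzinfo=timezone.utc)),                 # expired, still a secondary
    Cert("02", (SMIME_EKU,), datetime(2025, 1, 1, tzinfo=timezone.utc)),                 # current, secondary
    Cert("03", (SMIME_EKU,), datetime(2026, 1, 1, tzinfo=timezone.utc)),                 # furthest out, primary
    Cert("04", (SMIME_EKU,), datetime(2025, 6, 1, tzinfo=timezone.utc), revoked=True),   # revoked, never sent
    Cert("05", ("1.3.6.1.5.5.7.3.2",), datetime(2027, 1, 1, tzinfo=timezone.utc)),       # client auth only, ignored
)


if __name__ == "__main__":
    legacy = select_legacy(SAMPLE_STORE)
    primary, secondaries = select_current(SAMPLE_STORE)
    print("2.92 and earlier sends:", legacy.serial)
    print("2.93 and later sends:", build_payload(primary, secondaries, NOW))
```

Running the module prints the single certificate the older release would send beside the primary-plus-secondaries payload of 2.93, which makes the practical difference visible: the expired certificate 01 reaches the device only under the newer behaviour, and the revoked certificate 04 and the non-S/MIME certificate 05 reach it under neither.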