Multiple S/MIME certificate support in Active Directory

If a certificate that is used for signing or encryption expires, mail that was signed or encrypted with that certificate can no longer be verified or decrypted. MaaS360® users can now decrypt and validate old mail that was protected with older certificates, because MaaS360 includes both the current active certificate and older, expired certificates when it sends the Exchange profile to a device.

Note: This feature is supported by Cloud Extender® 2.93 and later.

Cloud Extender 2.92 and earlier

In releases prior to Cloud Extender 2.93, when the administrator configured an Active Directory certificate template set to S/MIME, the Cloud Extender took the following actions:

  1. Scanned all certificates that matched the S/MIME key usage that is configured on the certificate template.
  2. Located and retrieved the certificate with the expiration date that was the furthest out from expiring.
  3. Sent that certificate to the MaaS360 Portal.

Cloud Extender 2.93 and later

In the Cloud Extender 2.93 release, when the administrator configures an Active Directory certificate template set to S/MIME, the Cloud Extender takes the following actions:

  1. Scans all certificates that match the S/MIME key usage that is configured on the certificate template.
  2. Locates and retrieves the certificate with the expiration date that is the furthest out from expiring and sends that certificate to the MaaS360 Portal as the primary certificate.
  3. Locates and retrieves other certificates that match the S/MIME key usage regardless of expiration date and sends those certificates to the MaaS360 Portal as secondary certificates.

Things to note:
  • Expired certificates are treated as valid and are included.
  • Revoked certificates are not treated as valid and are not included.
  • The Certificate Integration module sends the original certificate in the main payload and additional certificates in a <AdditionalCertificates> tag. The module sends additional certificates only if the <AdditionalCertificate> tag is in the payload, which is not present in MDM enrollments. SPS policies must be used.
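The selection rules above (match the template's S/MIME key usage, pick the certificate that expires furthest out as the primary, keep the remaining matches including expired ones as secondaries, drop revoked ones) are easy to get subtly wrong, so here is the logic as an added worked example. This is illustration code, not Cloud Extender's own implementation; the `CertInfo` record, the function names and the sample thumbprints are constructed for the example, and only the `AdditionalCertificates` tag name comes from the page.

```python
"""Worked example of the 2.92 vs 2.93 S/MIME certificate selection rules.
Illustration only; not Cloud Extender code. Metadata shape is an assumption."""
from dataclasses import dataclass
from datetime import datetime, timezone

# emailProtection extended key usage OID (RFC 5280); this is the usage that
# an S/MIME certificate template configures.
SMIME_EKU_OID = "1.3.6.1.5.5.7.3.4"
CLIENT_AUTH_EKU_OID = "1.3.6.1.5.5.7.3.2"


@dataclass(frozen=True)
class CertInfo:
    """Minimal certificate metadata needed for selection (assumed shape)."""
    thumbprint: str
    not_after: datetime
    ekus: tuple
    revoked: bool = False


def matches_template(cert: CertInfo, eku_oid: str = SMIME_EKU_OID) -> bool:
    """A certificate matches the template when it carries the template's EKU."""
    return eku_oid in cert.ekus


def candidate_certs(certs, eku_oid: str = SMIME_EKU_OID):
    """Matching certificates: revoked ones are excluded, expired ones are kept."""
    return [c for c in certs if matches_template(c, eku_oid) and not c.revoked]


def select_legacy(certs):
    """Cloud Extender 2.92 and earlier: only the certificate expiring furthest out."""
    cands = candidate_certs(certs)
    if not cands:
        return None
    return max(cands, key=lambda c: c.not_after)


def select_current(certs):
    """Cloud Extender 2.93 and later: primary plus every other match, regardless of expiry."""
    cands = candidate_certs(certs)
    if not cands:
        return None, []
    primary = max(cands, key=lambda c: c.not_after)
    # Secondaries keep expired certificates so old mail can still be decrypted/verified.
    secondaries = sorted((c for c in cands if c is not primary),
                         key=lambda c: c.not_after, reverse=True)
    return primary, secondaries


def build_payload(primary: CertInfo, secondaries, include_additional: bool = True) -> dict:
    """Payload shape: primary in the main body, the rest under AdditionalCertificates.
    The tag name follows the page; the surrounding structure is an assumption.
    include_additional=False models an MDM enrollment, where the tag is absent."""
    payload = {"Certificate": primary.thumbprint}
    if include_additional:
        payload["AdditionalCertificates"] = [c.thumbprint for c in secondaries]
    return payload


# Constructed sample certificates (thumbprints are placeholders, not real values).
_UTC = timezone.utc
SAMPLE_CERTS = [
    CertInfo("AAAA-current", datetime(2026, 1, 1, tzinfo=_UTC), (SMIME_EKU_OID,)),
    CertInfo("BBBB-expired", datetime(2023, 6, 30, tzinfo=_UTC), (SMIME_EKU_OID,)),
    CertInfo("CCCC-revoked", datetime(2025, 1, 1, tzinfo=_UTC), (SMIME_EKU_OID,), revoked=True),
    CertInfo("DDDD-clientauth", datetime(2027, 1, 1, tzinfo=_UTC), (CLIENT_AUTH_EKU_OID,)),
]


if __name__ == "__main__":
    print("2.92 sends:", select_legacy(SAMPLE_CERTS).thumbprint)
    primary, secondaries = select_current(SAMPLE_CERTS)
    print("2.93 sends:", build_payload(primary, secondaries))
```

Note that the client-authentication-only certificate is never a candidate even though it expires later than every S/MIME certificate: the furthest-expiry rule runs only over certificates that match the template's key usage.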