S/MIME Certificate Profile

S/MIME uses public-key cryptography to digitally sign and encrypt email messages end to end: the message itself is protected, not only the connection that carries it. To protect your organization's email with S/MIME on NICeMail, you need an S/MIME certificate issued for your email address, and every certificate in its chain must meet the requirements below.

What you receive from your certificate authority and upload to NICeMail is a PKCS#12 bundle (.p12 or .pfx extension) that holds your private key together with the certificate chain. The chain must contain at least these three kinds of certificates:

  • Self-signed root certificate (the trust anchor)
  • One or more intermediate certificates, each issued by the certificate above it
  • End entity (leaf) certificate, issued to your email address. It binds your public key to that address; the matching private key is stored alongside it in the PKCS#12 file, so treat the bundle and its password as secrets.

Each certificate in the chain is signed by the one above it: the root signs the intermediate, the intermediate signs the end entity certificate, and a verifier walks the chain from the leaf up to a root it already trusts, checking each signature with the issuer's public key.

Certificate requirements

Each type of certificate in the chain must satisfy the following requirements to be trusted by NICeMail for S/MIME.

  1. Root certificates
    • Subject Public Key Info: rsaEncryption (an RSA public key) with a 2048-, 3072-, or 4096-bit modulus
  2. Intermediate certificates (one or more)
    • Version: 3
    • Signature Algorithm: RSA with SHA-256, SHA-384, or SHA-512 (sha256WithRSAEncryption, sha384WithRSAEncryption, or sha512WithRSAEncryption)
    • Subject Public Key Info: rsaEncryption with a 2048-, 3072-, or 4096-bit modulus
  3. End entity certificate
    • Version: 3
    • Signature Algorithm: RSA with SHA-256, SHA-384, or SHA-512
    • Subject Public Key Info: rsaEncryption with a 2048-, 3072-, or 4096-bit modulus
    • Subject DN: must include the email address (emailAddress attribute, OID 1.2.840.113549.1.9.1)
    • Subject Alternative Name: must contain the email address as an rfc822Name; this is the field mail clients match against the sender address
    • Extended Key Usage extension: only id-kp-emailProtection (OID 1.3.6.1.5.5.7.3.4) may be present; a certificate that also carries clientAuth, serverAuth, or other purposes is rejected
    • CRL Distribution Points extension: must be present, so the certificate can be checked for revocation
    • Authority Information Access extension: optional
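A checker for the chain layout and the per-certificate requirements above, written for this page as an added example; it is not NICeMail code and not part of its documentation. It assumes the Python `cryptography` package and constructs its own sample chain (Example Root CA, Example Issuing CA, a leaf for alice@example.org, a CRL URL under crl.example.org, password "changeit"), all of which are made-up test data; `check_profile` can be pointed at the bytes of a real .p12 in the same way.

```python
"""S/MIME PKCS#12 profile checker (added example; chain and names are constructed test data)."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID, SignatureAlgorithmOID

ALLOWED_SIG = {SignatureAlgorithmOID.RSA_WITH_SHA256, SignatureAlgorithmOID.RSA_WITH_SHA384,
               SignatureAlgorithmOID.RSA_WITH_SHA512}
ALLOWED_MODULUS_BITS = {2048, 3072, 4096}
PASSWORD = b"changeit"  # constructed sample password, not a real one


def _check_common(cert, role, signed=True):
    """Version and signature-algorithm checks (signed certs only) plus the RSA modulus check."""
    problems = []
    if signed and cert.version != x509.Version.v3:
        problems.append(f"{role}: version is not 3")
    if signed and cert.signature_algorithm_oid not in ALLOWED_SIG:
        problems.append(f"{role}: signature algorithm is not RSA with SHA-256/384/512")
    pub = cert.public_key()
    if not isinstance(pub, rsa.RSAPublicKey) or pub.key_size not in ALLOWED_MODULUS_BITS:
        problems.append(f"{role}: public key is not RSA with a 2048/3072/4096-bit modulus")
    return problems


def _ext(cert, cls):
    """Return the extension value of type cls, or None when the certificate lacks it."""
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None


def check_profile(p12_bytes, password, email):
    """Return the list of profile violations; an empty list means the bundle conforms."""
    key, leaf, cas = pkcs12.load_key_and_certificates(p12_bytes, password)
    if key is None or leaf is None:
        return ["bundle lacks an end-entity certificate with its private key"]
    problems = []
    if key.public_key().public_numbers() != leaf.public_key().public_numbers():
        problems.append("private key does not match the end-entity certificate")
    roots = [c for c in cas if c.subject == c.issuer]        # self-signed = trust anchor
    inters = [c for c in cas if c.subject != c.issuer]
    if not roots:
        problems.append("no self-signed root certificate in bundle")
    if not inters:
        problems.append("no intermediate certificate in bundle")
    for c in roots:
        problems += _check_common(c, "root", signed=False)   # profile only constrains the root key
    for c in inters:
        problems += _check_common(c, "intermediate")
    problems += _check_common(leaf, "end entity")
    # End-entity identity and extension requirements
    if email not in [a.value for a in leaf.subject.get_attributes_for_oid(NameOID.EMAIL_ADDRESS)]:
        problems.append("end entity: Subject DN lacks an emailAddress attribute for the mailbox")
    san = _ext(leaf, x509.SubjectAlternativeName)
    if san is None or email not in san.get_values_for_type(x509.RFC822Name):
        problems.append("end entity: SAN has no rfc822Name for the mailbox")
    eku = _ext(leaf, x509.ExtendedKeyUsage)
    if eku is None or list(eku) != [ExtendedKeyUsageOID.EMAIL_PROTECTION]:
        problems.append("end entity: Extended Key Usage must be exactly id-kp-emailProtection")
    if _ext(leaf, x509.CRLDistributionPoints) is None:
        problems.append("end entity: CRL Distribution Points extension missing")
    # Walk upward: each certificate's signature must verify under the certificate above it
    cert, role = leaf, "end entity"
    for _ in range(len(cas) + 1):
        if cert.subject == cert.issuer:
            break
        issuer = next((c for c in cas if c.subject == cert.issuer), None)
        if issuer is None:
            problems.append(f"{role}: issuer {cert.issuer.rfc4514_string()} not in bundle")
            break
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        except InvalidSignature:
            problems.append(f"{role}: signature does not verify under its issuer")
        cert, role = issuer, "intermediate"
    return problems


def _name(cn, email=None):
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, cn)]
    if email:
        attrs.append(x509.NameAttribute(NameOID.EMAIL_ADDRESS, email))
    return x509.Name(attrs)


def _cert(subject, issuer, pub, signer, exts):
    now = datetime.now(timezone.utc)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer).public_key(pub)
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - timedelta(days=1)).not_valid_after(now + timedelta(days=365)))
    for ext, critical in exts:
        b = b.add_extension(ext, critical=critical)
    return b.sign(signer, hashes.SHA256())


def build_bundle(email, dual_use=False):
    """Constructed sample root -> intermediate -> leaf chain as PKCS#12; dual_use adds clientAuth."""
    ca_exts = [(x509.BasicConstraints(ca=True, path_length=None), True)]
    root_key, int_key, leaf_key = (rsa.generate_private_key(public_exponent=65537, key_size=2048)
                                   for _ in range(3))
    root_name = _name("Example Root CA")
    root = _cert(root_name, root_name, root_key.public_key(), root_key, ca_exts)
    inter = _cert(_name("Example Issuing CA"), root_name, int_key.public_key(), root_key, ca_exts)
    eku = [ExtendedKeyUsageOID.EMAIL_PROTECTION] + ([ExtendedKeyUsageOID.CLIENT_AUTH] if dual_use else [])
    leaf_exts = [
        (x509.SubjectAlternativeName([x509.RFC822Name(email)]), False),
        (x509.ExtendedKeyUsage(eku), False),
        (x509.CRLDistributionPoints([x509.DistributionPoint(
            full_name=[x509.UniformResourceIdentifier("http://crl.example.org/issuing.crl")],
            relative_name=None, reasons=None, crl_issuer=None)]), False),
    ]
    leaf = _cert(_name("Alice", email), inter.subject, leaf_key.public_key(), int_key, leaf_exts)
    return pkcs12.serialize_key_and_certificates(
        b"alice", leaf_key, leaf, [inter, root], serialization.BestAvailableEncryption(PASSWORD))


if __name__ == "__main__":
    print("conforming:", check_profile(build_bundle("alice@example.org"), PASSWORD, "alice@example.org"))
    print("dual-use:", check_profile(build_bundle("alice@example.org", dual_use=True), PASSWORD, "alice@example.org"))
```

The checker mirrors the profile rather than general X.509 path validation: it does not fetch or evaluate the CRL named in the distribution point, does not check validity dates, and does not verify the root's self-signature, since the profile only constrains the root's key. The dual-use case shows the most common rejection in practice, a certificate that carries clientAuth next to emailProtection.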
