CA Certificates for Commercial Email Services
April 2014

Contents
Abstract
Notable CA Certificates
Certificates and Certificate Authorities (CA)
Obtaining CA Certificates
Abstract
Digital Sending features that use email servers should use an SSL-encrypted connection. When working with commercially provided services such as Gmail, Office365, Yahoo, or even with Enterprise services, SSL should be properly configured with the correct Certificate Authority (CA) certificates. This bulletin gives guidance on obtaining the proper CA certificate.
For most users, CA Certificates are invisible since they are pre-installed into browsers and operating systems. In contrast, specialized printers such as HP Multifunction Printers (MFPs) do not have certificates preloaded and the proper CA certificates must be installed before such printers can correctly validate a server.
Obtaining CA Certificates
There are a number of ways to obtain the correct CA Certificate.
1) Request the CA Certificate from the administrator of the server.
2) After identifying the Certificate Authority, request the certificate directly from the Certificate Authority.
3) After identifying the Certificate Authority, search for the CA Certificate in the certificate repository of a trusted operating system or browser.
4) Use an online tool such as https://ssl-tools.net.
Figure 1: Check your mail servers encryption
3) In the SSL check results page, click the certificate for the server.
Note: Make sure to select the correct certificate for the server as one or more servers will be displayed, along with their CA certificates.
4) In the Certificates details page, click on the Root CA certificate or self-signed certificate (Certificate is self-signed), the last certificate in the Certificate chain.
Figure 3: Certificate chain
5) On the DigiCert High Assurance EV Root CA page, select the self-signed certificate and download the PEM format. The PEM format is the certificate required to validate the SMTP server.
Appendix 1: Installing a CA certificate into a LaserJet with Jetdirect networking
Note: Certificate Management will be revised in mid-2015. This section will no longer apply for the newer firmware releases.
After identifying and obtaining the CA certificate for your email service, the certificate should be installed into your HP LaserJet printer using the EWS interface.
4) In the Certificate Options section, make sure that the Install CA certificates option is enabled and then click Next.
Figure 6: Certificate options
5) In the Install CA Certificate section, click Browse, select the certificate from your PC, and then click Finish.
Note: If the certificate is an Intermediate certificate, check the “Allow Intermediate CA” checkbox. An intermediate CA certificate is a CA certificate in which the Subject and Issuer are not the same.
Appendix 2: Certificate Validation
A certificate, whether CA or Identity, consists of a number of plain text fields that are user-readable, and a few mathematical items that are readable, but nonsensical to normal users. This document provides information about the Subject and Issuer fields; the Valid from and Valid to fields are of secondary interest. It also provides information about the Public Key and the Private Key mathematical encryption objects.
This certificate was issued by Sample Root Certificate Authority to smtp.sample.com. A CA Certificate is essentially the same as an identity certificate, with Subject and Issuer fields having the same significance. A sample CA certificate is shown below:
Figure 9: Certificate Details – Issuer and Subject fields
The Subject of this certificate is Sample Root Certificate Authority, the organization to which the certificate was issued and that will use the certificate.
anything encrypted by the public key can only be decrypted by the private key, and b) anything encrypted by the private key can only be decrypted by the public key. The public/private key pair provides the key elements for the validation of an identity certificate by a CA certificate. When a CA issues a certificate, it encrypts all the certificate information with its private key and attaches the encrypted version to the unencrypted information.
Appendix 3: Certificate Chaining
In the real world, Certificate Authorities delegate the signing of certificates to other Certificate Authorities. Each such intermediate (or subordinate) Certificate Authority uses a certificate issued by the root CA (or an intermediate) to sign and issue certificates. As a result, certificates form a chain between the identity certificate presented by the end-entity and the root CA certificate.
C) The certificate was issued by Equifax Secure Certificate Authority, which is self-signed, i.e. signed as well as issued by Equifax Secure Certificate Authority. Equifax Secure Certificate Authority takes the role of both issuer and subject because it is a Root certificate authority, a certificate authority that is the root of trust.
Figure 12: Equifax Secure Certificate Authority in Subject field

© 2015 Hewlett-Packard Development Company, L.P.
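The validation described in Appendix 2 and the chaining described in Appendix 3, as an added example that is not part of the original bulletin: it follows Issuer to Subject links from an identity certificate to an installed CA certificate and shows the failure when no root is installed. The keys are textbook RSA built from small constructed primes, the signature covers a SHA-256 hash of the fields, and the dictionary layout, the function names and "Sample Intermediate CA" are assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent shared by every constructed key below

def make_key(p, q):
    """Textbook RSA from two primes: returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def fields_hash(cert, n):
    """Hash the plain-text fields, reduced to fit the signer's modulus n."""
    text = f"{cert['subject']}|{cert['issuer']}|{cert['pubkey']}".encode()
    return int.from_bytes(hashlib.sha256(text).digest(), "big") % n

def issue(subject, subject_pubkey, issuer, issuer_key):
    """The issuer signs the fields with its private key and attaches the result."""
    n, d = issuer_key
    cert = {"subject": subject, "issuer": issuer, "pubkey": subject_pubkey}
    return dict(cert, sig=pow(fields_hash(cert, n), d, n))

def signed_by(cert, ca_cert):
    """Recover the signed hash with the CA's public key and compare it."""
    n = ca_cert["pubkey"]
    return pow(cert["sig"], E, n) == fields_hash(cert, n)

def validate(identity, presented, installed):
    """Follow Issuer -> Subject links until an installed CA certificate is reached."""
    cert, pool = identity, {c["subject"]: c for c in presented}
    for _ in range(len(presented) + 1):
        anchor = installed.get(cert["issuer"])
        if anchor is not None:
            ok = signed_by(cert, anchor)
            return ok, anchor["subject"] if ok else "bad signature"
        parent = pool.get(cert["issuer"])
        if parent is None or parent is cert:  # unknown issuer, or an uninstalled self-signed root
            return False, "issuer not installed: " + cert["issuer"]
        if not signed_by(cert, parent):
            return False, "bad signature"
        cert = parent
    return False, "chain too long"

def m(k): return 2**k - 1  # Mersenne primes stand in for real key material (constructed demo chain)
root_key, inter_key = make_key(m(61), m(89)), make_key(m(107), m(127))
ROOT = issue("Sample Root Certificate Authority", root_key[0], "Sample Root Certificate Authority", root_key)
INTER = issue("Sample Intermediate CA", inter_key[0], "Sample Root Certificate Authority", root_key)
LEAF = issue("smtp.sample.com", m(89) * m(107), "Sample Intermediate CA", inter_key)

if __name__ == "__main__":
    for store in ({ROOT["subject"]: ROOT}, {}):  # root installed, then an empty certificate store
        print(validate(LEAF, [INTER], store))
```

With the root installed the chain validates; with an empty store, as on a device with no preloaded certificates, validation stops at the missing root.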