Managing authority certificates and recovery certificates in SDMC
Using SDS Enterprise requires the use of encryption and signature keys. In addition, the keys must be certified by trusted certification authorities.
Requirements
You must have your own infrastructure to generate encryption and signature keys for the users in the company. You can then distribute them to users by whatever method you choose, for example via smart cards.
SDMC makes it possible to declare the certification authorities that issued certificates containing your users' identities and public keys. These authorities are therefore considered trustworthy.
To do so, you must import the certificates from all authorities in the certificate library, then use them in your security policies.
SDMC also makes it possible to import recovery certificates, which are necessary when users lose their encryption keys. For more information, see the section Enabling data recovery.
Certificates are distributed to users via LDAP directories and added automatically to their trusted address book. For more information, refer to the section Managing LDAP directories in SDMC.
The following certificate formats are supported:
- .cer
- .cert
- .crt
- .der
- .pem
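The extensions above do not pin down the encoding: on real systems a .cer, .cert or .crt file may hold either PEM (Base64 between BEGIN/END CERTIFICATE markers) or raw DER. The following added example (not SDMC or SDS Enterprise code; the function names and the constructed sample certificate are assumptions) sniffs the content, rejects unsupported extensions, and normalises every certificate in the file to DER, which is the check an import step should make before trusting a file.

```python
"""Normalise certificate files in the formats listed above to DER.

Added example, not SDMC or SDS Enterprise code. The .cer, .cert and .crt
extensions may contain either PEM or DER, so the content is sniffed instead
of trusting the extension; the function names are assumptions.
"""
import base64
import re
from typing import List, Optional

SUPPORTED_EXTENSIONS = {".cer", ".cert", ".crt", ".der", ".pem"}
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_sequence_length(data: bytes) -> Optional[int]:
    """Total length of the outer DER SEQUENCE (tag 0x30), or None when the
    header is malformed or does not cover exactly the whole buffer."""
    if len(data) < 2 or data[0] != 0x30:  # Certificate ::= SEQUENCE
        return None
    first = data[1]
    if first < 0x80:  # short-form length
        body_len, header_len = first, 2
    else:  # long form: 0x80 | number of length bytes that follow
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:  # indefinite or absurd length
            return None
        body_len = int.from_bytes(data[2:2 + n], "big")
        header_len = 2 + n
    total = header_len + body_len
    return total if total == len(data) else None


def pem_to_der(data: bytes) -> List[bytes]:
    """Decode every CERTIFICATE block in a PEM file (a bundle gives several)."""
    blobs = []
    for match in PEM_BLOCK.finditer(data):
        body = b"".join(match.group(1).split())  # drop line breaks and whitespace
        blobs.append(base64.b64decode(body, validate=True))
    return blobs


def load_certificates(filename: str, data: bytes) -> List[bytes]:
    """Return the DER certificates contained in *data*.

    Raises ValueError for an unsupported extension or unrecognised content."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if ext not in SUPPORTED_EXTENSIONS:
        raise ValueError(f"unsupported certificate file extension: {ext!r}")
    if b"-----BEGIN CERTIFICATE-----" in data:
        blobs = pem_to_der(data)
    elif der_sequence_length(data) is not None:
        blobs = [data]
    else:
        blobs = []
    if not blobs:
        raise ValueError(f"{filename}: no certificate found")
    for blob in blobs:
        if der_sequence_length(blob) is None:
            raise ValueError(f"{filename}: PEM body is not a DER SEQUENCE")
    return blobs


# Constructed sample: a DER SEQUENCE header with a zero-filled 256-byte body
# stands in for a real certificate (only the outer structure matters here).
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_B64 = base64.b64encode(SAMPLE_DER)
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + b"\n".join(SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64))
    + b"\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for name, content in (("ca.pem", SAMPLE_PEM), ("ca.crt", SAMPLE_DER)):
        certs = load_certificates(name, content)
        print(name, "->", len(certs), "certificate(s),", len(certs[0]), "bytes of DER")
```

The DER length check is deliberately strict: a buffer whose outer SEQUENCE does not cover exactly the file is rejected rather than silently truncated, so trailing junk or a cut-off download is caught at import time.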
If several certificates are available for the same user (in the trusted address book or in an LDAP directory), SDS Enterprise automatically selects the valid certificate with the most recent validity start date.
If the e-mail address of a user changes (e.g., change in marital or employment status), this user's certificate must be renewed (with a publication in the LDAP directory, if necessary) so that their e-mail address is the same as the one on their certificate(s). If this is not the case, other users will no longer be able to send secured messages, or encrypt files or folders, for any user whose e-mail address has changed.
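The two rules above (pick the valid certificate with the most recent validity start date; a certificate whose address no longer matches the user's is unusable until renewed) are easy to get wrong when several certificates coexist. The following added example (not SDS Enterprise code; `CertRecord` is a constructed stand-in for an entry from the trusted address book or an LDAP directory, and every field and function name is an assumption) implements both rules over a constructed set of certificates for one user after a name change, including an expired, a not-yet-valid and a stale-address certificate.

```python
"""Pick a user's certificate the way the two paragraphs above describe.

Added example, not SDS Enterprise code: CertRecord is a constructed stand-in
for an entry from the trusted address book or an LDAP directory, and all
field and function names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class CertRecord:
    serial: str
    email: str            # address carried in the certificate
    not_before: datetime  # validity start date
    not_after: datetime   # expiry date


def is_valid_at(cert: CertRecord, now: datetime) -> bool:
    """True when *now* lies inside the certificate's validity period."""
    return cert.not_before <= now <= cert.not_after


def select_certificate(candidates: List[CertRecord], user_email: str,
                       now: datetime) -> Optional[CertRecord]:
    """Return the valid certificate with the most recent validity start date.

    Certificates whose address differs from the user's current one are not
    usable for that user, which is why an address change requires renewal."""
    usable = [
        c for c in candidates
        if c.email.lower() == user_email.lower() and is_valid_at(c, now)
    ]
    if not usable:
        return None
    return max(usable, key=lambda c: c.not_before)


def certificates_needing_renewal(candidates: List[CertRecord], user_email: str,
                                 now: datetime) -> List[CertRecord]:
    """Still-valid certificates carrying an address other than the user's
    current one: the ones an administrator must renew and republish."""
    return [
        c for c in candidates
        if is_valid_at(c, now) and c.email.lower() != user_email.lower()
    ]


def utc_date(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample: four certificates found for one user after a name change.
NOW = utc_date(2024, 6, 1)
CURRENT_EMAIL = "jane.smith@example.com"
CANDIDATES = [
    CertRecord("A", "jane.smith@example.com", utc_date(2022, 1, 1), utc_date(2025, 1, 1)),  # valid, oldest start
    CertRecord("B", "jane.smith@example.com", utc_date(2024, 3, 1), utc_date(2026, 3, 1)),  # valid, most recent start
    CertRecord("C", "jane.doe@example.com",   utc_date(2024, 5, 1), utc_date(2026, 5, 1)),  # old address: renew
    CertRecord("D", "jane.smith@example.com", utc_date(2024, 7, 1), utc_date(2026, 7, 1)),  # not yet valid
]

if __name__ == "__main__":
    chosen = select_certificate(CANDIDATES, CURRENT_EMAIL, NOW)
    print("selected:", chosen.serial if chosen else None)
    print("renew:", [c.serial for c in certificates_needing_renewal(CANDIDATES, CURRENT_EMAIL, NOW)])
```

Note that certificate "C" has the most recent start date of the valid ones but is never chosen for the user's current address; only renewing it with the new address (and republishing it in the directory) makes it a candidate again.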
Keys generated by your infrastructure must comply with the following PKCS#11 attributes:
- Private key:
  - CKA_DECRYPT
  - CKA_SIGN
  - CKA_SIGN_RECOVER
  - CKA_UNWRAP
- Public key:
  - CKA_ENCRYPT
  - CKA_VERIFY
  - CKA_VERIFY_RECOVER
  - CKA_WRAP
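A practitioner generating keys on their own infrastructure will want to verify that each key pair actually carries the attributes listed above before distributing it. The following added example (not SDMC code; the attribute dictionaries are constructed stand-ins for what a token returns through C_GetAttributeValue or a wrapper library, and the function names are assumptions) checks a key pair against the list and produces the attribute template to use at generation time so that keys comply from the start.

```python
"""Check a generated key pair against the PKCS#11 attribute list above.

Added example, not SDMC code. The attribute dictionaries are constructed
stand-ins for what a token returns through C_GetAttributeValue (or a wrapper
library); the function names are assumptions."""
from typing import Dict, List

# Attribute names exactly as listed in the requirement above.
REQUIRED_ATTRIBUTES = {
    "private": ("CKA_DECRYPT", "CKA_SIGN", "CKA_SIGN_RECOVER", "CKA_UNWRAP"),
    "public": ("CKA_ENCRYPT", "CKA_VERIFY", "CKA_VERIFY_RECOVER", "CKA_WRAP"),
}


def missing_attributes(kind: str, attrs: Dict[str, bool]) -> List[str]:
    """Required attributes that are absent or not CK_TRUE on the key."""
    if kind not in REQUIRED_ATTRIBUTES:
        raise ValueError(f"unknown key kind: {kind!r}")
    return [name for name in REQUIRED_ATTRIBUTES[kind] if not attrs.get(name, False)]


def check_key_pair(private_attrs: Dict[str, bool],
                   public_attrs: Dict[str, bool]) -> Dict[str, List[str]]:
    """Per-key list of missing attributes; an empty dict means the pair complies."""
    report: Dict[str, List[str]] = {}
    for kind, attrs in (("private", private_attrs), ("public", public_attrs)):
        missing = missing_attributes(kind, attrs)
        if missing:
            report[kind] = missing
    return report


def generation_template(kind: str) -> Dict[str, bool]:
    """Attribute template to hand to the key-generation call so the key
    complies from the start; the caller adds label, key size and the like."""
    if kind not in REQUIRED_ATTRIBUTES:
        raise ValueError(f"unknown key kind: {kind!r}")
    return {name: True for name in REQUIRED_ATTRIBUTES[kind]}


# Constructed samples: a compliant pair, and a private key generated without
# CKA_SIGN_RECOVER and CKA_UNWRAP. Attributes outside the required list
# (CKA_SENSITIVE here) are ignored by the check.
COMPLIANT_PRIVATE = {**generation_template("private"), "CKA_SENSITIVE": True}
COMPLIANT_PUBLIC = generation_template("public")
INCOMPLETE_PRIVATE = {"CKA_DECRYPT": True, "CKA_SIGN": True, "CKA_SIGN_RECOVER": False}

if __name__ == "__main__":
    print("compliant pair:", check_key_pair(COMPLIANT_PRIVATE, COMPLIANT_PUBLIC))
    print("incomplete pair:", check_key_pair(INCOMPLETE_PRIVATE, COMPLIANT_PUBLIC))
```

An attribute explicitly set to CK_FALSE is reported the same way as one that is absent, since the key is equally unusable for that operation in both cases.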
1. Select the Certificate library menu on the left.
2. Click on Import at the top on the right.
3. Select the file and certificate type and import it.
The certificate list shows each certificate's name, type, the security policies in which it is used, and its expiry date.
After you have imported the certificates of the certification authorities that you consider trustworthy, and recovery certificates, you can use them in your security policies. See section Creating a policy.
1. In the Certificate library menu on the left, click on a certificate's icon to choose one of three actions.