SwissSign Managed PKI and Secure Mail
In the managed PKI setup, the customer has full control over who can or cannot obtain a certificate and what the contents of that certificate will be. To exercise this control, the customer must operate a registration authority (RA). This can be done through the SwissSign web interface, through a secure mail server, or through a dedicated CMS (card management system). Which solution is optimal usually depends on the size of the organization:
For smaller installations it is possible to obtain certificates through the web interface and install them in the mail clients of the end users. This process is time consuming and cannot easily be automated. Additionally, the end users need to be trained to use the new technology correctly and effectively.
For medium-sized installations the use of a secure mail server is recommended. Such servers are able to automatically obtain and manage certificates from the SwissSign CA through their internal user management. The benefits of having such a server are manifold. Secure mail servers are rule based and can enforce the security policy of the company. Because the internal mail system remains unchanged, the need for end user training is minimal. Setups like mail groups, deputies, mail forwarders and vacation delegation continue to work without changes. The secure mail server signs, encrypts and decrypts at the organization's boundary, so all data in the regular mail server remains unencrypted and therefore under the full control of the organization (backup, archive, anti-virus scanner, …).
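To make the "rule based" behaviour concrete, the following Python sketch evaluates a gateway policy for an outbound message: internal mail is left in plaintext, external mail is signed, mail to designated partner domains is encrypted, and the case where no recipient certificate is available is handled explicitly. This is an added example written for this page, not SwissSign's code and not the interface of any real secure mail server; the domain names, policy fields and the certificate store are constructed assumptions.

```python
"""Rule-based outbound policy evaluation for a secure-mail gateway (illustrative)."""
from __future__ import annotations

from dataclasses import dataclass
from email.message import EmailMessage
from email.utils import getaddresses

# Assumption: the organization's own mail domain; mail that never leaves it stays plaintext.
INTERNAL_DOMAIN = "example.com"

# Constructed stand-in for the gateway's recipient certificate store: address -> certificate id.
SAMPLE_CERT_STORE = {"partner@example.net": "cert-partner-2024"}


@dataclass(frozen=True)
class Policy:
    """Company security policy as the gateway would enforce it (hypothetical fields)."""
    must_encrypt_domains: frozenset[str]   # external domains whose mail must be S/MIME encrypted
    sign_external: bool = True             # sign everything that leaves the organization
    reject_when_cert_missing: bool = True  # bounce rather than send plaintext to a must-encrypt domain


@dataclass(frozen=True)
class Decision:
    action: str    # "deliver" or "reject"
    sign: bool
    encrypt: bool
    reason: str


def recipients(msg: EmailMessage) -> list[str]:
    """All To/Cc addresses, lower-cased, as the gateway would see them in the envelope."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [addr.lower() for _, addr in pairs if addr]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1]


def decide(msg: EmailMessage, policy: Policy, cert_store: dict[str, str]) -> Decision:
    """Apply the policy rules in order and return what the gateway should do with the message."""
    external = [r for r in recipients(msg) if domain_of(r) != INTERNAL_DOMAIN]

    # Rule 1: internal-only traffic is never touched, so archive/AV/backup keep working on plaintext.
    if not external:
        return Decision("deliver", sign=False, encrypt=False, reason="internal only: left in plaintext")

    # Rule 2: if any external recipient is in a must-encrypt domain, every external recipient
    # needs a certificate, because one encrypted copy must be readable by all of them.
    must_encrypt = any(domain_of(r) in policy.must_encrypt_domains for r in external)
    if must_encrypt:
        missing = [r for r in external if r not in cert_store]
        if missing:
            if policy.reject_when_cert_missing:
                return Decision("reject", sign=False, encrypt=False,
                                reason="no certificate for " + ", ".join(missing))
            # Weaker policy: fall back to signing only, but record why encryption was skipped.
            return Decision("deliver", sign=policy.sign_external, encrypt=False,
                            reason="certificate missing, sent signed only: " + ", ".join(missing))
        return Decision("deliver", sign=policy.sign_external, encrypt=True,
                        reason="must-encrypt domain, all recipient certificates present")

    # Rule 3: ordinary external mail is signed (if the policy says so) but not encrypted.
    return Decision("deliver", sign=policy.sign_external, encrypt=False,
                    reason="external recipient, signature only")


def build_message(sender: str, to: list[str], subject: str, body: str) -> EmailMessage:
    """Construct a sample outbound message (test input, not a real mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    policy = Policy(must_encrypt_domains=frozenset({"example.net"}))
    for rcpt in (["bob@example.com"], ["partner@example.net"], ["other@example.net"]):
        d = decide(build_message("alice@example.com", rcpt, "hello", "body"), policy, SAMPLE_CERT_STORE)
        print(rcpt, d.action, "sign" if d.sign else "", "encrypt" if d.encrypt else "", "-", d.reason)
```

The order of the rules is the point: the internal-only check comes first so that nothing in the regular mail store is ever encrypted, and the missing-certificate branch is explicit so that a policy decision (bounce versus signed-only) is made rather than silently sending plaintext to a domain the policy says must be encrypted.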
For large installations the integration of the secure mail server with the internal user management can be automated. Using Active Directory integration, it is possible to control the secure mail server and the certificate management by managing user accounts in the AD (Active Directory). This removes the need to duplicate user data between the secure mail server and the AD. All the other benefits of the solution remain the same.