KB Article #102080

S/MIME certificate types and locations in EMF


Summary:

This technote summarizes which sections of the EMF Setup Security page hold which types of certificates. It also briefly discusses these sections in relation to the MMSUpgradeDirectory program.

Detailed Information:

The Local Certificates section contains the local (self-signed) keys that EMF generates for SPN Security and Proxy Security, as well as imported TLS keys. It holds both the public key and private key parts. Note that:

- the proxy certificates are not visible in the web admin UI

- only the public keys are currently exportable (EMF may allow private key export in a future release)

The PGP Keys section (EMF 6.2 and later) holds all EMF-generated PGP root keys, which are used to sign the PGP proxy keys created under the PGP Proxy Security model (similar to the standard S/MIME Proxy model).

The Root Keys section contains public root keys, including all 3rd-party public root keys shipped with EMF.

The S/MIME Certificates section (called External Certificates before EMF 6.2) contains:

- all the external public keys harvested by EMF from remote signatures (from signed mail sent to your site)

- all remote EMF public root keys (from remote EMF installations)

- all intermediate certificates

MMSUpgradeDirectory

A word about the MMSUpgradeDirectory program, used to upgrade an EMF 4.7 installation to EMF 5.x:

- the -k command-line option specifies the 4.7 private key file; this is usually Tumbleweed\MMS\SMIME\wss.key. This file corresponds to the Local Certificates section in 5.x.

- the -r command-line option specifies the 4.7 root key file; this is usually Tumbleweed\MMS\SMIME\wss.rut. This file corresponds to the Root Keys section in 5.x.

- the external keys, corresponding to the External Certificates section in 5.x, are in the MMS 4.7 SMIME database (MMS\SMIME\WorldSecureSMIME.mdf). MMSUpgradeDirectory brings them over automatically, so they don't require a command-line option. You need to ensure that the account under which you run the MMSUpgradeDirectory program on the 5.x box is defined as a local admin (with the same password) on the 4.7 box, and is therefore in the 4.7 SQL BUILTIN\Administrators group.

Additional Information:

For more information on EMF Security settings, see the EMF Administrator Guide.

For more information on MMSUpgradeDirectory, see the Tumbleweed document Upgradingto50.pdf.

Both documents can be requested from Tumbleweed Support.