TIPS & BEST PRACTICE 30. JUN 2022
When can I use domain certificates for email encryption?
Time and again, we get questions about using domain certificates for email encryption. We want to clarify the subject.
Gateway certificate for email encryption
Domain certificates, also called gateway certificates or organization certificates, are usually issued in the name of a company or organization – a legal person, in other words. A user or personal certificate, on the other hand, is always assigned to a natural person. There is no technical difference between the two types of certificates.
(For general principles on certificates, see our White Paper “Secure email in times of rising mobile communication.”)
One might now assume that a company with 500 employees and a central email gateway could simply use a domain certificate for email encryption instead of 500 personal certificates. At first glance, this sounds efficient and compelling from a cost point of view. In practice, however, the use of domain certificates is often problematic.
S/MIME domain certificates can trigger error messages when encrypting and signing
Some mail programs – such as MS Outlook – and webmail providers can’t process S/MIME domain certificates. Let’s deconstruct this. During encryption, the certificate gets validated, and the email address it contains is checked and matched against the recipient’s email address. However, a domain certificate only contains a central email address, not a personal one. For this reason, mail programs reject encryption with domain certificates; the certificate is not considered valid for the recipient’s address.
Similarly, problems can also occur during signature validation when a sender uses a domain certificate for signing and the sender’s email address and certificate email address do not match. All of this causes the communication partner unnecessary hassle, effort, and wasted time finding a solution to the problem.
Domain encryption: S/MIME domain certificates are a great choice for gateway-to-gateway encryption
The use of domain certificates is always recommended if the remote peer also uses a gateway for encryption and signing. However, both communication partners should agree on working with domain certificates and configure their email gateways accordingly.
If both the sender and recipient use a Z1 SecureMail Gateway, domain encryption takes effect, meaning domain certificates are automatically recognized and used. If gateways from other manufacturers publish their domain certificates on the Z1 Global TrustPoint certificate portal, domain encryption is also fully automatic.
We recommend using user certificates if none or only some of your communication partners have an encryption gateway. With Z1 SecureMail Gateway, you can use both domain certificates and user certificates in parallel. The gateway automatically detects when to use which certificate.
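To make the address-matching behaviour described above concrete, here is an added illustration (not Zertificon’s code and not the Z1 SecureMail Gateway’s actual algorithm). It models a certificate by its rfc822Name subjectAltName entries, applies the RFC 5280 email comparison a strict mail client performs, and shows a simplified gateway policy that prefers a user certificate and falls back to a domain certificate only when the peer is known to run a gateway. All addresses and certificate names are constructed.

```python
"""Added illustration: strict client-side address matching versus a
gateway-aware selection policy. Certificates are plain objects carrying
their rfc822Name SAN entries; every value below is constructed."""

from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Cert:
    subject: str
    rfc822_names: tuple  # rfc822Name entries of the subjectAltName extension


def address_matches(cert_addr: str, recipient: str) -> bool:
    """RFC 5280 section 7.5 comparison: local part is case-sensitive,
    domain part is case-insensitive."""
    if "@" not in cert_addr or "@" not in recipient:
        return False
    c_local, c_domain = cert_addr.rsplit("@", 1)
    r_local, r_domain = recipient.rsplit("@", 1)
    return c_local == r_local and c_domain.lower() == r_domain.lower()


def client_accepts(cert: Cert, recipient: str) -> bool:
    """Strict mail-client behaviour from the article: the certificate is
    usable for the recipient only if one of its addresses matches exactly."""
    return any(address_matches(a, recipient) for a in cert.rfc822_names)


def gateway_select(certs: Sequence[Cert], recipient: str,
                   peer_uses_gateway: bool) -> Optional[Cert]:
    """Simplified gateway policy (an assumption for illustration): prefer a
    certificate that a strict client would accept; otherwise use a domain
    certificate only if the peer runs a gateway and the domain part matches."""
    for c in certs:
        if client_accepts(c, recipient):
            return c
    if peer_uses_gateway:
        r_domain = recipient.rsplit("@", 1)[-1].lower()
        for c in certs:
            if any(a.rsplit("@", 1)[-1].lower() == r_domain
                   for a in c.rfc822_names):
                return c
    return None  # no usable certificate: fall back to unencrypted or defer


# constructed sample certificates (not real organisations or people)
DOMAIN_CERT = Cert("Example Corp (gateway)", ("securemail@example.com",))
USER_CERT = Cert("Alice Example", ("alice@example.com",))

if __name__ == "__main__":
    print(client_accepts(DOMAIN_CERT, "alice@example.com"))          # False
    print(gateway_select([DOMAIN_CERT], "alice@example.com", True))  # DOMAIN_CERT
```

The same comparison rule applies to an OpenPGP key’s user ID, which is why the article reports the same error for OpenPGP domain keys when only one side runs a gateway.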
One-stop-shop: Get domain certificates and user certificates in a package with Z1 SecureMail Gateway through Zertificon
We simplify the procurement of both user certificates and domain certificates for you. With Zertificon, you can purchase them automatically and directly through the Z1 SecureMail Gateway. Because we have partnerships with several Trust Centers, we can procure the certificates under special conditions and, therefore, offer you highly favorable prices. Unlike other gateway providers, we handle the commercial order processing of email certificates ourselves. That way, you only have to contact us, and you will receive everything you need for secure email communication. Get in touch!
Domain certificates are no longer generally recommended for OpenPGP
Until the beginning of 2021, it was very easy to work with an OpenPGP domain key for all communication when using the OpenPGP standard in conjunction with a gateway. However, due to recent developments in key validation in mail programs, we have received reports of increasing problems with OpenPGP validation. Because the address in the key’s user ID is matched against the recipient or sender address, and a domain key’s address does not match, the same error message described above for S/MIME certificates can occur. This error message does not happen if both sides use a gateway. In the same way as for S/MIME, Z1 SecureMail Gateway manages your OpenPGP keys for domains just as it does for users.
Therefore, we recommend using separate employee keys in addition to the domain key, even when using OpenPGP. You can also automate this process with Z1 SecureMail Gateway. The usage of OpenPGP user keys (basic settings) only needs to be configured once. A key pair is generated and managed automatically with each new employee.
Z1 SecureMail Gateway also provides a simple solution for key distribution. Newly issued keys of your own can be automatically published on the Z1 Global TrustPoint and are thus available to everyone. Working with user keys is not much more complex with Zertificon’s solutions than with a central PGP email domain key. And unlike purchased S/MIME certificates, issuing individual OpenPGP keys is not a cost factor.