How do I identify a mailbox's public certificate/private key file and set certificate import requirements?

Environment:

Mailboxes, Configuring SMIME security settings

Resolution:

The Oracle B2C Service Service mailbox can send S/MIME email using a signature, encryption, or both. To send S/MIME email, the mailbox must be issued a certificate, which includes a public certificate and a private key. The certificate can be obtained from an authorized certification authority and should contain the email address for the mailbox.

A certificate is a digital piece of information for email and Internet security that includes the name of the certification authority, the holder of the certificate, the certificate holder’s public key, the dates the certificate is valid, the serial number, and the digital signature of the certification authority. Certificates are also referred to as public certificates.

A private key is a password-protected key used by the holder to create digital email signatures and decrypt messages that were encrypted using the holder’s associated public key.

A public key is public information that may be attached to email messages to allow those who reply to the message to encrypt their response. However, while technically not a requirement (although some email clients will actually require it) generally you can only encrypt a response if smime is configured in your email client and you send your own public key back to Oracle B2C Service. The public key also verifies that the digital signature was created with the associated private key, thereby ensuring the integrity and authenticity of the message. Public keys are often referred to as public certificates, although certificates hold additional information besides the public key.

S/MIME (Secure / Multipurpose Internet Mail Extensions) Identify the mailbox’s public certificate/private key file and set certificate import requirements.

Note, attachments are converted to text and become part of an email.  Therefore, they have the same security as the email itself.

Locating the Service Mailbox Personal Certificate and Key

The  certificate and key is configured within the service mailbox configured for your site. 

1. From the Service Administration Items, select Communication Configuration > Service Mailboxes.
   
   
2. Double click on the mailbox you need to locate the certificate for in the left panel.
   
   
3. Click the Security tab.
   
   
4. In the S/MIME section is listed the Mailbox personal certificate and key.
   
   
5. Click Browse to locate the file containing the public certificate and private key assigned to the mailbox by the certification authority.
   
   
6. The file you import should be in a password-protected Personal Information Exchange PKCS#12 format, using a .pfx or .p12 file extension. It must also contain the email address of the mailbox exactly as it was entered under the Outgoing Email tab.
   
   
7. When prompted, enter the original password (the password used to encrypt the file) and the new password (the password the private key is to be encrypted with in the Oracle B2C Service database).
   
   
8. The file is not imported until you click to save all mailbox security settings.

Note: S/MIME configuration options are not available on Outreach mailboxes.

Adding and Deleting trusted certification authorities  

Oracle B2C Service uses a predefined list of trusted certification authorities for verifying certificates
from POP3 servers and S/MIME email senders; this list contains well-known root certification
authorities. Depending on your organization’s circumstances, you may want to add
or delete trusted certification authorities.

To add certification authorities:
1.  Click the Common Configuration button on the navigation pane.

2.  Double-click File Manager under System Configuration. The content pane displays the File Manager.

3. Click the Switch To drop-down menu and select Additional Root Certificates.

4. Click the Browse button and select the root certificate file you want to upload. The file should be in DER Encoded Binary X.509 (.cer or .crt) or Base-64 Encoded X.509 (.pem) format.  The Oracle B2C Service application requires that certificates have the correct file extension.  Certificates with an incorrect extension will not be used.

5 Click the Go button to upload the file.

To delete certification authorities:

1. Double-click File Manager under System Configuration. The content pane displays the File Manager.

2. Click the Switch To drop-down menu and select Additional Root Certificates. A list of files you have uploaded is displayed.

3. Click the Delete File button on the line that contains the file you want to delete.

4. Click the OK button when the warning message is displayed to delete the root certificate file.

Adding certificate revocation lists

Certification is used for security purposes in sending and receiving email. Customers who have S/MIME email can send signed emails to any Oracle B2C Service mailbox. Even if the S/MIME capabilities on the Oracle B2C Service mailbox are disabled, reply messages can be encrypted using the customers’ public certificates that are part of their electronic signatures. Customers can then decrypt replies using their private keys.

Oracle B2C Service is configured with a predefined list of trusted certification authorities for verifying certificates from POP3 servers and S/MIME email senders; this list contains well known root certification authorities and is found in the ca.pem file under the .db directory on your server.

Certification authorities regularly publish certificate revocation lists, which you can use to check the validity of certificates.

To add certification revocation lists:

1. From the Common Administration Items, select System Configuration > File Manager. 
   
   
2. Click the Switch To drop-down menu and select Certificate revocation lists.
   
   
3. Select the certificate revocation list file you want to upload. The file should be in a DER Encoded Binary (.crl) format.
   
   
4. Upload the file.

Note: If you upload any lists, the certificate revocation list checking is automatically enabled. As a result, all root certification authority certificates that are used (in either SSL connections or email certificates) must have a corresponding certificate revocation list. If there is no corresponding list, the certification check fails.

For additional information, refer to the 'Email security overview' section in the Online Help User Guide documentation. To access Oracle B2C Service manuals and documentation online, refer to the Documentation for Oracle B2C Service Products.