At my company, we have short mail addresses for convenience, but they collide now that the company is getting bigger. For new employees, we only create new, longer mail addresses to avoid this.

However, to migrate the old short ones to the longer new ones, I would like to generate certificates for both mail addresses at once, so the older employees would be able to use both of their mail addresses. Is this possible with a single certificate, or do I need to generate two? Both mail addresses belong to the same person and are forwarded to the same mailbox.

Since I found nothing on Google, I wonder if this is the right approach. Is something like this usually handled by the mail server somehow? (We use Office365.)

sinned

2 Answers

2

S/MIME certificates validate the address the email is sent from, so you only need to be concerned with additional addresses if employees will send email from them. E.g. if "Bob Anderson" receives mail at bob@example.com and bob.anderson@example.com but only sends mail from bob.anderson@example.com, then he only needs the bob.anderson@example.com address in his S/MIME certificate.

If your users will send email from multiple addresses, however, there's still a solution: the subjectAlternativeName (SAN) extension. The SAN extension is commonly used to secure multiple hostnames in SSL/TLS web server certificates (e.g. both www.example.com and example.com), but it can be used for email addresses as well.

That said, I'd recommend you check client compatibility, as likely not all S/MIME-capable email clients support the SAN extension. If you make sure you don't mark the extension as critical, email clients not supporting the SAN extension should simply ignore it (X.509 standards require rejection of any not-understood critical extensions). In a quick search, I wasn't able to determine if Office365 supports the SAN extension for S/MIME certificates (though it does for server certificates), but I'd be surprised if it didn't.

Calrion
  • Ok, observations: OpenSSL-side it was quite easy. Just add some extension (http://apetec.com/support/GenerateSAN-CSR.htm); the field names are email.1, email.2 and so on. Outlook-wise, I could use the certificate (import to Windows, configure in Outlook, upload to GAL) to sign and encrypt mails from the primary mail address. However, when I sent mails from the SAN address, it worked after some errors (http://blog.groundx.se/error-0x80070005-00000000-00000000-outlook-2013/), but the recipient only saw the primary mail address in the From: field (mail header). Outlook said 'signed by '. – sinned Jan 31 '14 at 13:59
  • Hmm. You could possibly get better results by fiddling with the certificate's subject values; Outlook will use the values within the subject to figure out what to print in the 'signed by XXX' string; I'd look first to the common name, then probably the description; you might even try not including an email value in the subject (just leaving it to the SAN). I'm a Mac/UIX guy though, so can't help you with any details there. Hang in there, though, a good S/MIME implementation is tricky! – Calrion Feb 01 '14 at 06:29
0

Put this in your smime.cfg:

```ini
# subjectAltName belongs in the extension section you hand to
# "openssl req -reqexts <section>" (CSR) or "-extensions <section>"
# (self-signed cert). Leave it non-critical so clients that do not
# understand the SAN ignore it rather than rejecting the certificate.
subjectAltName=@alt_names

[alt_names]
email.1 = tom@test.de
email.2 = tom@test.com
```
Ray Hulha
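As an added example that is not code from either answer, the following script ties Calrion's SAN advice to Ray Hulha's config: it generates a self-signed certificate carrying both addresses as rfc822Name SAN entries and then checks that the extension is present, non-critical, and lists both addresses. It assumes the openssl CLI is installed; the addresses and the section names dn and smime_ext are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a self-signed
# S/MIME certificate whose SAN carries two rfc822Name entries (constructed
# sample addresses), then checks the SAN is present, non-critical and lists
# both addresses. Assumes the openssl CLI is installed.
set -eu
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
CFG="$WORKDIR/smime.cfg"; KEY="$WORKDIR/user.key"; CRT="$WORKDIR/user.crt"

# subjectAltName sits in an extension section referenced by -extensions.
# "critical" is deliberately NOT set, so clients that do not understand
# the SAN simply ignore it instead of rejecting the certificate.
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Tom Example
emailAddress = tom@test.com
[ smime_ext ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = @alt_names
[ alt_names ]
email.1 = tom@test.de
email.2 = tom@test.com
EOF

# Key pair and self-signed certificate in one step (a real deployment
# would instead produce a CSR with -reqexts and have a CA sign it).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$CFG" \
  -extensions smime_ext -keyout "$KEY" -out "$CRT" >/dev/null 2>&1

# san_emails: print each email: entry of the certificate's SAN, one per line.
san_emails() {
  openssl x509 -in "$CRT" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/.*email:\([^ ]*\).*/\1/p'
}

# san_is_critical: succeeds (exit 0) only if the SAN is flagged critical.
san_is_critical() {
  openssl x509 -in "$CRT" -noout -text \
    | grep -q 'Subject Alternative Name: critical'
}

san_emails
```

Run the same san_emails check against any CA-issued certificate before rolling it out, so the second address is confirmed to be in the SAN and not only in the Subject.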