In this article, we explain how GlobalCerts' email encryption solutions can automatically encrypt emails via S/MIME to 3rd parties that have an email certificate. We also show how 3rd parties can encrypt emails to your users via S/MIME, even though they do not use GlobalCerts.
Certificate Harvesting
The SecureMail Gateway is configured to automatically detect any digitally signed emails coming into your organization, and pull out or 'harvest' the sender's public certificate. This is very useful because if the sender signed the email with a trusted and unexpired X.509 certificate, it can be extracted and then used by the SMG to automatically encrypt outbound emails to that recipient via S/MIME encryption. This way, the recipient receives the encrypted message directly in their inbox, rather than needing to use the SecureMessenger web portal to authenticate and read the message.
All harvested certificates are listed in the SMG's web administration under the 'Certificates' -> 'User Trust' menu sub-item. This page displays a list of all harvested user certificates and their status (trusted, untrusted, rejected). If the harvested certificate is signed by a trusted Certificate Authority that exists in our system, then the certificate is automatically trusted. Otherwise, you can explicitly trust a certificate, even a self-signed one, by clicking on the checkbox next to it and clicking 'Trust' at the bottom.
Allowing Other Encryption Solutions To Send You Encrypted Emails
Similarly, 3rd party email users with S/MIME encryption capabilities can use GlobalCerts users' public certificates to send encrypted messages. First, the SMG user must send a digitally signed email to the other party. This can easily be accomplished by tagging the message with [sign] in the subject line, including the brackets. The SMG will then automatically intercept the message and digitally sign it with the user's private key, and also attach the public certificate(s) to the email. This signature is included as a standard PKCS attachment called 'smime.p7s'.
On the recipient's side, their email gateway or email client can then view the signature, pull out the public certificate, and import it into their certificate store for later use when sending S/MIME encrypted emails back to you. The SecureMail Gateway will then automatically detect the encrypted email, use the user's private key for decryption, and deliver it directly to the user's inbox.
Note: The GlobalCerts signatures will NOT be implicitly trusted by 3rd parties because the GlobalCerts root CA is not implicitly trusted. In order to remove any warnings, the other user may wish to import the intermediate and GlobalCerts root CA (also attached in the signature) and explicitly trust them.
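As an added example (not GlobalCerts code, and not a description of how the SMG is implemented), here is the MIME-level check that both the harvesting step and the inbound-decryption step above depend on: recognising a detached-signed, opaque-signed or encrypted S/MIME message and pulling out its CMS blob. The function name, sample messages and placeholder bytes are constructed; the content types are the ones S/MIME defines in RFC 8551.

```python
# Added example: S/MIME detection at the MIME layer (standard library only).
import base64
from email import message_from_string, policy

SIG_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
P7M_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def classify_smime(raw):
    """Return (kind, cms_bytes). kind: 'detached-signed', 'opaque-signed',
    'encrypted' or 'none'; cms_bytes is the decoded CMS blob, or None."""
    msg = message_from_string(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed" and msg.is_multipart():
        proto = str(msg.get_param("protocol", "")).lower()
        parts = msg.get_payload()
        # Detached form: exactly two parts, the second one is smime.p7s.
        if (proto in SIG_TYPES and len(parts) == 2
                and parts[1].get_content_type() in SIG_TYPES):
            return "detached-signed", parts[1].get_payload(decode=True)
        return "none", None  # e.g. PGP/MIME also uses multipart/signed
    if ctype in P7M_TYPES:
        kind = {"signed-data": "opaque-signed",
                "enveloped-data": "encrypted"}.get(
                    str(msg.get_param("smime-type", "")).lower())
        if kind:
            return kind, msg.get_payload(decode=True)
    return "none", None

# Constructed samples. FAKE_CMS is placeholder bytes, not a real signature.
FAKE_CMS = b"\x30\x03\x02\x01\x01"
B64 = base64.b64encode(FAKE_CMS).decode()

def _signed(protocol):
    return (f'Subject: report\nMIME-Version: 1.0\n'
            f'Content-Type: multipart/signed; protocol="{protocol}";\n'
            f' micalg=sha-256; boundary="b1"\n\n'
            f'--b1\nContent-Type: text/plain\n\nhello\n'
            f'--b1\nContent-Type: {protocol}; name="smime.p7s"\n'
            f'Content-Transfer-Encoding: base64\n\n{B64}\n--b1--\n')

SIGNED = _signed("application/pkcs7-signature")
PGP_SIGNED = _signed("application/pgp-signature")
ENCRYPTED = ('Content-Type: application/pkcs7-mime; smime-type=enveloped-data;\n'
             ' name="smime.p7m"\nContent-Transfer-Encoding: base64\n\n' + B64 + '\n')

if __name__ == "__main__":
    for name in ("SIGNED", "PGP_SIGNED", "ENCRYPTED"):
        print(name, classify_smime(globals()[name]))
```

The returned bytes are what a CMS parser would read the signer certificates from; the trust and expiry decisions described above come after that step.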