On the Encryption > S/MIME Authorities tab you can manage certificate authorities (CA) for email encryption. In addition to pre-installed CAs, you can upload certificates of external certificate authorities. All incoming emails whose certificates are signed by one of the CAs listed and enabled here will be trusted automatically.
Note – If you have selected the Enable automatic S/MIME certificate extraction option on the Email Protection > Encryption > Options tab, certificates signed by a CA listed and enabled here will be extracted automatically and placed on the Email Protection > Encryption > S/MIME Certificates tab.
Local S/MIME Authorities
You can import the certificate (i.e., the public key) of an external certification authority you trust. That way, all incoming emails whose certificates were signed by this CA will be trusted, too. For example, you can install the CA of another Sophos UTM on AWS unit, thus enabling transparent email encryption between two Sophos UTM on AWS units.
To import an external S/MIME authority certificate, proceed as follows:
Click the Folder icon next to the Upload local authority field.
The Upload File dialog window opens.
Select the certificate to upload.
Click Browse and select the CA certificate to upload. The following certificate extensions are supported:
- cer, crt, or der: These certificate types are binary and basically the same.
- pem: Base64 encoded DER certificates.
Upload the certificate.
Click Start Upload to upload the selected CA certificate.
The certificate will be installed and displayed in the Local S/MIME Authorities area.
You can delete or disable an S/MIME authority certificate if you do not regard the CA as trustworthy. To revoke an S/MIME authority's certificate click its toggle switch. The toggle switch turns gray and the SMTP proxy will no longer accept mails signed by this S/MIME authority. To delete a certificate, click the Empty icon.
Global S/MIME Authorities
The list of S/MIME CAs shown here is identical to the S/MIME CAs pre-installed by Mozilla Firefox. This facilitates email encryption between your company and your communication partners who maintain a PKI based on those CAs. However, you can disable an S/MIME authority certificate if you do not regard the CA as trustworthy. To revoke an S/MIME authority's certificate click its toggle switch. The toggle switch turns gray and the SMTP proxy will no longer accept mails signed by this S/MIME authority.
The following links point to URLs of notable root certificates: