S/MIME Authorities

On the Encryption > S/MIME Authorities tab you can manage certificate authorities (CAs) for email encryption. In addition to pre-installed CAs, you can upload certificates of external certificate authorities. All incoming emails whose certificates are signed by one of the CAs listed and enabled here will be trusted automatically.

Note – If you have selected the Enable automatic S/MIME certificate extraction option on the Email Protection > Encryption > Options tab, certificates signed by a CA listed and enabled here will be extracted automatically and placed on the Email Protection > Encryption > S/MIME Certificates tab.

Local S/MIME Authorities

You can import the certificate (i.e., the public key) of an external certification authority you trust. That way, all incoming emails whose certificates were signed by this CA will be trusted, too. For example, you can install the CA of another Sophos UTM unit, thus enabling transparent email encryption between two Sophos UTM units.

To import an external S/MIME (Secure/Multipurpose Internet Mail Extensions) authority certificate, proceed as follows:

  1. Click the Folder icon next to the Upload local authority field.

    The Upload File dialog window opens.

  2. Select the certificate to upload.

    Click Browse and select the CA certificate to upload. The following certificate extensions are supported:

    • cer, crt, or der: These certificate types are binary and basically the same.
    • pem: Base64 encoded DER certificates.

  3. Upload the certificate.

    Click Start Upload to upload the selected CA certificate.

    The certificate will be installed and displayed in the Local S/MIME Authorities area.

You can delete or disable an S/MIME authority certificate if you do not regard the CA as trustworthy. To revoke an S/MIME authority's certificate, click its toggle switch. The toggle switch turns gray and the SMTP proxy will no longer accept mails signed by this S/MIME authority. To delete a certificate, click the Empty icon.

Tip – Click the blue Info icon to see the fingerprint of a CA.
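A pre-upload check, as an added example that is not part of the Sophos documentation: it normalizes a CA certificate file in either supported encoding (pem, or binary cer/crt/der) to DER, rejects truncated or padded files, and computes the fingerprint to compare against the value shown by the Info icon and the value obtained from the CA through a separate channel. The page does not say which hash the Info icon displays, so computing both SHA-1 and SHA-256 is an assumption; the function names and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def to_der(data: bytes) -> bytes:
    """Return the DER bytes of one certificate supplied as pem or cer/crt/der."""
    m = PEM_RE.search(data)
    # pem is Base64-encoded DER between BEGIN/END markers; anything else is raw DER.
    der = base64.b64decode(b"".join(m.group(1).split()), validate=True) if m else data
    # A certificate is a single DER SEQUENCE (tag 0x30) whose encoded length must
    # account for every byte; this catches truncated files and trailing data.
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER-encoded certificate")
    if der[1] < 0x80:                      # short form: length in one byte
        header, length = 2, der[1]
    else:                                  # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("malformed DER length")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("truncated file or trailing data")
    return der


def fingerprints(data: bytes) -> dict:
    """Colon-separated SHA-1 and SHA-256 fingerprints of the DER encoding."""
    der = to_der(data)
    result = {}
    for name in ("sha1", "sha256"):  # assumption: hash shown in the UI is unspecified
        digest = hashlib.new(name, der).hexdigest().upper()
        result[name] = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return result


# Constructed stand-in: a well-formed DER SEQUENCE, not a real CA certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Both encodings of the same certificate yield the same fingerprints.
    print(fingerprints(SAMPLE_DER))
    print(fingerprints(SAMPLE_PEM))
```
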

Global S/MIME Authorities

The list of S/MIME CAs shown here is identical to the S/MIME CAs pre-installed by Mozilla Firefox. This facilitates email encryption between your company and your communication partners who maintain a PKI (Public Key Infrastructure) based on those CAs. However, you can disable an S/MIME authority certificate if you do not regard the CA as trustworthy. To revoke an S/MIME authority's certificate, click its toggle switch. The toggle switch turns gray and the SMTP proxy will no longer accept mails signed by this S/MIME authority.

The following links point to URLs (Uniform Resource Locators) of notable root certificates: