Support for multiple SMIME certificates from Active Directory

Release Notes


Abstract

Support for multiple SMIME certificates from Active Directory

Content

This feature addresses a problem with S/MIME signing and encryption certificates that carry an expiration date. Once the certificate that was used for signing or encryption expires, mail that was signed or encrypted with it can no longer be verified or decrypted. With this feature, MaaS360 users can still decrypt and validate old mail with the older certificates: MaaS360 includes both the current active certificate and the older, expired certificates when it sends the Exchange profile to a device.

In releases prior to 2.93, when the administrator configured an Active Directory certificate template set to S/MIME, the Cloud Extender:

  1. Scanned all certificates that matched the S/MIME key usage configured on the certificate template.
  2. Located and retrieved the single certificate with the latest expiration date (the one furthest from expiring).
  3. Sent only that certificate to the MaaS360 Portal.

In the 2.93 release, when the administrator configures an Active Directory certificate template set to S/MIME, the Cloud Extender:

  1. Scans all certificates that match the S/MIME key usage configured on the certificate template.
  2. Locates and retrieves the certificate with the latest expiration date (the one furthest from expiring) and sends that certificate to the MaaS360 Portal as the primary certificate.
  3. Locates and retrieves all other certificates that match the S/MIME key usage, regardless of expiration date, and sends those certificates to the MaaS360 Portal as secondary certificates.

Things to note:

  • All expired certificates are included (as secondary certificates) so that mail signed or encrypted with them can still be verified and decrypted.
  • Revoked certificates are not included; a revoked certificate is never sent to the device.
  • The Certificate Integration module sends the original (primary) certificate in the main payload and the additional certificates in an <AdditionalCertificates> tag. The module only sends additional certificates when the <AdditionalCertificate> tag is present in the payload. That tag is not present in MDM enrollments, so SPS policies must be used to receive the secondary certificates.
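The 2.93 selection rule and the SPS/MDM payload difference, modelled in Python as an added illustration (this is not Cloud Extender code). The certificate records, their field names and serial numbers, the revocation flag and the payload layout are constructed assumptions; only the emailProtection Extended Key Usage OID is the standard value. A real check would read each user's certificates from Active Directory and parse the DER blobs instead of using in-memory records.

```python
"""Model of the Cloud Extender 2.93 S/MIME certificate selection rule.

Added illustration, not MaaS360 code. Certificate records are constructed
in memory with hypothetical field names.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# id-kp-emailProtection: the Extended Key Usage that marks an S/MIME certificate
EKU_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
# id-kp-clientAuth: present on some certificates but not an S/MIME usage
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"


@dataclass(frozen=True)
class CertRecord:
    """Minimal view of one certificate (hypothetical field names)."""
    serial: str
    subject: str
    not_after: datetime
    ekus: tuple
    revoked: bool = False  # assumed to come from a CRL/OCSP check


def select_smime_certificates(certs):
    """Return (primary, secondaries) following the 2.93 rule.

    - only certificates whose EKU includes emailProtection are candidates
    - revoked certificates are dropped
    - expired certificates stay in, so old mail can still be read/verified
    - the certificate expiring furthest in the future is the primary
    - every other candidate becomes a secondary, latest expiry first
    """
    candidates = [c for c in certs
                  if EKU_EMAIL_PROTECTION in c.ekus and not c.revoked]
    if not candidates:
        return None, []
    ordered = sorted(candidates, key=lambda c: c.not_after, reverse=True)
    return ordered[0], ordered[1:]


def build_exchange_payload(primary, secondaries, policy_type):
    """Build the certificate part of the Exchange profile.

    The additional-certificates element is only emitted for SPS policies;
    an MDM enrollment carries no such element, so secondaries are dropped.
    The payload shape itself is a constructed assumption.
    """
    payload = {"Certificate": primary.serial}
    if policy_type == "SPS" and secondaries:
        payload["AdditionalCertificates"] = [c.serial for c in secondaries]
    return payload


def expired_serials(certs, now):
    """Serial numbers of the given certificates that have already expired."""
    return [c.serial for c in certs if c.not_after < now]


# Constructed sample data: one user's certificate history in AD.
NOW = datetime(2018, 11, 9, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    CertRecord("1000", "CN=alice", datetime(2016, 1, 1, tzinfo=timezone.utc),
               (EKU_EMAIL_PROTECTION,)),                      # expired, kept
    CertRecord("1001", "CN=alice", datetime(2017, 1, 15, tzinfo=timezone.utc),
               (EKU_EMAIL_PROTECTION,)),                      # expired, kept
    CertRecord("1002", "CN=alice", datetime(2019, 3, 1, tzinfo=timezone.utc),
               (EKU_EMAIL_PROTECTION,), revoked=True),        # revoked, dropped
    CertRecord("1003", "CN=alice", datetime(2020, 6, 1, tzinfo=timezone.utc),
               (EKU_EMAIL_PROTECTION, EKU_CLIENT_AUTH)),      # current, primary
    CertRecord("1004", "CN=alice", datetime(2021, 1, 1, tzinfo=timezone.utc),
               (EKU_CLIENT_AUTH,)),                           # not S/MIME, ignored
]

if __name__ == "__main__":
    primary, secondaries = select_smime_certificates(SAMPLE_CERTS)
    print("primary:", primary.serial)
    print("secondaries:", [c.serial for c in secondaries])
    print("expired secondaries:", expired_serials(secondaries, NOW))
    print("SPS payload:", build_exchange_payload(primary, secondaries, "SPS"))
    print("MDM payload:", build_exchange_payload(primary, secondaries, "MDM"))
```

Running the block shows that the 2017 and 2016 certificates survive as secondaries even though both are expired, the revoked 2019 certificate is never sent, the clientAuth-only certificate is not a candidate at all, and the MDM payload carries only the primary.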

Product: IBM MaaS360 (IBM Software, Security Software)
Platform: Platform Independent
Version: 10.65

Document Information

Modified date:
09 November 2018

UID

ibm10739705