This article applies to:

• Trustwave MailMarshal (SEG)
• TLS validation of client certificates

Question:

• What Windows Certificate Stores does SEG TLS check?
• How can I adjust the list of Certificate Stores that MailMarshal uses to validate TLS client certificates?

Procedure:

When checking for certificate trust, SEG uses the Windows certificate stores for the Local Computer on each processing node.

By default, SEG checks the following Certificate Stores:

• Trusted Root Certification Authorities
• Trusted People
• Intermediate Certification Authorities

Note: You must ensure that any certificates to be trusted, or used in validating trust, are loaded in the appropriate store on each node.

• For Inbound TLS, see the Rule Condition Where the negotiated TLS parameters match criteria
• You can trust a self-signed certificate by placing it in the Trusted People store
• You can add certificates to the Root and Intermediate Certification Authorities stores, if necessary, to allow CA issued certificates to be validated.

The default setting is normally adequate and will not need change.

However, if you have specific local requirements, you can adjust the list of stores that MailMarshal uses with an Advanced Setting or Registry entry.

• Warning: The list you enter replaces the default list.
  • If you want to add to the default list, you must include the default values as well as your additional values.

• In MailMarshal 10.0 and above, open the Management Console and navigate to Advanced Settings. Add a new value:
  • Name: LocalSystemCertStores 
  • Type: Multi-string
  • Value: A list of store names, one per line
• In MailMarshal 8.X and below, open the Registry Editor on the Array Manager. Within the base registry key, navigate to \Default
  • In version 8.X: HKEY_LOCAL_MACHINE\SOFTWARE\Trustwave\Secure Email Gateway\Default
  • For information about the registry location for each version, see article Q10832.
  • Add a  REG_MULTI_SZ value LocalSystemCertStores 
    • In the data entry window, add a list of store names, one per line.
    • The default list (if entered explicitly) would appear as shown below:
      
• Save your registry settings or configuration settings.
• Commit the configuration changes and restart the MailMarshal Sender service on each node.

To revert to the default setting, delete the multi-string value LocalSystemCertStores 

You can verify that the setting is applied on each node by checking the Receiver (Inbound TLS) or Sender (Outbound TLS) text logs. When TLS is enabled for the service, and the setting is in place, these logs will include a line similar to the following when configuration is reloaded:

TLS certificate store names configured in the registry. Using: Root, TrustedPeople, CA

Important Notes:

• The data you enter is not validated. Make sure you enter correct names.

• The store names you enter must match the internal names of these certificate stores.
  • These names are NOT the same as the friendly names shown in the MMC Certificate Snap-In.
  • To find a list of names of the stores available for the Local Computer on a specific server, you can use Powershell to view the Cert: "drive." You can also find a list of sub-key names in the following Registry key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates
• As always, take due care when editing the Registry. Trustwave recommends that you make a backup before applying any changes.