Changing the list of Certificate Stores used by TLS


This article applies to:

  • Trustwave SEG 7.1 and above
  • TLS validation of client certificates
  • Note: The Registry setting is not currently available in MailMarshal (SEG) 10.X

Question:

  • What Windows Certificate Stores does SEG TLS check?
  • How can I adjust the list of Certificate Stores that MailMarshal uses to validate TLS client certificates?

Procedure:

When checking for certificate trust, SEG uses the Windows certificate stores for the Local Computer on each processing node.

By default, SEG checks the following Certificate Stores:

  • Trusted Root Certification Authorities
  • Trusted People
  • Intermediate Certification Authorities

Note: You must ensure that any certificates to be trusted, or used in validating trust, are loaded in the appropriate store on each node.

  • For Inbound TLS, see the Rule Condition Where the negotiated TLS parameters match criteria
  • You can trust a self-signed certificate by placing it in the Trusted People store
  • You can add certificates to the Root and Intermediate Certification Authorities stores, if necessary, to allow CA issued certificates to be validated.

The default setting is normally adequate and will not need change.

However, if you have specific local requirements, you can adjust the list of stores that MailMarshal uses by setting a Registry entry.

  • Warning: The list you set in the Registry entry replaces the default list.
    • If you want to add to the default list, you must include the default values as well as your additional values.

On the SEG Array Manager server, run Regedit.

  1. Navigate to the SEG registry key:
    8.X: HKey_Local_Machine\Software\Trustwave\Secure Email Gateway\Default
    • For full details of the location for each version, see article Q10832.
    • This setting is not currently available in MailMarshal (SEG) 10.X.
  2. Add or edit the following Multi-String value (REG_MULTI_SZ): LocalSystemCertStores
    • In the data entry window, add a list of store names, one per line.
    • The default list (if entered explicitly) would appear as shown below:

  3. To apply the change, commit configuration. Changes will apply to all nodes.

To revert to the default setting, delete the multi-string value LocalSystemCertStores (or delete all values so that it is completely empty).

You can verify that the setting is applied on each node by checking the Receiver text logs. When Inbound TLS is enabled, and the above Registry key is in place, these logs will include a line similar to the following when configuration is reloaded:

TLS certificate store names configured in the registry. Using: Root, TrustedPeople, CA

Important Notes:

  • The data you enter is not validated. Make sure you enter correct names.

  • The store names you enter must match the internal names of these certificate stores.
    • These names are NOT the same as the friendly names shown in the MMC Certificate Snap-In.
    • To find a list of names of the stores available for the Local Computer on a specific server, you can use Powershell to view the Cert: "drive." You can also find a list of sub-key names in the following Registry key:
      HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates
  • As always, take due care when editing the Registry. Trustwave recommends that you make a backup before applying any changes.

 

Last Modified 4/1/2020.
https://support.trustwave.com/kb/KnowledgebaseArticle14646.aspx