Page Comparison

...

• use-case: send signed e-mails from IDM

• configured in this application:

  • Identity Manager Operator

• storage: pkcs12, HSM (recommended)

• versioning: supported, but unnecessary

• supported algorithm values:

  • for RSA keys only

    • SHA256withRSA  

    • SHA384withRSA

    • SHA512withRSA

  • for ECC keys only

    • SHA256withECDSA

    • SHA384withECDSA

    • SHA512withECDSA

• general requirements:

  • placeholders allowed only if email signing is not used

    • e-mail verification will fail if not issued by a trusted S/MIME CA

    • integrity of e-mails sent by IDM may be at risk if placeholder key is used

• key requirements:

  • supported types:

    • RSA 2048

    • RSA 3072

    • RSA 4096

    • ECC NIST P-256

    • ECC NIST P-384

    • ECC NIST P-521

• certificate requirements:

  • proper S/MIME certificate with configured IDM e-mail sender address in DN's E field and/or SAN RFC-822 entry

    • if subject DN email field is absent, SAN extension must be critical!

    • IDM up to 23.10.x only accepted SAN and ignoreed ignored DN.E (fixed in IDM 24.R1)

  • must not be self-signed!

  • key usage: if present, must be critical and at least either digitalSignature or nonRepudiation

  • validity: adhering to CAB-Forum requirements from https://cabforum.org/working-groups/smime/requirements/#632-certificate-operational-periods-and-key-pair-usage-periods (825 days max. at the time of writing)

...