Third-party applications for automatic certificates (CMC interface)
Using the CMC interface on the new SwissSign CA platform requires the adjustment of certain parameters in third-party applications (email gateways or certificate lifecycle management systems) provided by SwissSign partners in order to continue benefiting from automatic certificate issuance.
Below, you will find instructions for how to change the required parameters in the most commonly used third-party applications.
Partner solution guides
Clearswift Secure Email Gateway
As the server URL cannot be changed, there will be a firmware update of the Clearswift Secure Email Gateway in May 2023. Please install this update and check this page again in May.
Compumatica
Update your CompuMail Gateway to the latest version from 08.05.2023.
Then open the CompuMail Gateway Web Management and enter the new URL (https://cmc.swisssign.ch/ws/cmc) and the new product name in the settings of the SwissSign PKI.
Old product name | New product name |
---|---|
*-perso-silver-emailonly | SwissSign Personal S/MIME E-Mail ID Silver |
*-perso-org-gold | SwissSign Pro S/MIME E-Mail ID Gold |
*-perso-org-gold-rsassapss | SwissSign Pro S/MIME E-Mail ID Gold RSASSA-PSS |
*-perso-org-gold-auth | SwissSign Pro S/MIME E-Mail ID Gold with Auth. |
essendi xc
Adapt CA configuration (one configuration must be created for each MPKI / client):
- Create new CA configuration → Select Future CA
- URL: https://api.ra.swisssign.ch/v2 (production)
- Service account: MPKIXXXXX.AutoRAO (in the mpki under "My account" > "Service API keys")
- API-Key: <apikey> (in the mpki under "My Account" > "Service API Keys")
- Products are loaded automatically
Revise SwissSign profiles:
- Select new CA
- Select correct product
- General e-mail address for messages
Keyon true-Xtender
Registration Authority
- Update to keyon true-Xtender Registration Authority version 3.7.3.
- Change the Service URL:
Old: https://ra.swisssign.net/ws/cmc
New: https://cmc.swisssign.ch/ws/cmc
Autoenroll PKI
- Change the Service URL in web.config, setting SwissSign_2_BaseUrl:
Old: https://ra.swisssign.net/ws/cmc
New: https://cmc.swisssign.ch/ws/cmc
- In Policy.config (C:\Program Files\keyon\Autoenroll-PKI\WebApp\Policy.config), for the template that is configured for the certificate profile (in the Web-GUI under Administration, Certificate Profiles, setting "Template Key"), make sure these values are set:
signingHashAlgorithm="SHA256"
signingHashAlgorithmOID="2.16.840.1.101.3.4.2.1"
NoSpamProxy
With the current version 14.0.5, NoSpamProxy supports the new SwissSign PKI. After the update, customers have to add the SwissSign connector again with the same settings; the new server URL will then be used automatically.
SEPPmail
Replace the service URL in the SEPPmail settings.
- Old: https://ra.swisssign.net/ws/cmc
- New: https://cmc.swisssign.ch/ws/cmc
Replace the complete old product name (including short name) with the new product name in the SEPPmail settings.
Old product name | New product name |
---|---|
*-perso-silver-emailonly | SwissSign Personal S/MIME E-Mail ID Silver |
*-perso-org-gold | SwissSign Pro S/MIME E-Mail ID Gold |
*-perso-org-gold-rsassapss | SwissSign Pro S/MIME E-Mail ID Gold RSASSA-PSS |
*-perso-org-gold-auth | SwissSign Pro S/MIME E-Mail ID Gold with Auth. |
SX-MailCrypt
Replace the service URL in the SX-MailCrypt settings.
- Old: https://ra.swisssign.net/ws/cmc
- New: https://cmc.swisssign.ch/ws/cmc
Replace the complete old product name (including short name) with the new product name in the SX-MailCrypt settings.
Old product name | New product name |
---|---|
*-perso-silver-emailonly | SwissSign Personal S/MIME E-Mail ID Silver |
*-perso-org-gold | SwissSign Pro S/MIME E-Mail ID Gold |
*-perso-org-gold-rsassapss | SwissSign Pro S/MIME E-Mail ID Gold RSASSA-PSS |
*-perso-org-gold-auth | SwissSign Pro S/MIME E-Mail ID Gold with Auth. |
Totemo
Replace the service URL in the Totemo settings.
- Old: https://ra.swisssign.net/ws/cmc
- New: https://cmc.swisssign.ch/ws/cmc
Other third-party applications which are not listed here
Please contact the vendor of your third-party solution.
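An added example, not SwissSign's or any vendor's code: a Python check that scans an exported gateway configuration for the pre-migration service URL, the old product names and, for keyon Autoenroll PKI, the required signing-hash values from the guides above. The sample configuration and its key names are constructed, and the `*` in the old product names is assumed to stand for the short-name prefix.

```python
import re

OLD_URL = "https://ra.swisssign.net/ws/cmc"
NEW_URL = "https://cmc.swisssign.ch/ws/cmc"

# Old product-name suffix -> new product name (tables on this page). The "*"
# in the old names is assumed to be the account-specific short-name prefix.
PRODUCTS = {
    "-perso-silver-emailonly": "SwissSign Personal S/MIME E-Mail ID Silver",
    "-perso-org-gold": "SwissSign Pro S/MIME E-Mail ID Gold",
    "-perso-org-gold-rsassapss": "SwissSign Pro S/MIME E-Mail ID Gold RSASSA-PSS",
    "-perso-org-gold-auth": "SwissSign Pro S/MIME E-Mail ID Gold with Auth.",
}
# Longest suffix first, so "-perso-org-gold" cannot shadow "-perso-org-gold-auth".
_alts = "|".join(re.escape(s) for s in sorted(PRODUCTS, key=len, reverse=True))
OLD_PRODUCT = re.compile(r"[\w.-]+?(%s)(?![\w-])" % _alts)
# Values the keyon Autoenroll PKI section requires in Policy.config.
REQUIRED = {
    "signingHashAlgorithm": "SHA256",
    "signingHashAlgorithmOID": "2.16.840.1.101.3.4.2.1",
}
ATTR = re.compile(r'\b(signingHashAlgorithm(?:OID)?)="([^"]*)"')

def audit(text):
    """Return (line_no, found, replacement) for every pre-migration setting."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if OLD_URL in line:
            findings.append((no, OLD_URL, NEW_URL))
        for m in OLD_PRODUCT.finditer(line):
            findings.append((no, m.group(0), PRODUCTS[m.group(1)]))
        for m in ATTR.finditer(line):
            if m.group(2) != REQUIRED[m.group(1)]:
                fix = '%s="%s"' % (m.group(1), REQUIRED[m.group(1)])
                findings.append((no, m.group(0), fix))
    return findings

# Constructed sample: key names and layout are invented, not a vendor format.
SAMPLE = """\
service_url = https://ra.swisssign.net/ws/cmc
product = acme-perso-org-gold-auth
fallback_product = acme-perso-org-gold
<template signingHashAlgorithm="SHA1" signingHashAlgorithmOID="2.16.840.1.101.3.4.2.1" />
new_product = SwissSign Personal S/MIME E-Mail ID Silver
"""

if __name__ == "__main__":
    for no, found, fix in audit(SAMPLE):
        print("line %d: %s -> %s" % (no, found, fix))
```

An empty result means none of the old values remain in the scanned text; it does not confirm that the gateway can reach the new endpoint.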
Other things to remember:
- Setting up a new RA operator login: A SwissID is essential if you want access to the new platform. We ask that you follow the instructions to set up a SwissID login. For the SwissID login, it is important that you use the same email address as the one used to receive this email from SwissSign. In order to set up your SwissID login, you will also need a valid passport or ID card (Switzerland, Germany and Portugal).
- In the last few weeks, you should have already received an email from SwissSign (mpki@swisssign.com) with the access details for your new MPKI. Please log in to your new MPKI immediately and check whether the certificate products you used previously are still available. If they are not available or you wish to add further certificate products, please contact mpki@swisssign.com.
- Your new MPKI will be set up on the basis of your previous validation level. All basic settings (notifications, publications of your certificates) will be copied over and applied.
- Domains must be revalidated on the new platform if the validation was more than one year ago.
- Important: If the chain of trust is permanently stored in your CMC/interface, for example through certificate pinning, the chain of trust must be updated (→ Cert Chains 2022-1).
- Click on this link for the RA Operators Manual, which explains the operation and functionalities of the new MPKI step by step.
- The Email ID Silver product including organisation registration (only partner applications) is being replaced by the current standard Email ID Silver product (email address only). Unfortunately, for regulatory reasons we are no longer able to offer this product.
We have summarised all of the main points for you again and provided answers to the most frequently asked questions on our website.
If you have any questions, our customer service is of course available.
mpki@swisssign.com