A data security specialist by Swiss Post

Main section

4.4. CMC interface configuration for Totemo


A SwissSign MPKI has been set up for you that issues SwissSign certificates from the email gateway of the company Totemo AG.

Totemo communicates with the certification body SwissSign via the ‘CMC interface’. This makes it possible to obtain certificates automatically for email signatures and encryption.


To obtain certificates, enter the following data into the Totemo appliance:


1. In the administration console under Certificates | Issuer certificates, import the root certificate files provided by SwissSign. After importing, manually trust this by clicking on the button ‘Set as trustworthy’.


2. Import the access certificate you downloaded on swisssign.net under Certificates | Authentication certificate. This is a P12 file that contains a private key and the corresponding certificate. After importing, change the linked service via the ‘Set Auth.’  function Service on RFC 2797.


3. In the administration console, navigate to Server options | RFC 2797 connection. | Connection to set the connection-specific parameters.


Note: The values for the following properties are provided by SwissSign.

a. Enter the connection protocol using the property connection.ssl.protocol.

Example: https://

b. Specify the SwissSign CA server names using the property connection.ssl.serverName.

Example: ra.swisssign.net


c. Set the SwissSign CA server port using the property connection.ssl.serverPort.


d. Specify the request path using the information provided in the property connection.ssl.url.

Example: /ws/cmc?account=totemoag.ra&product=totemo-persogold


e. Specify the request type by setting the property 

security.pkiConnection.rfc2797.requestType to POST.

f. Set the property security.pkiConnection.rfc2797.encodeRequestBase64 to false.


4. Under Server options | RFC 2797 conn. | Connection, the PKI type must be changed by changing the property security.pkiConnection.type to rfc2797.


5. Set the issuer DN for SwissSign certificates as a value in the property security.pkiConnection.rfc2797.issuerDN. Totemomail uses this to identify which of the stored certificates have been issued by the connected SwissSign CA.


6. To allow new internal users to receive their certificates automatically from the external CA once they are issued, set the property security.pkiConnection.getFromPKIForNewIntUsers to true.


7. To allow external recipients to receive their certificates from the external CA, set the property security.pkiConnection.getFromPKIForNewRecipients to true.


8. Set the property security.pkiConnection.certSubjectDN to the value to be used by SwissSign certificates.

Note: The value of this property is provided by SwissSign. When using a SwissSign Silver PKI, the value should only contain the CN. With a SwissSign Gold PKI, the value can contain organisation-specific DN attributes.

Note: The CN attribute (only for SwissSign Gold) and the email address in the DN subject line are replaced with information that corresponds to the requesting user.


9. To activate external CAs, set the property security.pkiConnection.enabled to true.


10. Make the changes by clicking on the button ‘Apply changes’ at the top on the page ‘Settings/Properties’.



11. Restart the Totemomail service.

You will receive the following attributes from us for the Totemo appliance in the initial email:

  • Static subject part: /CN=Secure Mail: Gateway Certificate /O=Organisation name/ C=Country code

  • Account name: Account name

  • Product name: Organisation name-Product type-Exact product



Please note that no domains are activated after initial receipt of the MPKI.


Please find instructions for registering domains for free below:



The exact name of your:

  • Organisation

  • Country code

  • Account name

  • Product names

can be found in our initial email, where you can also find information about your Managed PKI account and the access certificate.