Secure Email Service (SES)

E-mail is potentially very vulnerable to data breaches. With encryption and digital signing based on S/MIME certificates, this risk can be significantly reduced.

KeyTalk makes implementation and management of S/MIME certificates easy. Whether it’s a handful or tens of thousands of users, internal or external contacts, S/MIME certificates are easy to install and standardize, without the intervention of the internal IT organization.

In practice: implementation of S/MIME within the organisation (internal)

On the user side: users install the KeyTalk app (Windows, OSX, iOS, Android, Linux), which guides them through a turnkey installation process. End-users then use the S/MIME certificates independently, which usually does not require support from the (internal) IT organisation.

Users authenticate themselves once via the app, based on their credentials in the AD. After this, an automatic request is sent to the issuing CA for the certificate. The user’s public S/MIME details are then automatically added to the secure public address book of the AD and/or LDAP/key server.

Via the KeyTalk apps, the user can easily install the certificate himself on all desired (and permitted) devices, whereby the e-mail client is automatically configured. If the OS and the mail application allow this, the use of the LDAP is also configured automatically.

After completing the installation process, encryption and digital signature of e-mails are standard, without any further action.

In practice: implementation of S/MIME outside the organisation (external)

Implementation of S/MIME for the internal organisation is an important first step. But… you also want to be able to e-mail external relations (customers, suppliers, partners, etc.) safely.

This is usually a hassle: the external customer may not yet have an S/MIME certificate, has to buy it somewhere, generate a CSR, install the certificate and the key and then share the public key with your organisation. In practice, this is unworkable.

KeyTalk solves that. With the Secure Email Service, you can easily (!) apply for a worldwide trusted e-mail certificate for third parties. There are no costs involved for these external relations.

How it works: an employee requests a certificate for his external relation via the self-service portal of the KeyTalk virtual appliance. Intervention of the IT Helpdesk is not necessary. The certificate is directly published in the KeyTalk LDAP address book and then sent to the external contact. The external contact can immediately install and use the certificate easily and independently.

Good to know for the purpose of GDPR/AVG compliance: the private key is removed from the memory of the KeyTalk server immediately after distribution.


Some technical details

  • Installation: Installation of the KeyTalk CKMS, including connection to AD, is usually completed within a few hours. The CKMS can be hosted at our secure data centres, on-premise as a virtual appliance, or in the cloud.
  • Key Roll-Over: The key associated with a certificate can be used easily and fully automatically on various devices. The KeyTalk CKMS centrally stores issued certificates and keys, protected by unique AES256 encryption. This technique is patented worldwide.
  • LDAP address book / key server: the KeyTalk CKMS provides a secure e-mail address book / key server based on LDAP. It holds the public S/MIME details of the organisation’s user population, linked to the AD, so that users’ details are automatically known to each other. The KeyTalk LDAP integrates with all regular e-mail clients and thus offers unique user-friendliness.
  • Free S/MIME certificates for external relations: users can automatically request a free S/MIME certificate with a validity of 1 year for external relations. The client will then receive an e-mail via KeyTalk with simple instructions for automatically requesting and installing the S/MIME certificate. This makes it easy to share sensitive information via e-mail with external contacts.
  • Integrations: KeyTalk has a large number of integrations with MDM solutions such as MobileIron. Certificates can, therefore, be installed at the location where the MDM solution expects them to be.
  • Multiple email addresses in one certificate: for end-users with multiple email addresses, the addresses can be added to the SAN of one S/MIME certificate as RFC 822 entries.
  • Management: Administrator access to the KeyTalk CKMS is role-based and requires, in case of strong authentication, certificate-based authentication. This can be an authentication certificate, issued and managed by the KeyTalk system, or it can be an already rolled out smart-card-based certificate. All administrator activities and automated processes are logged locally and can be exported to a SIEM system or SysLog server.

Would you like to know more?

Would you like a demo, a Proof of Concept or an in-depth technical consultation with one of our PKI experts? Feel free to contact us; we are happy to think along with you!