Multi-device accessibility of S/MIME (Key Rollover)

09 Dec ‘24

Multi-device accessibility of S/MIME (key rollover):
Limitations of CAs and the ideal solution from KeyTalk

In an era where employees switch between multiple devices every day, from laptops to smartphones, email security is becoming increasingly complex. S/MIME plays a crucial role here: it encrypts emails and authenticates the sender through digital signatures. S/MIME is a robust mechanism, but it brings a specific challenge as soon as one mailbox is used on several devices (what this post calls multi-device accessibility, or key rollover).

A major limitation is that Certificate Authorities (CAs) do not manage subscribers' private keys; their role is to vouch for identities and sign public keys, not to hold the secret material. That leaves the hardest part of an S/MIME rollout, getting the private key onto every device, to the organization itself. In this blog we discuss why this is a problem, how it is often solved clumsily, and why KeyTalk offers the ideal solution.

What is multi-device accessibility in the context of S/MIME?
Multi-device accessibility (key rollover) means that users can read and send secure emails from all their devices, whether desktop, laptop, smartphone or tablet. For encrypted mail this has a hard technical consequence: a message is encrypted to one specific certificate, and only the private key that belongs to that certificate can decrypt it. Every device must therefore hold the S/MIME certificate together with exactly the same private key. Giving each device its own key pair would let that device sign, but it could not read mail that was encrypted to the certificate senders already have on file.

In theory this sounds simple, but in practice it is a complex process. The private key must be stored securely on each device and must still be available there whenever an encrypted message arrives. This is where we run into a fundamental property of the traditional PKI ecosystem.

The limitations of Certificate Authorities (CAs)
CAs play a central role in issuing S/MIME certificates. They verify the applicant's identity and control of the email address, and they sign a certificate that binds that identity to a public key. What a CA does not do is hold or manage the subscriber's private key. In the standard PKI model the key pair is generated by or for the subscriber, the CA only ever sees the public key in the certificate signing request, and the private key stays under the subscriber's control. This separation is a deliberate, fundamental principle of Public Key Infrastructure: if a CA held private keys, a breach or a dishonest insider at the CA could decrypt and sign as every one of its subscribers, which would undermine trust in the whole system. Users trust that their private keys are accessible only to authorized persons.

Despite this, some CAs, such as DigiCert, Sectigo, or GlobalSign, advertise S/MIME certificate management and automation. In practice this usually means that the issuance and renewal of certificates is automated, while distributing the private key to each device is still left to the user or the IT department. Automated issuance therefore does not solve multi-device accessibility, which is a key distribution problem rather than a certificate issuance problem, and it remains a laborious task for IT departments.

How is multi-device accessibility often handled?
In practice, organizations and users try to make S/MIME certificates available on multiple devices in two ways. However, these methods are often cumbersome and pose risks.

  1. Manual export and import

The most common approach is for users to export the private key and certificate from one device, typically as a password-protected PKCS#12 (.p12 or .pfx) file, and import that file manually on each other device. The process is technical and error-prone, and the file tends to travel insecurely: emailed to oneself, parked on a shared drive or in a download folder, protected by a weak or reused password. Whoever obtains the file and its password holds the key itself and can read and sign as the user, which sharply increases the risk of compromise.

  2. Use of hardware tokens

Some organizations store private keys on hardware tokens such as smart cards or USB tokens, which can be plugged into different devices in turn. The drawback is that the user must always carry the token, which is impractical in a mobile work environment and awkward at best with smartphones and tablets. Moreover, because the key on such a token is deliberately non-exportable, loss or damage to the token means permanent loss of access to every email encrypted to that certificate, unless a separate backup of the key exists, and that backup reintroduces the very distribution problem the token was meant to avoid.

 

 

Why KeyTalk offers the ideal solution, even with certificates from a public CA
KeyTalk uses an innovative approach that bypasses the limitations of traditional methods, even when working with S/MIME certificates issued by public CAs. This is crucial, as public CAs are the standard for email certificates trusted by major email clients such as Microsoft Outlook, Apple Mail, and Gmail.

  1. Dynamic certificate management with public CAs

KeyTalk integrates seamlessly with public CAs and can automatically request and manage certificates on behalf of the user. Users thus receive certificates trusted by all major email clients, while KeyTalk takes the complexity of managing them off their hands.

  2. Certificate transfer without compromises

KeyTalk eliminates the need to manually export or share private keys. Instead, the platform retrieves the certificate from the CA and generates the private key centrally, and then distributes both securely to the device or to the Mobile Device Management (MDM) software that manages it. Note what this changes: the private key now exists at the platform rather than only on the user's devices, so the platform takes on the role a careful organization would otherwise assign to a key escrow, with the access controls and auditing that role requires. The upside is that a lost or replaced device no longer means lost access to encrypted mail, because the same key can be issued to its successor.

  3. Automatic configuration of email clients

Through integrations with Mobile Device Management (MDM) solutions such as Microsoft Intune and MobileIron, KeyTalk can automatically configure the email clients on managed devices for S/MIME. Both the certificate and the S/MIME usage settings (which certificate to sign with, which to encrypt with, and whether signing and encryption are on by default) are applied automatically. The benefits of this automation:

  • Users don't have to go through complex configuration steps.
  • IT teams save time and minimize the chance of configuration mistakes.
  • Multi-device access to encrypted emails becomes seamless for end users and admins alike.

  4. Secure multi-device accessibility

KeyTalk lets users work with their S/MIME certificates on multiple devices with ease. Every device the user has under management is registered and authenticated via KeyTalk, and each registered device then automatically receives the certificate together with exactly the same private key. The benefits:

  • Users can switch between devices seamlessly, without manual configuration.
  • IT administrators retain control over which devices have access to which certificates, and a device that is no longer trusted can simply be left out of that set.

  5. Central integration with public CAs

The platform offers organizations a central management environment for requesting, renewing, and revoking certificates issued by public CAs. Certificate management is thus automated without compromising compliance or user convenience. The benefits:

  • Certificate renewal happens automatically and without service interruption. One caveat applies to any S/MIME renewal that produces a new key pair: messages encrypted to the previous certificate remain readable only as long as that older private key also stays available on the devices, so the old key has to be kept alongside the new one rather than simply replaced.
  • Organizations meet compliance requirements while benefiting from a simplified workflow.

Conclusion

Multi-device accessibility (key rollover) of S/MIME certificates is essential in a world where employees use several devices for email. The role of Certificate Authorities, however, stops at the certificate: they do not hold or distribute private keys, so the secure and convenient management of those keys across devices is left to the organization. Although CAs claim to automate S/MIME certificate management, they do not solve this fundamental problem of private key management, which makes their solutions incomplete and cumbersome in practice.

KeyTalk offers an innovative and secure solution by dynamically managing and distributing S/MIME certificates from public CAs. The certificate and the exact same private key are generated centrally by the platform and then securely distributed to the user's various devices. Through integration with MDM solutions such as Intune and MobileIron, KeyTalk automatically configures the email clients for S/MIME, making multi-device accessibility seamless. Organizations can thus improve the security of their email communication without sacrificing usability. With KeyTalk, the complex world of S/MIME certificates becomes manageable, even in the most diverse and mobile IT environments.

Curious about what multi-device accessibility of S/MIME and the KeyTalk CKMS can do for your organization? Contact us by filling out the contact form below and discover how we can help you optimize your certificate management.

The KeyTalk team

Contact us

If you are interested in what we can do for your organisation with PKI / CLM management after reading our blog, please fill in the contact form below and we will contact you right away.