
Root Cause

The alert indicates that certain imported or pre-imported CA certificates have expired. The related CA certificates are listed under Administration > IMSVA Configuration > Transport Layer Security > Trusted CA Certificates. Refer to the following screenshot. Note that the certificates with “No” in the Valid column are the ones that triggered the alert.

The IMSVA installation package comes with many pre-imported CA certificates, and many of them are now expired.


Impact

These CA certificates are used to authenticate the sending MTAs’ identity (for Messages Entering IMSVA) and the receiving MTAs’ identity (for Messages Exiting IMSVA). Because many MTAs on the Internet are not configured with certificates signed by a valid CA, authenticating MTAs by verifying their certificates will result in many false alarms. Therefore, by default, IMSVA will NOT authenticate sending/receiving MTAs by verifying their certificates. This means that, by default, these CA certificates are not used at all.

To verify whether your IMSVA is impacted by the invalid CA certificates, check whether any of your TLS settings are set to “Verify” under Security Level, which is Opportunistic by default. Refer to the following screenshot:

Entering IMSVA

Exiting IMSVA

 
If you have enabled or will need to enable “Verify” for specific domains, you can ask the domain owners to provide their CA certificates, or you can download them if those CA certificates are publicly available, and then import them via the IMSVA console. Refer to the next section for details.

If none of your TLS settings use “Verify”, the issue doesn’t impact your IMSVA. You can safely delete all pre-imported certificates to avoid the alert message.

  1. Open the IMSVA web console and navigate to Administration > IMSVA Configuration > Transport Layer Security > Trusted CA Certificates.
  2. Select the invalid certificates whose Valid column is in red and click Delete. Alternatively, you can delete all the pre-imported CA certificates in the list while keeping the ones you imported.
    Refer to the following screenshot:

    Deleting the expired certificate

  1. Convert the CA certificate file to PEM format. You may refer to this article: DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them
  2. Open the IMSVA web console and navigate to Administration > IMSVA Configuration > Transport Layer Security > Trusted CA Certificates.
  3. Click Import, select the CA certificate file and then import it.

    Importing a new certificate
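
An added example (not from the original article or from Trend Micro) covering step 1 of the import procedure: it re-encodes a CA certificate as PEM whether the input file is PEM or DER, and checks the expiry date so that an already expired certificate is not imported. It assumes the `openssl` command-line tool is installed on the workstation; the function name `ca_to_pem` and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example: prepare a CA certificate file for import into IMSVA.
# Usage: ca_to_pem <input-cert> <output.pem> [min-seconds-left]
# Return codes:
#   0 = PEM file written, certificate still valid
#   1 = PEM file written, but certificate is expired
#       (or expires within min-seconds-left seconds)
#   2 = input is not a readable X.509 certificate
ca_to_pem() {
    in=$1
    out=$2
    min_left=${3:-0}
    converted=no

    # The file extension (.crt, .cer, .der, .pem) does not reliably tell
    # the encoding, so try both input encodings and always write PEM.
    for fmt in PEM DER; do
        if openssl x509 -in "$in" -inform "$fmt" \
                -outform PEM -out "$out" 2>/dev/null; then
            converted=yes
            break
        fi
    done
    if [ "$converted" != yes ]; then
        rm -f "$out"
        echo "error: $in is not an X.509 certificate (PEM or DER)" >&2
        return 2
    fi

    # Show what is about to be imported so it can be compared with the
    # entry that later appears under Trusted CA Certificates.
    openssl x509 -in "$out" -noout -subject -enddate

    # -checkend N exits non-zero if the certificate expires within N seconds;
    # N=0 means "already expired".
    if ! openssl x509 -in "$out" -noout -checkend "$min_left" >/dev/null; then
        echo "warning: $in is expired or expires within ${min_left}s" >&2
        return 1
    fi
    return 0
}
```

For example, `ca_to_pem partner-ca.cer partner-ca.pem 2592000` also flags a certificate that expires within the next 30 days; `partner-ca.cer` is a placeholder file name.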