When you log on to the IMSVA web console, the following warning message appears:
"Invalid CA certificates detected."
The alert indicates that certain imported or pre-imported CA certificates have expired. The related CA certificates are listed under Administration > IMSVA Configuration > Transport Layer Security > Trusted CA Certificates. Refer to the following screenshot. Note that the certificates with “No” in the Valid column are the ones that triggered the alert.
The IMSVA installation package comes with many pre-imported CA certificates, and many of them are now expired.
These CA certificates are used to authenticate the sending MTAs’ identity (for Messages Entering IMSVA) and the receiving MTAs’ identity (for Messages Exiting IMSVA). Because many MTAs on the Internet are not configured with certificates signed by a valid CA, authenticating MTAs by verifying their certificates will result in many false alarms. Therefore, by default, IMSVA will NOT authenticate sending/receiving MTAs by verifying their certificates. This means that, by default, these CA certificates are not used at all.
To verify if your IMSVA is impacted by the invalid CA certificates, check if any of your TLS settings are set to “Verify” in Security Level, which is Opportunistic by default. Refer to the following screenshot:
If you have enabled or will need to enable “Verify” for specific domains, you can ask the domain owners to provide their CA certificates, or you can download them if those CA certificates are publicly available, and then import them via the IMSVA console. Refer to the next section for details.
If none of your TLS settings use “Verify”, the issue doesn’t impact your IMSVA. You can safely delete all pre-imported certificates to avoid the alert message.
Deleting the expired certificates
- Open the IMSVA web console and navigate to Administration > IMSVA Configuration > Transport Layer Security > Trusted CA Certificates.
- Select the invalid certificates whose Valid column is in red, and click Delete. Alternatively, you can delete all the pre-imported CA certificates in the list, while keeping the ones you imported.
Refer to the following screenshot:
Importing a new certificate
- Convert the CA certificate file to PEM format. You may refer to this article: DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them
- Open the IMSVA web console and navigate to Administration > IMSVA Configuration > Transport Layer Security > Trusted CA Certificates.
- Click Import, select the CA certificate file and then import it.
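The conversion step above, together with a validity check, as an added example that is not part of the original article or of IMSVA: it normalises a DER or PEM file to PEM and confirms the result is a CA certificate with enough validity left, so an already expired certificate is not imported. The function names, the 30-day default margin and the constructed test certificate produced by make_sample are assumptions; the openssl command-line tool is required.

```shell
#!/bin/sh
# Added example: normalise a CA certificate to PEM and vet it before import.
# Function names and the 30-day margin are assumptions, not IMSVA settings.

# to_pem IN OUT: write IN to OUT as PEM, whether IN is PEM or DER encoded.
to_pem() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        openssl x509 -in "$1" -out "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2"
    fi
}

# vet_ca PEM [MIN_SECONDS]: return 0 only if PEM is a CA certificate that
# stays valid for at least MIN_SECONDS (default 2592000 = 30 days).
#   1 = expired or expiring inside the margin
#   2 = not a CA certificate (no CA:TRUE basic constraint)
#   3 = file is not a readable PEM certificate
vet_ca() {
    pem=$1
    margin=${2:-2592000}
    openssl x509 -in "$pem" -noout 2>/dev/null || return 3
    openssl x509 -in "$pem" -noout -checkend "$margin" >/dev/null || return 1
    openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE' || return 2
    return 0
}

# make_sample DIR TRUE|FALSE: constructed self-signed test certificate,
# valid for one day, written to DIR/cert.pem. For trying the functions only.
make_sample() {
    cat > "$1/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = Constructed Sample
[ext]
basicConstraints = critical,CA:$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/req.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}
```

Run to_pem on the file you received, then vet_ca on the output, and import the PEM file only when vet_ca returns 0.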