Is there a way to sign outgoing email with a wildcard certificate?

We have a domain with a CA, and USB tokens have been bought so that users log in with a password and a key. We set them up and distribute the user certificate (created in the centre) via USB. All the logistics work.
It is also possible to sign mail with the same certificate, but it is a local certificate and will work normally only within the domain: if you send a signed message to the intranet, the client will mark it as spam, because it is impossible to verify the certificate since it is issued by a local centre.
The most obvious option is of course to order a ton of personal certificates matching the staff's mail addresses, but then what is the point of the local centre? With 200 users, you will have to buy 200 certificates.
Is there any option of some type of wild card? Say I buy a certificate for the domain and create the others on the basis of it?
How do you even implement that?
April 4th 20 at 13:14
2 answers
April 4th 20 at 13:16
Solution
Is there any option of some type of wild card?

No.

For three reasons.

1. A domain certificate may lack the right EKU (Extended Key Usage). To identify a server, the EKU TLS Web Server Authentication is commonly used, while signing/encrypting mail needs the EKU E-Mail Protection, and it is not a given that the CA will put it in the certificate; most likely it will not.
2. An email client will not be able to use a certificate where emailAddress in the Subject field does not match the mailbox being configured; it simply will not allow it (Outlook will not find anything at all, TB will ignore it).
3. Commercial CAs also know perfectly well that to protect mail everyone needs a personal certificate, and this is why they sell them individually :) Although GlobalSign, for example, has an enterprise PKI service: you are given something like an intermediate CA whose root is GlobalSign, and within some capacity you issue certificates yourself. For money, naturally.
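
The first two checks from the answer above (EKU and address match), as an added example that is not part of the original answer. It assumes OpenSSL 1.1.1 or newer on the PATH; the certificates, names and example.test addresses are constructed for the demonstration.

```sh
#!/bin/sh
# Added example. All names and addresses are constructed (example.test).
WORK=$(mktemp -d)

# make_cert NAME SUBJECT EKU: throwaway self-signed certificate in $WORK/NAME.pem
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "$2" -addext "extendedKeyUsage=$3" 2>/dev/null
}

# smime_usable CERT ADDRESS: print "ok", or the reason the certificate
# cannot be used to sign mail sent from ADDRESS.
smime_usable() {
    # Check 1: the EKU must permit E-Mail Protection (S/MIME signing).
    if ! openssl x509 -in "$1" -noout -purpose |
            grep -q '^S/MIME signing : Yes'; then
        echo "eku-missing-emailProtection"; return 1
    fi
    # Check 2: the certificate must name the sender's address
    # (subjectAltName e-mail entry, or emailAddress in the Subject).
    if ! openssl x509 -in "$1" -noout -checkemail "$2" |
            grep -q 'does match certificate'; then
        echo "address-mismatch"; return 1
    fi
    echo "ok"
}

# A wildcard server certificate and two personal mail certificates.
make_cert wildcard "/CN=*.example.test" serverAuth
make_cert alice "/CN=Alice/emailAddress=alice@example.test" emailProtection
make_cert bob "/CN=Bob/emailAddress=bob@example.test" emailProtection

# Which of them could sign mail sent as alice@example.test?
for c in wildcard alice bob; do
    printf '%-8s -> %s\n' "$c" \
        "$(smime_usable "$WORK/$c.pem" alice@example.test)"
done
```

Only the certificate that carries both the E-Mail Protection EKU and the sender's own address passes; trust in the issuing CA is a separate check that this script does not perform.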
April 4th 20 at 13:18
You can. It's called S/MIME email.
Those who do not understand the S/MIME format will just get an additional file.

https://sectigo.com/enterprise/sectigo-certificate...

And yes, S/MIME is better done for each individual.
Paying for additional certificates is not necessary (although some like to).
So the bottom line is that the certificates will be issued locally; what's the point in them if no one recognizes them?
It turns out a separate certificate will have to be issued in any case. - katlynn_Marks commented on April 4th 20 at 13:21
@hunter.Hil, via the link above you can issue yourself a mail certificate for your domain to understand how it works. Of course, a self-signed one will be relevant only in your narrow circle. - christ11 commented on April 4th 20 at 13:24
