Auto Certificate Issuance

Automatic Certificate Issuance (Certificate Sync)

Automatic certificate issuance in Conbool enables central, policy-based management and synchronization of S/MIME certificates for groups.
This function ensures that all group members automatically receive a valid certificate — without manual intervention.

How It Works

Conbool regularly checks all users assigned to a group with activated certificate synchronization.
If no private certificate exists in the store for a user, a new certificate is automatically issued.
Existing certificates are renewed in time before expiration.

Issuance is performed via the source defined in the group setup — either an internal CA or a connected MPKI (e.g., SwissSign).

Activation

1. Open Group Management → Select Group in the menu.
2. Go to Step 4: Sync in the wizard.
3. Enable the "Activate Sync" toggle.
4. Select the desired provider:
   • Internal CA – for internal, self-signed certificates
   • SwissSign – for certificates from a connected SwissSign MPKI
5. If SwissSign is selected, choose the desired product profile (e.g., S/MIME Email ID Silver).
6. Save the settings or proceed with "Next".

After activation, Conbool automatically generates new certificates for all group members who do not yet have their own certificate.

Certificate Sync

• The sync ensures that certificates always remain current.
• Before expiration, certificates are automatically renewed (by default 15 days before expiration).

Rules

• Automatic issuance only takes effect when no private certificate exists in the store.
• No new issuance is performed for existing certificates.
• Renewals are performed automatically as long as the user remains a group member.
• Manual issuance is still possible via the S/MIME → Add Certificate section.

See also

• Groups – Group management and user assignment for automatic certificate issuance.
• Managed PKI – Connection to an external PKI like SwissSign for automatic certificate management.