Required TLS certificates and keys

In order to use TLS in Secure Email Gateway, you need to obtain the following items first, then import them to the Gateway.

Security type	Required item
Encryption	Certificate Authority (CA) signing certificate The certificate of the certificate authority that signed the key certificate. It contains the certificate authority's own public key. Also known as "root certificate".
	TLS server The TLS server is the message recipient. private key The secret key kept on the sender's computer that the sender uses to digitally sign messages to recipients and to decrypt messages from recipients. Private keys should be password protected. and certificate A digital means of proving your identity. When you send a digitally-signed message, you are sending your certificate and public key. Certificates are issued by a certification authority and can expire or be revoked. signed by CA
	TLS client The TLS client is the message sender. private key and certificate signed by CA
Validation	Partner CA signing certificates

Important

• Certificates and keys must be in PEM (Privacy-Enhanced Mail) A widely-used standard for storing digital certificates. A PEM-format file can contain all of the private keys, public keys, and X.509 certificates. PEM-format files can have a variety of extensions (.pem, .key, .cer, .csr, and so on). format.

  PEM-format files can have a variety of extensions (e.g. .pem, .key, .cer, .csr). Be aware that the listed extensions can also be binary, which is not supported.

• The signed certificate for TLS server communication should be configured for server identification usage. The signed certificate for TLS client communication should also be configured for client identification usage. The same signed certificate may be used for both TLS client and TLS server communication if it is configured for both client validation and server validation.

• To validate the certificates of the TLS clients and servers you communicate with, their CA signing certificates must be copied to: /etc/pki/ca-trust/source/anchors/.

• To help you test TLS communication between the Gateway and a test email server, the Gateway comes with a trial private key, signed certificate, and CA signing certificate already installed.

• If you do not want to purchase a digital certificate from a third-party CA, or if you want to use digital signing immediately, you can create your own self-signed TLS certificate.

From version 5.7.0 onwards, you will no longer be able to use SHA1 certificates in Secure Email Gateway. We recommend using SHA256 or more secure certificates.

See also...

• Create TLS private key and CSR
• Obtain CA-signed or self-signed TLS certificate
• Import TLS certificates and private keys