Required TLS certificates and keys
To use TLS in Secure Email Gateway, you must first obtain the required certificates and keys and then import them into the Gateway. The items you import must meet the following requirements.
Important

- Certificates and keys must be in PEM (Privacy-Enhanced Mail) format. PEM is a widely-used, Base64-encoded text format for storing digital certificates; a single PEM file can contain private keys, public keys, and X.509 certificates. PEM-format files can have a variety of extensions (for example .pem, .key, .cer, .csr). Be aware that files with these same extensions can also contain binary (DER-encoded) data, which is not supported.
- The signed certificate used for TLS server communication must be configured for server authentication (the serverAuth extended key usage), and the signed certificate used for TLS client communication must be configured for client authentication (the clientAuth extended key usage). The same signed certificate may be used for both TLS client and TLS server communication if it carries both usages.
- To validate the certificates of the TLS clients and servers you communicate with, their CA signing certificates must be copied to /etc/pki/ca-trust/source/anchors/.
- To help you test TLS communication between the Gateway and a test email server, the Gateway comes with a trial private key, signed certificate, and CA signing certificate already installed.
- If you do not want to purchase a digital certificate from a third-party CA, or if you want to start using TLS immediately, you can create your own self-signed TLS certificate. Note that the peers you communicate with will trust a self-signed certificate only if they have installed it as a trust anchor themselves.
Note

From version 5.7.0 onwards, certificates signed with SHA-1 can no longer be used in Secure Email Gateway. We recommend certificates signed with SHA-256 or a stronger hash algorithm.
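The requirements above (PEM rather than binary DER encoding, server and client authentication usages, a CA signing certificate placed under /etc/pki/ca-trust/source/anchors/, no SHA-1 signature) and the self-signed certificate option, worked through on the OpenSSL command line. This is an added example, not code from the Secure Email Gateway documentation or product. It assumes that openssl is on PATH and that the appliance uses the RHEL-style trust store, in which a copied anchor is only used after `update-ca-trust extract`; the hostname mail.example.test, the script name tls_precheck.sh and all function names are made up for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the Secure Email Gateway documentation. Assumes
# `openssl` on PATH and the RHEL-style /etc/pki/ca-trust trust store, where
# new anchors take effect only after `update-ca-trust extract`. Names are made up.
set -eu

# Create a self-signed certificate signed with SHA-256. A "leaf" certificate
# carries BOTH serverAuth and clientAuth, so one certificate serves the Gateway
# as TLS server and as TLS client; "ca" produces a test signing CA instead.
make_self_signed() {   # $1 = key path, $2 = cert path, $3 = leaf (default) | ca
  local key="$1" cert="$2" kind="${3:-leaf}" cfg bc ku cn
  if [ "$kind" = ca ]; then
    bc='CA:TRUE'; ku='keyCertSign, cRLSign'; cn='Example Test CA'
  else
    bc='CA:FALSE'; ku='digitalSignature, keyEncipherment'; cn='mail.example.test'
  fi
  cfg="$(mktemp)"
  cat >"$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $cn
[ext]
basicConstraints = critical, $bc
keyUsage = critical, $ku
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:mail.example.test
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$key" -out "$cert" -config "$cfg" 2>/dev/null
  rm -f "$cfg"
}

# Print "pem" or "der" for a certificate file and write a PEM copy to $2.
# Fails if the file is neither (a PKCS#12 bundle, a key, a CSR, ...).
ensure_pem_cert() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    cp "$1" "$2"; echo pem
  else
    openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null || return 1
    echo der
  fi
}

# Succeed if the Extended Key Usage lists $2, e.g. "TLS Web Server Authentication".
has_eku() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$2"
}

# Print the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
sig_alg() {
  openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ {print $3; exit}'
}

# Succeed only if the private key belongs to the certificate.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Run every pre-import check on a certificate (PEM or DER) and its PEM key.
# Prints one line per check and returns 0 only if all of them pass.
check_pair() {
  local cert="$1" key="$2" pem fmt alg ok=0
  pem="$(mktemp)"
  if ! fmt="$(ensure_pem_cert "$cert" "$pem")"; then
    echo "format:     unreadable (neither PEM nor DER)"; rm -f "$pem"; return 1
  fi
  echo "format:     $fmt"
  has_eku "$pem" 'TLS Web Server Authentication' && echo "serverAuth: yes" || { echo "serverAuth: MISSING"; ok=1; }
  has_eku "$pem" 'TLS Web Client Authentication' && echo "clientAuth: yes" || { echo "clientAuth: MISSING"; ok=1; }
  alg="$(sig_alg "$pem")"
  case "$alg" in
    sha1*|*SHA1) echo "signature:  $alg (SHA-1, rejected from 5.7.0)"; ok=1 ;;
    *)           echo "signature:  $alg" ;;
  esac
  key_matches_cert "$pem" "$key" && echo "key match:  yes" || { echo "key match:  NO"; ok=1; }
  rm -f "$pem"
  return $ok
}

# Copy a CA signing certificate into the trust anchors and rebuild the bundle.
# Only CA certificates belong there; a leaf certificate is refused.
# $2 overrides the anchors directory (for testing without root).
install_ca_anchor() {
  local ca="$1" anchors="${2:-/etc/pki/ca-trust/source/anchors}"
  if ! openssl x509 -in "$ca" -noout -text | grep -q 'CA:TRUE'; then
    echo "refusing to install non-CA certificate as anchor: $ca" >&2; return 1
  fi
  install -m 0644 "$ca" "$anchors/"
  if [ "$anchors" = /etc/pki/ca-trust/source/anchors ]; then
    update-ca-trust extract   # without this the new anchor is not used
  fi
}

# Usage: tls_precheck.sh CERT KEY [CA_CERT]  (CA_CERT is installed as an anchor)
if [ "$#" -ge 2 ]; then
  check_pair "$1" "$2"
  if [ "$#" -ge 3 ]; then install_ca_anchor "$3"; fi
fi
```

Run it as `tls_precheck.sh cert.pem key.pem ca.pem` on the files you intend to import. A DER-encoded certificate is reported and converted rather than silently accepted, a certificate missing either usage or signed with SHA-1 fails the check, a key that does not belong to the certificate is caught before import, and a leaf certificate is refused as a trust anchor because only the CA signing certificate belongs in the anchors directory. The self-signed path (make_self_signed) produces a certificate carrying both usages, which is the case in the list above where one certificate serves both TLS client and TLS server communication.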