Administration - Secure Socket Layer (SSL) Certificates

Updated

This article describes what a Secure Socket Layer (SSL) certificate is, why they are required for secure protocols, and which are accepted by Mimecast. It includes supported certificates, encryption protocols, and configuration for secure communication across various services like Journaling, LDAP, and SMTP.

Introduction

An SSL certificate enables encryption of all information moving across the specified protocol. For some Mimecast connections, administrators have the option to use unencrypted or encrypted connections. This includes:

  • Journaling (POP3 vs. POP3S).
  • Directory Synchronization (LDAP vs. LDAPS).
  • Email processing (SMTP vs. TLS).

To use any of these secure protocols, a public SSL certificate is required to be installed and configured in the customer's local environment.

Mimecast supports:

  • Connections using TLS 1.2 & 1.3 for AES-256.
  • Self-signed certificates in certain instances (e.g., LDAP Authentication). In this instance, setting the encryption mode to "Relaxed." permits encryption with self-signed certificates and other valid certificates that may not have a complete trust chain.

You may be concerned about sending or receiving clear text traffic across the internet, as it is possible to intercept the data in transit. If so, certificates can be used for those connections between Mimecast and their environment. This ensures all traffic between Mimecast and the customer site is encrypted via an SSL tunnel.

Supported SSL Certificates

Mimecast supports both 1024-bit and 2048-bit certificates. The list below covers all the SSL certificates that Mimecast supports:

  • actalis authentication root ca
  • addtrust class 1 ca root
  • addtrust external ca root
  • addtrust external ca root (utn-user- first-hardware,ou=http
  • addtrust public ca root
  • addtrust qualified ca root
  • affirmtrust networking ca
  • america online root certification authority 1
  • america online root certification authority 2
  • aol member ca (america online root certification authority 1,o=america online inc.,c=us)
  • baltimorecodesigningca
  • baltimorecybertrustca
  • Certigna Root ca
  • certplus class 1 primary ca
  • certplus class 2 primary ca
  • certplus class 3 primary ca
  • certplus class 3p primary ca
  • certplus class 3ts primary ca
  • comodo aaa certificate services
  • comodo certification authority (utn - datacorp sgc,ou=http
  • comodo high assurance secure server ca (comodo certification authority)
  • comodo high-assurance secure server ca (addtrust external ca root)
  • comodo secure certificate services
  • comodo trusted certificate services
  • cybertrust global root
  • cyberTrust Secure Server
  • cybertrust sureserver ev ocsp ca (cybertrust global root)
  • cybertrust sureserver standard validation ca (gte cybertrust global root)
  • deutsche bank group root ca 3
  • deutsche bank secure e-mail ca 3 (deutsche bank group root ca 3,ou=pki,o=deutsche bank ag,c=de)
  • deutsche bank server ca 2 (deutsche bank group root ca 3,ou=pki,o=deutsche bank ag,c=de)
  • deutsche telekom ca 6 (gte cybertrust global root,ou=gte cybertrust solutions\)
  • deutsche telekom root ca 1
  • deutsche telekom root ca 2
  • digicert assured id ca-1 (digicert assured id root ca)
  • digicert assured id code signing ca-1 (digicert assured id root ca)
  • digicert assured id root ca
  • digicert ecc secure server ca (digicert global root ca)
  • digicert global ca (2048)(entrust.net certification authority (2048))
  • digicert global ca (entrust.net secure server certification authority)
  • digicert global ca-1 (digicert global root ca)
  • digicert global root ca
  • digicert global root g2
  • digicert high assurance ca-3 (digicert high ass- urance ev root ca)
  • digicert high assurance ca-3 (digicert high assurance ev root ca,ou=www.digicert.com,o=digicert inc,c=us)
  • digicert high assurance code signing ca-1 (digicert high assurance ev root ca)
  • digicert high assurance ev ca-1 (digicert high ass- urance ev root ca)
  • digicert high assurance ev root ca
  • digicert high assurance ev root ca (entrust.net secure server certification authority,ou=(c) 1999 entrust.net limited,ou=entrust.net incorp. by ref. (limits liab.),o=entrust.net,c=us)
  • digicert secure server ca (digicert global root ca)
  • digicert sha2 secure server ca (digicert global root ca)
  • digicert sha2 High Assurance Server CA
  • DigiCert TLS RSA SHA256 2020 CA1
  • entrust certification authority - l1b (entrust.net cer- tification authority (2048),ou=(c) 1999 entrust.net limited,ou=entrust.net incorp. by ref. (limits liab.),o=entrust.net)
  • entrust certification authority - l1c (entrust.net certification authority (2048),ou=(c) 1999 entrust.net limited,ou=entrust.net incorp. by ref. (limits liab.),o=entrust.net)
  • entrust certification authority - l1e (entrust root certification authority,ou=(c) 2006 entrust\)
  • entrust root certification authority
  • entrust root certification authority (entrust.net se- cure server certification authority,ou=(c) 1999 entrust.net limited,ou=entrust.net incorp. by ref. (limits liab.),o=entrust.net,c=us)
  • entrust root certification authority - g2
  • Entrust Certification Authority - L1K
  • Entrust OV TLS Issuing RSA CA 2
  • entrust.net certification authority (2048)
  • entrust.net certification authority (2048)(entrust.net secure server certification authority,ou=(c) 1999 entrust.net limited,ou=entrust.net incorp. by ref. (li- mits liab.),o=entrust.net,c=us)
  • entrust2048ca
  • entrustclientca
  • entrustglobalclientca
  • entrustgsslca
  • entrustsslca
  • equifax digitary trust network (equifax secure ebusiness ca-1,o=equifax secure inc.,c=us)
  • equifax premium certificate authority
  • equifaxsecureca
  • equifaxsecureebusinessca1
  • equifaxsecureebusinessca2
  • equifaxsecureglobalebusinessca1
  • essentialssl ca (comodo certification authority,o=comodo ca limited,l=salford,st=greater manchester,c=gb)
  • eunet international root ca
  • geotrust ca for adobe (adobe root ca,ou=adobe trust services,o=adobe systems incorporated,c=us)
  • geotrust dv ssl ca (geotrust global ca)
  • geotrust extended validation ssl ca (geotrust pri- mary certification authority)
  • geotrust global ca
  • geotrust global ca 2
  • geotrust mobile device root - privileged
  • geotrust mobile device root - unprivileged
  • geotrust primary certification authority
  • geotrust primary certification authority - g2
  • GeoTrust Primary Certification Authority - g3
  • geotrust ssl ca (geotrust global ca)
  • geotrust true credentials ca 2 (equifax secure ebusiness ca-1,o=equifax secure inc.,c=us)
  • geotrust universal ca
  • geotrust universal ca 2
  • geotrust EV SSL CA - G4
  • geotrustglobalca
  • globalsign (globalsign root ca)
  • globalsign domain validation ca (globalsign root ca)
  • globalsign domain validation ca - g2 (globalsign root ca)
  • globalsign extended validation ca (globalsign)
  • globalsign extended validation ca - g2 (globalsign)
  • globalsign organization validation ca (globalsign root ca)
  • globalsign organization validation ca - g2 (global-sign root ca)
  • globalsign primary secure server ca (globalsign root ca)
  • globalsign root ca
  • GlobalSign Root CA - R3
  • GlobalSign Root CA - R6
  • globalsign rootsign partners ca (globalsign root ca)
  • globalsign serversign ca (globalsign primary secu- re server ca)
  • globalsign-rc2
  • go daddy class 2 certification authority - microsoft code verification
  • go daddy root certificate authority - g2
  • go daddy root certificate authority - g2 (microsoft code verification root)
  • go daddy secure certificate authority - g2 (go daddy root certificate authority - g2)
  • go daddy secure certification authority
  • godaddyclass2ca
  • gtecybertrustglobalca
  • HARICA Client RSA Root CA 2021
  • HARICA TLS RSA Root CA 2021
  • IdenTrust Commercial Root CA 1
  • ISRG Root X2
  • microsoft root authority
  • NETLOCK Trust Qualified EV CA 3
  • network solutions certificate authority
  • network solutions certificate authority (utn-user- first-hardware,ou=http
  • network solutions ev ssl ca (network solutions certificate authority,o=network solutions l.l.c.,c=us)
  • OU=certSIGN ROOT CA G2
  • OU=Security Communication RootCA2
  • quovadis eu issuing certification authority (quova- dis root certification authority)
  • quovadis eu qualified issuing certification authority (quovadis root certification authority)
  • quovadis global ssl ica (quovadis root ca 2,o=quovadis limited,c=bm)
  • quovadis grid ica (quovadis root certification authority)
  • quovadis ica 3 (quovadis root certification authority,ou=root certification authority,o=quovadis limited,c=bm)
  • quovadis issuing ca g3 (quovadis root certification authority)
  • quovadis qualified issuing certification authority 1 (quovadis root certification authority)
  • quovadis root ca 2
  • quovadis root ca 2 (quovadis root certification authority,ou=root certification authority,o=quovadis limited,c=bm)
  • quovadis root ca 3
  • quovadis root certification authority
  • quovadis suisseid advanced ca (quovadis root certification authority)
  • quovadis suisseid qualified ca (quovadis root certification authority)
  • quovadis swiss advanced ca (quovadis root certification authority)
  • qv schweiz ica (quovadis root certification authority,ou=root certification authority,o=quovadis limited,c=bm)
  • register.com
  • register.com ca ssl services (dv) (utn-userfirst-hardware)
  • register.com ca ssl services (ov) (utn-userfirst-hardware)
  • Security Communication RootCA2
  • Sectigo Public Server Authentication Root R46
  • siemens business services trust center root-ca v1.1.1
  • siemens issuing ca ee enc (siemens business services trust center root-ca v1.1.1,ou=copyright (c) siemens business services 2003 all rights reserved,o=siemens,c=de)
  • ssl.com root certification authority RSA 
  • starfield class 2 certification authority - microsoft code verification
  • starfield root certificate authority - g2
  • starfield root certificate authority - g2 (microsoft code verification root)
  • starfield secure certificate authority - g2 (starfield root certificate authority - g2)
  • starfield secure certification authority
  • starfield secure certification authority (http
  • starfield services root certificate authority
  • starfield services root certificate authority - g2
  • starfield services root certificate authority - g2 (starfield services root certificate authority)
  • starfieldclass2ca
  • startcom certification authority
  • startcom certification authority g2
  • startcom extended validation client ca (startcom certification authority)
  • startcom extended validation server ca (startcom certification authority)
  • startfiled_cross_intermediate
  • swisscom
  • swisscom customer ca 2 (swisscom root ca 2)
  • swisscom customer root ca 1 (swisscom root ca 1)
  • swisscom diamant ca 1 (swisscom root ca 1)
  • swisscom diamant ca 2 (swisscom root ca 2)
  • swisscom diamant suisseid ca 2 (swisscom root ca 2)
  • swisscom quartz ev ca 1 (swisscom root ev ca 1)
  • swisscom quarz ev ca 2 (swisscom root ev ca 2)
  • swisscom root ca 1
  • swisscom root ca 2
  • swisscom root ev ca 1
  • swisscom root ev ca 2
  • swisscom rubin ca 1 (swisscom root ca 1)
  • swisscom rubin ca 2 (swisscom root ca 2)
  • swisscom saphir ca 1 (swisscom root ca 1)
  • swisscom saphir ca 2 (swisscom root ca 2)
  • swisscom saphir suisseid ca 2 (swisscom root ca 2)
  • swisscom smaragd ca 1 (swisscom root ca 1)
  • swisscom smaragd ca 2 (swisscom root ca 2)
  • swisscom suisseid diamant ca 1 (swisscom root ca 1)>
  • swisscom suisseid saphir ca 1 (swisscom root ca 1)
  • swisscom tsa ca 1 (swisscom root ca 1)
  • swisscom tss ca 2 (swisscom root ca 2)
  • swisssign ca (rsa ik may 6 1999 18
  • swisssign gold ca - g2
  • swisssign platinum ca - g2
  • swisssign silver ca - g2
  • symantec class 3 extended validation code signing ca (verisign class 3 public primary certification aut- hority - g5)
  • t-telesec globalroot class 2
  • t-telesec globalroot class 3
  • tc trustcenter class 1 l1 ca ix (tc trustcenter univer- sal ca i,ou=tc trustcenter universal ca,o=tc trust- center gmbh,c=de)
  • tc trustcenter class 1 l1 ca v
  • tc trustcenter class 1 l1 ca vii
  • tc trustcenter class 2 ca ii
  • tc trustcenter class 2 l1 ca v
  • tc trustcenter class 2 l1 ca vii
  • tc trustcenter class 2 l1 ca xi (tc trustcenter class 2 ca ii,ou=tc trustcenter class 2 ca,o=tc trustcenter gmbh,c=de)
  • tc trustcenter class 2 l1 ca xii (tc trustcenter class 2 ca ii,ou=tc trustcenter class 2 ca,o=tc trustcenter gmbh,c=de)
  • tc trustcenter class 2-ii l1 ca iv (tc trustcenter class 2 ca ii,ou=tc trustcenter class 2 ca,o=tc trustcenter gmbh,c=de)
  • tc trustcenter class 2-ii l1 ca viii (tc trustcenter class 2 ca ii,ou=tc trustcenter class 2 ca,o=tc trust- center gmbh,c=de)
  • tc trustcenter class 3 ca ii
  • tc trustcenter class 3 l1 ca ix (tc trustcenter univer- sal ca i,ou=tc trustcenter universal ca,o=tc trust- center gmbh,c=de)
  • tc trustcenter class 3 l1 ca v
  • tc trustcenter class 3 l1 ca vii
  • tc trustcenter class 3 l1 ca xi (tc trustcenter class 3 ca ii,ou=tc trustcenter class 3 ca,o=tc trustcenter gmbh,c=de)
  • tc trustcenter class 3-ii l1 ca iv (tc trustcenter class 3 ca ii,ou=tc trustcenter class 3 ca,o=tc trustcenter gmbh,c=de)
  • tc trustcenter class 4 ca ii
  • tc trustcenter class 4 extended validation ca i (tc trustcenter universal ca iii,ou=tc trustcenter univer- sal ca,o=tc trustcenter gmbh,c=de)
  • tc trustcenter universal ca i
  • tc trustcenter universal ca ii
  • tc trustcenter universal ca iii
  • telesec serverpass ca 1 (baltimore cybertrust root)
  • Telia Root CA v2
  • thawte code signing ca - g2 (thawte primary root ca,ou=(c) 2006 thawte\)
  • thawte dv ssl ca (thawte primary root ca,ou=(c) 2006 thawte\)
  • thawte extended validation ssl ca (thawte primary root ca,ou=(c) 2006 thawte\)
  • thawte personal basic ca
  • thawte personal premium ca
  • thawte premium server ca
  • thawte primary root ca
  • thawte primary root ca (thawte premium server ca)
  • thawte primary root ca (thawte premium server ca,ou=certification services division,o=thawte con- sulting cc,l=cape town,st=western cape,c=za)
  • thawte primary root ca - g2
  • thawte primary root ca - g3
  • thawte server ca
  • thawte sgc ca
  • thawte sgc ca - g2 (verisign class 3 public primary certification authority - g5,ou=(c) 2006 verisign\)
  • thawte ssl ca (thawte primary root ca,ou=(c) 2006 thawte\)
  • thawte ssl domain ca (thawte server ca,ou=certification services division,o=thawte con- sulting cc,l=cape town,st=western cape,c=za)
  • thawte timestamping ca
  • thawte universal ca root
  • thawtepersonalbasicca
  • thawtepersonalpremiumca
  • thawtepremiumserverca
  • thawteserverca
  • TLS RSA Root CA 2022
  • trustis fps healthcare issuing authority chain2
  • trustis fps healthcare issuing authority
  • trustwave client authentication certification certification authority (xramp global certification authority)
  • trustwave code signing ca\(xramp global certification authority)
  • trustwave domain validation ca\ (securetrust ca)
  • trustwave organization validation ca\ (securetrust ca)
  • trustwave securetrust ca
  • trustwave xramp global certification authority
  • tsa01.quovadisglobal.com (quovadis root certifica- tion authority)
  • TWCA Root Certification Authority
  • ty (xramp global certification authority)
  • utn - datacorp sgc
  • utn - datacorp sgc (addtrust external ca root)
  • utn-userfirst-client authentication and email
  • utn-userfirst-client authentication and email (aaa certificate services,o=comodo ca limited,l=salford,st=greater manchester,c=gb)
  • utn-userfirst-client authentication and email (addtrust external ca root,ou=addtrust external ttp network,o=addtrust ab,c=se)
  • utn-userfirst-hardware
  • utn-userfirst-hardware (addtrust external ca root)
  • utn-userfirst-hardware (addtrust external ca root,ou=addtrust external ttp network,o=addtrust ab,c=se)
  • utn-userfirst-network applications
  • utn-userfirst-object
  • valicert-class1-policy-validation
  • valicert-class2-policy-validation
  • valicert-class3-policy-validation
  • valicert-rsa-public-root-ca
  • valicertclass2ca
  • verisign class 1 public primary certification authority - g2
  • verisign class 1 public primary certification authority - g3
  • verisign class 3 code signing 2004 ca
  • verisign class 3 code signing 2009-2 ca
  • verisign class 3 code signing 2010 ca (verisign class 3 public primary certification authority - g5,ou=(c) 2006 verisign\)
  • verisign class 3 extended validation ssl ca (verisign class 3 public primary certification authority - g5,ou=(c) 2006 verisign\)
  • verisign class 3 extended validation ssl sgc ca (verisign class 3 public primary certification authority - g5,ou=(c) 2006 verisign\)
  • verisign class 3 international server ca - g3 (verisign class 3 public primary certification authority - g5,ou=(c) 2006 verisign\)
  • verisign class 3 open financial exchange ca - g2
  • verisign class 3 public primary certification authority
  • verisign class 3 public primary certification authority - g4
  • verisign class 3 public primary certification authority - g5
  • verisign class 3 public primary certification authori- ty - g5 - non standard
  • verisign class 3 secure intranet server ca
  • verisign class 3 secure ofx ca - g3
  • verisign class 3 secure server ca - 29may08
  • verisign class 3 secure server ca - g2
  • verisign class 3 secure server ca - g3 (verisign class 3 public primary certification authority - g5,ou=(c) 2006 verisign\)
  • verisign class 4 public primary ca
  • verisign class 4 public primary certification authority - g2
  • verisign class 4 public primary certification authority - g3
  • verisign universal root certification authority
  • verisign-managedpki-premiumssl-intermediate
  • verisignclass1ca
  • verisignclass1g2ca
  • verisignclass1g3ca
  • verisignclass2ca
  • verisignclass2g2ca
  • verisignclass2g3ca
  • verisignclass3ca
  • verisignclass3g2ca
  • verisignclass3g3ca
  • verisigntrustnetwork-19may2018

For information on how to use these certificates for specific protocols, read the Email Encryption Guide.

Related to

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.