Required TLS certificates and keys

For the Email Gateway to be able to use TLS, you need to obtain the items in the following table, and then import them.

Security type	Required item
Encryption	CA signing certificate
	TLS server private key and certificate signed by Certificate Authority (CA)
	TLS client private key and certificate signed by Certificate Authority (CA)
Validation	Partner CA signing certificates

Certificates and keys must be in PEM format.

PEM-format files can have a variety of extensions (.pem, .key, .cer, .csr, and so on). Be aware that the listed extensions can also be binary, which is not supported.
The signed certificate for TLS server communication should be configured for server identification usage. The signed certificate for TLS client communication should also be configured for client identification usage. The same signed certificate may be used for both TLS client and TLS server communication if it is configured for both client validation and server validation.
To validate the certificates of the TLS clients and servers you communicate with, their CA signing certificates must be in the certificate store.

The certificate store already contains the certificates for many commercial CAs, and you can import additional certificates into the store if you need.
To help you test TLS communication between the Email Gateway and a test email server, the Email Gateway comes with a trial private key, signed certificate, and CA signing certificate already installed.
If you do not want to purchase a digital certificate from a third-party CA, or if you want to use digitally signing immediately, you can create your own self-signed TLS certificate.