Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

HOWTO: How do I use Intermediate Certificates with MailMarshal TLS?

Expand / Collapse

This article applies to:

  • Trustwave MailMarshal (SEG)
  • TLS Inbound Security functionality 


  • How do I use Intermediate Certificates with MailMarshal TLS?
  • How do I use certificate chains with MailMarshal TLS?


Although the SEG/MailMarshal user interfaces do not currently provide a way to import certificate chains, it is possible to use chained certificates issued by a Certificate Authority in SEG if required.

These instructions apply to current supported versions of SEG.

  1. Using the TLS Certificate Wizard in the MailMarshal Configurator or Management Console, generate a certificate signing request to send to a Certificate Authority (such as Trustwave, Thawte or Verisign). This CSR uses the private key generated and stored in the file privkey.pem on the MailMarshal node server.
    • Note: If you have more than one processing node and/or more than one email domain, you should ensure that all required DNS names are included in the certificate.
      • SEG 7.0 and above supports Subject Alternative Name (SAN) entries. See Knowledge Base article Q14516.
  2. You will receive a certificate from the CA. This will typically be a server certificate (not including any intermediate certificate or root CA certificate).
  3. Import the certificate to MailMarshal via the Configurator or MailMarshal (SEG) 10 Management Interface. This certificate will be written to the file cacert.pem on the specific email processing node.

At this point, TLS will function with a subset of other Mail Transport Agents (MTAs) that do not require intermediate certificates (such as another MailMarshal server).

  • Note: If you have more than one processing node, you must import a certificate to each node using the above method. This may be the same certificate or a different certificate as noted in Knowledge Base article Q14516. If you are importing the same certificate to additional nodes, you may also need to import the private key file (privkey.pem).

To use TLS with other MTAs that do require intermediate certificates, complete the following additional steps:

  1. Back up cacert.pem and privkey.pem
  2. Retrieve the necessary certificates to complete the chain. The procedures and required certificates will vary, but generally this includes the intermediate CA certificate responsible for signing the server certificate. Additional intermediate certificates could be required.
    • The CA root certificate should not be included in most cases (assuming the CA root is included in client repositories such as the Windows certificate store).
    • For assistance, ask the CA. 
  3. If necessary, export the intermediate CA certificates to DER encoded base64 using OpenSSL or another tool.
  4. Copy cacert.pem to a convenient temporary location.
  5. Open the temporary copy in a text editor.
  6. Paste in the root CA certificate and intermediate certificates (text from the DER files) in reverse order, for example:
    • Server cert
    • Intermediate cert 1 (that signed the server cert)
    • Intermediate cert 2 (that signed intermediate cert 1) if any
    Note: The chain might include more than one intermediate certificate. OpenSSL refers to these as the "Local Issuer" and one or more "Issuer" certificates.
  7. Save the file to the temporary location (NOT in the SEG or MailMarshal folder).
  8. Verify the validity of the certificate chain in the temporary file. This allows you to be sure that you have added all needed certificates in the correct order.
    • You can use the OpenSSL verify function. The syntax is openssl verify -CAfile cacert.pem cacert.pem (note the name of the certificate file is entered twice).
  9. Once you have verified the certificate file contains all needed certificates for a valid chain, copy the file into the SEG or MailMarshal folder (on each node, overwriting the existing cacert.pem)

At this point, MailMarshal will load the certificate chain when establishing TLS negotiations in the Receiver.

You can validate the certificate chain using free web based SSL test services provided by third parties.


  • You cannot use the SEG user interfaces to import a cacert.pem file that contains a chain of certificates. To use certificate chains, you must copy or edit the file directly on each node.

  • To obtain OpenSSL, see OpenSSL Light for Windows. You might also require the Visual C++ redistributables as linked from the OpenSSL download page.

  • Each time you generate a certificate or import a CA certificate from the MailMarshal Configurator or MailMarshal (SEG) 10 Management Interface, the private key (privkey.pem) can be overwritten. This will cause previously generated certificates to stop working. Always back up privkey.pem and cacert.pem before performing any other certificate tasks.

To contact Trustwave about this article or to request support:

Rate this Article:

Related Articles

Add Your Comments

Comment submission is disabled for anonymous users.
Please send feedback to Trustwave Technical Support or the Webmaster