Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

HOWTO: Requesting and installing a signed certificate for TLS

Expand / Collapse

This article applies to:

  • Trustwave MailMarshal (SEG)


  • How do I create a a certificate signing request for MailMarshal TLS?
  • How do I install a signed certificate returned from a Certificate Authority for MailMarshal TLS?


This article provides an overview of the steps required to use a CA certificate with MailMarshal TLS (Transport Layer Security).

  • Before working with certificates, always ensure that you have a valid backup of any existing certificate and/or private key.
    • MailMarshal does not back up certificates automatically. If you install a new certificate, the old certificate is permanently deleted.
    • Trustwave recommends that you keep copies of certificates separate from the servers, ideally off-site.
  • For important information about differences between MailMarshal versions, see the Notes at the end of this article.

To access MailMarshal TLS certificate management:

  1. Open the Inbound Security (TLS) item or tab for a server:
    • In the Configurator expand Server and Array Properties. Select a processing node server from the list, and click Server Properties. 
    • In the MailMarshal (SEG) 10.X Management Console, select Mail Servers and edit a server entry in the list.
  2. Select the Inbound Security (TLS) item or tab.

To create a Certificate Signing Request:

  1. From the Inbound Security (TLS) window, run the TLS Certificate Wizard.
  2. Choose to create a Certificate Signing Request.
  3. Enter the required information and complete the wizard. Copy the CSR or save it to a file, and include this information when you request a certificate from a Certificate Authority.
  4. MailMarshal also creates a private key file, and saves this file in the \NodeConfig folder within the MailMarshal installation on the processing node server.

To import a certificate that you received from the Certificate Authority:

    • If you have more than one processing server, ensure that you use the same server where you generated the CSR.
    • If the Certificate Authority uses a certificate chain (Intermediate Certificates) and you want connecting servers to be able to validate the certificate, you will need to perform additional steps. See Trustwave Knowledgebase article Q14063.
  1. From the Inbound Security (TLS) window, run the TLS Certificate Wizard.
  2. Choose to import a signed certificate.
  3. To import the certificate, browse to the certificate file.
    • You may need to select a different file extension or "all files" to select the file.
  4. You should not need to enter a private key filename. MailMarshal will use the private key file saved when you generated the request.
  5. Complete the wizard to import the certificate.

To use the same certificate on more than one processing node server:

  1. Request and import a certificate using one processing server.
  2. After importing the certificate, use the TLS Certificate Wizard to make a backup of the certificate and private key.
  3. On the other processing server(s), use the TLS Certificate Wizard to import the certificate from the backup.
    • Note:  If the certificate file includes Intermediate Certificates, do not use the wizards. Instead, copy the .pem files. See Trustwave Knowledgebase article Q14063.


  • In current releases of MailMarshal, the private key for a pending CSR is stored in a file named csrprivkey.pem and the CSR can be generated without overwriting an existing key. However, only one CSR can be pending on each server.
  • Warning: In MailMarshal 6.4 and below, if you create a CSR, any existing private key is overwritten and permanently lost.
    • If you need to use a previous certificate after creating a CSR, restore it from your backup copy.
  • All files are stored on the email processing server(s) in the \NodeConfig folder. (In a single server installation, this folder is still present within the installation.)
  • The certificate is stored in a file named cacert.pem
  • The private key is stored in a file named privkey.pem


To contact Trustwave about this article or to request support:

Rate this Article:

Related Articles

Add Your Comments

Comment submission is disabled for anonymous users.
Please send feedback to Trustwave Technical Support or the Webmaster