Requesting and installing a signed certificate for TLS

This article applies to:

  • Trustwave MailMarshal (SEG)


  • How do I create a a certificate signing request for MailMarshal TLS?
  • How do I install a signed certificate returned from a Certificate Authority for MailMarshal TLS?


This article provides an overview of the steps required to use a CA certificate with MailMarshal TLS (Transport Layer Security).

  • Before working with certificates, always ensure that you have a valid backup of any existing certificate and/or private key.
    • MailMarshal does not back up certificates automatically. If you install a new certificate, the old certificate is permanently deleted.
    • Trustwave recommends that you keep copies of certificates separate from the servers, ideally off-site.
  • For important information about differences between MailMarshal versions, see the Notes at the end of this article.

To access MailMarshal TLS certificate management:

  1. Open the Inbound Security (TLS) item or tab for a server:
    • In the Configurator expand Server and Array Properties. Select a processing node server from the list, and click Server Properties. 
    • In the MailMarshal (SEG) 10.X Management Console, select Mail Servers and edit a server entry in the list.
  2. Select the Inbound Security (TLS) item or tab.

To create a Certificate Signing Request:

  1. From the Inbound Security (TLS) window, run the TLS Certificate Wizard.
  2. Choose to create a Certificate Signing Request.
  3. Enter the required information and complete the wizard. Copy the CSR or save it to a file, and include this information when you request a certificate from a Certificate Authority.
  4. MailMarshal also creates a private key file, and saves this file in the \NodeConfig folder within the MailMarshal installation on the processing node server.

To import a certificate that you received from the Certificate Authority:

    • If you have more than one processing server, ensure that you use the same server where you generated the CSR.
    • If the Certificate Authority uses a certificate chain (Intermediate Certificates) and you want connecting servers to be able to validate the certificate, you will need to perform additional steps. See Trustwave Knowledgebase article Q14063.
  1. From the Inbound Security (TLS) window, run the TLS Certificate Wizard.
  2. Choose to import a signed certificate.
  3. To import the certificate, browse to the certificate file.
    • You may need to select a different file extension or "all files" to select the file.
  4. You should not need to enter a private key filename. MailMarshal will use the private key file saved when you generated the request.
  5. Complete the wizard to import the certificate.

To use the same certificate on more than one processing node server:

  1. Request and import a certificate using one processing server.
  2. After importing the certificate, use the TLS Certificate Wizard to make a backup of the certificate and private key.
  3. On the other processing server(s), use the TLS Certificate Wizard to import the certificate from the backup.
    • Note:  If the certificate file includes Intermediate Certificates, do not use the wizards. Instead, copy the .pem files. See Trustwave Knowledgebase article Q14063.


  • In current releases of MailMarshal, the private key for a pending CSR is stored in a file named csrprivkey.pem and the CSR can be generated without overwriting an existing key. However, only one CSR can be pending on each server.
  • Warning: In MailMarshal 6.4 and below, if you create a CSR, any existing private key is overwritten and permanently lost.
    • If you need to use a previous certificate after creating a CSR, restore it from your backup copy.
  • All files are stored on the email processing server(s) in the \NodeConfig folder. (In a single server installation, this folder is still present within the installation.)
  • The certificate is stored in a file named cacert.pem
  • The private key is stored in a file named privkey.pem


Last Modified 3/1/2020.