This article applies to:

• Trustwave MailMarshal (SEG)
• TLS Inbound Security functionality 

Question:

• How do I use Intermediate Certificates with MailMarshal TLS?
• How do I use certificate chains with MailMarshal TLS?

Procedure:

Although the SEG/MailMarshal user interfaces do not currently provide a way to import certificate chains, it is possible to use chained certificates issued by a Certificate Authority in SEG if required.

These instructions apply to current supported versions of SEG.

1. Using the TLS Certificate Wizard in the MailMarshal Configurator or Management Console, generate a certificate signing request to send to a Certificate Authority (such as Trustwave, Thawte or Verisign). This CSR uses the private key generated and stored in the file privkey.pem on the MailMarshal node server.
   • Note: If you have more than one processing node and/or more than one email domain, you should ensure that all required DNS names are included in the certificate.
     • SEG 7.0 and above supports Subject Alternative Name (SAN) entries. See Knowledge Base article Q14516.
2. You will receive a certificate from the CA. This will typically be a server certificate (not including any intermediate certificate or root CA certificate).
3. Import the certificate to MailMarshal via the Configurator or MailMarshal (SEG) 10 Management Interface. This certificate will be written to the file cacert.pem on the specific email processing node.

At this point, TLS will function with a subset of other Mail Transport Agents (MTAs) that do not require intermediate certificates (such as another MailMarshal server).

• Note: If you have more than one processing node, you must import a certificate to each node using the above method. This may be the same certificate or a different certificate as noted in Knowledge Base article Q14516. If you are importing the same certificate to additional nodes, you may also need to import the private key file (privkey.pem).

To use TLS with other MTAs that do require intermediate certificates, complete the following additional steps:

4. Back up cacert.pem and privkey.pem
5. Retrieve the necessary certificates to complete the chain. The procedures and required certificates will vary, but generally this includes the intermediate CA certificate responsible for signing the server certificate. Additional intermediate certificates could be required.
   • The CA root certificate should not be included in most cases (assuming the CA root is included in client repositories such as the Windows certificate store).
   • For assistance, ask the CA. 
6. If necessary, export the intermediate CA certificates to DER encoded base64 using OpenSSL or another tool.
7. Copy cacert.pem to a convenient temporary location.
8. Open the temporary copy in a text editor.
9. Paste in the root CA certificate and intermediate certificates (text from the DER files) in reverse order, for example:
   • Server cert
   • Intermediate cert 1 (that signed the server cert)
   • Intermediate cert 2 (that signed intermediate cert 1) if any
   Note: The chain might include more than one intermediate certificate. OpenSSL refers to these as the "Local Issuer" and one or more "Issuer" certificates.
10. Save the file to the temporary location (NOT in the SEG or MailMarshal folder).
11. Verify the validity of the certificate chain in the temporary file. This allows you to be sure that you have added all needed certificates in the correct order.
    • You can use the OpenSSL verify function. The syntax is openssl verify -CAfile cacert.pem cacert.pem (note the name of the certificate file is entered twice).
12. Once you have verified the certificate file contains all needed certificates for a valid chain, copy the file into the SEG or MailMarshal folder (on each node, overwriting the existing cacert.pem)

At this point, MailMarshal will load the certificate chain when establishing TLS negotiations in the Receiver.

You can validate the certificate chain using free web based SSL test services provided by third parties.

Notes:

• You cannot use the SEG user interfaces to import a cacert.pem file that contains a chain of certificates. To use certificate chains, you must copy or edit the file directly on each node.

• To obtain OpenSSL, see OpenSSL Light for Windows. You might also require the Visual C++ redistributables as linked from the OpenSSL download page.

• Each time you generate a certificate or import a CA certificate from the MailMarshal Configurator or MailMarshal (SEG) 10 Management Interface, the private key (privkey.pem) can be overwritten. This will cause previously generated certificates to stop working. Always back up privkey.pem and cacert.pem before performing any other certificate tasks.