What type of certificate should I use for TLS?


This article applies to:

  • Trustwave MailMarshal (SEG)
  • Transport Layer Security (TLS) functionality

Question:

  • What type of certificate should I use for TLS?
  • Do I need a self-signed certificate or a CA-signed certificate for TLS?

Reply:

Use of CA-signed certificates is increasingly common.

To determine which type of TLS certificate you need, first be clear about why you are using TLS.

  • If the goal is only to encrypt messages coming into your environment (to prevent casual eavesdropping), then a self-signed certificate is adequate.
    • You can use the MailMarshal TLS Certificate Wizard to create a self-signed certificate. When creating a self-signed certificate, the identifying information you enter in the wizard is not critical (the values will not affect the encryption of messages). You may want to select a longer key length to enhance security. The Common Name should be the external DNS name of the server if possible.
  • If the goal is not only encryption but also public authentication or validation of the server, then you will need a certificate signed by a Certificate Authority (CA). You can use the MailMarshal TLS Certificate Wizard to create a certificate signing request to send to a certificate authority (such as Verisign).
    • For more advice on the values to enter when creating this request, please see Q14516 (What information do I enter in the TLS wizard when I am creating a certificate signing request to send to a certificate authority?)
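The two options above can be seen side by side with OpenSSL. The script below is an added example, not MailMarshal code or part of the original article: it creates a self-signed certificate (longer 4096-bit key, Common Name set to the server's external DNS name) and a certificate signing request of the kind you would send to a CA, then shows why the self-signed certificate gives you encryption but not public validation: the default trust store rejects it, and a peer only accepts it after explicitly importing it as a trust anchor. The hostname `mail.example.com` and the working directory are placeholders.

```shell
#!/bin/sh
# Added example (not MailMarshal or Trustwave code). Requires the openssl CLI.
set -e
WORK="$(mktemp -d)"            # scratch directory; files are left here for inspection
HOST="mail.example.com"        # placeholder for the gateway's external DNS name

# Option 1: a self-signed certificate. Adequate when the goal is encryption only.
# A longer key (4096 bits) is chosen, and the Common Name is the external DNS name.
make_self_signed() {
  openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 365 \
    -subj "/CN=$HOST" \
    -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.pem" 2>/dev/null
}

# Option 2: a certificate signing request (CSR). The private key stays on the
# server; only the CSR is sent to the CA, which returns a signed certificate.
# 2048 bits is used here purely as a placeholder key size.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$HOST" \
    -keyout "$WORK/request.key" -out "$WORK/request.csr" 2>/dev/null
}

# Public validation check: does the system's default CA store accept the cert?
# Prints "trusted" or "untrusted".
verify_against_default_store() {
  if openssl verify "$1" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# Explicit trust check: does the cert verify once the peer has imported it as a
# trust anchor (the only way a self-signed certificate is ever accepted)?
verify_with_pinned_anchor() {
  if openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

# Report the RSA key length embedded in a certificate, e.g. "4096".
key_bits() {
  openssl x509 -in "$1" -noout -text | grep -o '[0-9]* bit' | head -n 1 | cut -d' ' -f1
}

# Report the subject of the CSR in RFC 2253 form, e.g. "CN=mail.example.com".
csr_subject() {
  openssl req -in "$WORK/request.csr" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

make_self_signed
make_csr
echo "self-signed cert, default store : $(verify_against_default_store "$WORK/selfsigned.pem")"
echo "self-signed cert, pinned anchor : $(verify_with_pinned_anchor "$WORK/selfsigned.pem")"
echo "self-signed key length          : $(key_bits "$WORK/selfsigned.pem") bits"
echo "CSR subject sent to the CA      : $(csr_subject)"
```

The first verify fails with a "self-signed certificate" error because nothing in the public trust store vouches for the key; the second succeeds only because the peer has chosen to trust that exact certificate. That is the practical difference the article describes: a self-signed certificate still encrypts the session, but any sending server that wants to validate your identity must either pin your certificate or rely on a CA-signed one.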

Last Modified 3/1/2020.
https://support.trustwave.com/kb/KnowledgebaseArticle14515.aspx