Certificates secure and authenticate communications between client and server IP addresses or domains. You can generate a self-signed certificate or import a signed certificate that a Certificate Authority (CA) issues.
Note the differences between the types of certificates:
A self-signed certificate has not been signed by a certificate authority.
A root certificate authority certificate (root CA certificate) is the certificate identifying a specific certificate authority.
An intermediate certificate authority certificate (intermediate CA certificate) identifies an additional party with responsibility for a certificate, and may be required to provide a complete validation chain for the certificate signature.
A certificate authority-signed certificate has been signed by a certificate authority. In order to ensure that a certificate authority-signed certificate is accepted as valid, make sure that the CA certificate for the certificate authority that signed the certificate appears in the CA Certificates list on the Certificate Authority tab of the Certificate Settings page.
For successful HTTPS authentication using a CA certificate, there must be a complete "path" or "chain" from the client certificate to a CA certificate. Additionally, both participants in the negotiation must recognize the signing authority. Symantec Messaging Gateway includes pre-installed root CA certificates for the most common Certificate Authority vendors. The Certificate Authority tab on the Certificate Settings page lists the pre-installed root CA certificates. You can add additional root or intermediate CA certificates. Some certificate issuers require and provide an intermediate CA certificate for the certificates that they issue for additional security.
For SMTP/TLS authentication using a CA certificate, Symantec Messaging Gateway allows you to use a certificate even if there is not a complete path or chain from the client certificate to a CA certificate.
Symantec Messaging Gateway supports the following uses of certificates:
MTA TLS certificate
The inbound, outbound, and authentication mail processes in each Scanner use the TLS certificate that is assigned to them to accept messages for scanning and to send TLS-encrypted messages.
When you purchase or generate a certificate, you may be able to specify whether you intend to use it for SMTP/TLS or HTTPS. A certificate authority may require you to import an intermediate CA certificate in addition to the certificate itself. Make sure that you install both the certificate and any intermediate certificate that you receive from the certificate authority.
You can add CA-signed certificates to the list of available certificates in one of the following ways:
Generate a self-signed certificate by completing the Add Certificate page. The self-signed certificate is immediately available as an HTTPS certificate for the Control Center and for Scanner MTAs for accepting TLS encryption.
Add a certificate authority-signed certificate by submitting a certificate signing request that you generated on the Add Certificate page to a certificate authority. When you receive the certificate back from the certificate authority, save it locally and import it to the Control Center to add it to the list of available certificates.
Import a certificate authority-signed certificate that you previously exported from a Symantec Messaging Gateway appliance.
Update an existing certificate authority-signed certificate with a new certificate that differs only in dates of validity.
Add a certificate authority-signed certificate without generating a certificate signing request in the Control Center. You must first modify the certificate. The certificate must be in PEM format.