SSL Certificate Chains
Summary
JEMHC runs on Java, which ships with a set of root Certificate Authority (CA) certificates. If you are lucky enough to have an SSL certificate issued by one of those root CAs, you're done; otherwise, a self-signed or third-party certificate chain needs to be extracted and made available to JEMHC before SSL connections can be established. This page shows how an SSL server's trust chain can be extracted and uploaded to JEMHC.
In the following example, the ROOT CA signs the third-party CA certificate, which in turn uses an Intermediate CA certificate to sign user SSL certificates. In order for JEMHC to validate your SSL certificate, it must have the entire chain up to the ROOT CA. In some cases, the root CA is signed by itself (self-signed).
```text
ROOT Certificate Authority (CA)   <---------------------------- First (required)
  example 3rd party CA            <---------------------------- Second (required)
    example Intermediate CA       <---------------------------- Third (required)
      Your SSL certificate
```
Adding Custom SSL Certificates
The following shows how to get the certificate chain for a given SSL service. There are two approaches: the first is automated; if there are problems, a manual approach (Linux oriented) is also given. If you use Windows, ask your network administrator for the certificate chain.
Services
Windows Live (e.g. @outlook.com) - http://windows.microsoft.com/en-GB/windows/outlook/send-receive-from-app

Service | Example Host | Example Port
---|---|---
POP | | 995 (SSL)
IMAP | | 993 (SSL)
SMTP | | 465 (SSL), 587 (TLS)
POP3 | | 995 (SSL)
IMAP4 | | 993 (SSL)
SMTP | | 587 (TLS)
POP3 | | 995 (SSL)
IMAP | | 993 (SSL)
SMTP | | 25 or 587 (TLS)
CA Chain extraction: The Easy Way
JEMHC can extract an SSL certificate's signing chain and store it in JEMHC for later use when validating the SSL connection.
Navigate to Messaging > Certificates : SSL Certificate Chains and select Create:
Give the CA Chain a name (remember it may not be usable just for POPS, but could also be used for IMAPS and SMTPS), set a Test Host (e.g. pop.gmail.com) and the connection port, then click the Download Certificate button to get the chain.
If connectivity is OK, the server's signing chain will be added to the Certificate section, including key details of each cert:
Once a chain has content, it can be re-tested as well as submitted, after which it will be listed in the SSL Certificate Chains section. The certificate detail can be seen through the expandable (1), and the connection can also be retested (2).
Testing
Later, when selecting this SSL Chain, be aware that only the certs listed in the chain will be used to validate a remote server's SSL certificate.
Testing the configuration can throw up a warning, shown below, which means the CA chain contains a certificate that is already bundled with the default JAVA runtime. Duplicating it is less efficient, but may be required when there are intermediate certs.
CA Chain extraction: The Linux Cmdline way
Issue the following command in a Linux environment, substituting the mail server's host name and SSL port:

```shell
openssl s_client -host HOST -port PORT -prexit -showcerts
```

Output from that will look like the following (here for pop.gmail.com on the POP SSL port):
```text
andy@sol:~$ openssl s_client -host pop.gmail.com -port 995 -prexit -showcerts
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIID8DCCAtigAwIBAgIDAjp2MA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig
JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF
BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMBcGA1UdIAQQ
MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQUFAAOCAQEAJ4zP6cc7vsBv6JaE
+5xcXZDkd9uLMmCbZdiFJrW6nx7eZE4fxsggWwmfq6ngCTRFomUlNz1/Wm8gzPn6
8R2PEAwCOsTJAXaWvpv5Fdg50cUDR3a4iowx1mDV5I/b+jzG1Zgo+ByPF5E0y8tS
etH7OiDk4Yax2BgPvtaHZI3FCiVCUe+yOLjgHdDh/Ob0r0a678C/xbQF9ZR1DP6i
vgK66oZb+TWzZvXFjYWhGiN3GhkXVBNgnwvhtJwoKvmuAjRtJZOcgqgXe/GFsNMP
WOH7sf6coaPo/ck/9Ndx3L2MpBngISMjVROPpBYCCX65r+7bU2S9cS+5Oc4wt7S8
VOBHBw==
-----END CERTIFICATE-----
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3717 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 16F16D9C10DBA32813FDED35B3DFEE3FCB642FB102E7BB02EE58FD4C5EAD4BDC
    Session-ID-ctx:
    Master-Key: 839E3511AFF87A3DF0FA52FF89AF79D84DFFA0D4AD6C9135B5CDC917D95F6220B8252E57C5181D525B47A946166E2BD5
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 28 3a bc cf 0f 50 48 5c-ca ed 48 89 81 77 5d 69   (:...PH\..H..w]i
    0010 - df 94 01 fe a9 0a ba 04-63 98 a8 dc 97 83 27 fb   ........c.....'.
    0020 - cc 8e 7d c8 22 fd 6b ac-7d 38 3e 32 a2 21 14 a4   ..}.".k.}8>2.!..
    0030 - 35 02 56 54 da 35 dd a9-43 1f 6a 6b c1 f6 27 d6   5.VT.5..C.jk..'.
    0040 - 8c 48 9f b8 4f c3 53 21-1d 6a 93 06 aa 21 c1 07   .H..O.S!.j...!..
    0050 - b0 40 67 f2 df 6a f5 80-b5 37 91 1d 04 25 c1 2a   .@g..j...7...%.*
    0060 - 42 d4 d0 b6 46 67 fa 63-99 84 0e 5f b9 ff 82 02   B...Fg.c..._....
    0070 - 1a 2a f4 42 02 2a 3d 41-33 1c 02 60 74 16 48 6f   .*.B.*=A3..`t.Ho
    0080 - e4 95 9d da 34 49 dc ff-d6 fc f9 9a a8 ac c2 13   ....4I..........
    0090 - 50 61 33 4b 9a 0e f1 07-15 2e f8 c0 b3 82 72 5b   Pa3K..........r[
    00a0 - cf b8 cd b0                                       ....

    Start Time: 1419759419
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
+OK Gpop ready for requests
```
The certificate at position 0 above has the same CN as the host we are connecting to, in this case pop.gmail.com. This is the site certificate, not a signer; it should not be uploaded.

```text
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
```
The remaining chain that JEMHC therefore needs in order to validate the site SSL certificate is:

```text
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
```
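Picking the signer certificates out of the `-showcerts` output by hand is error prone, and it is easy to upload the site certificate by mistake or to miss that the server never sent the root. The following shell script is an added example (not part of the JEMHC documentation or product): it splits `openssl s_client ... -showcerts` output into the signer certificates only (chain index 1 and up), and checks whether the last certificate sent is self-signed, i.e. whether the chain actually reaches a root. The sample inputs are constructed in the shape of the output above, with placeholder PEM bodies rather than real certificates; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not JEMHC's own code): post-process the output of
#   openssl s_client -host HOST -port PORT -prexit -showcerts
# keeping only the signer certificates (chain index 1 and up) and
# checking whether the chain the server sent reaches a self-signed root.

# Constructed sample in the shape of -showcerts output. The PEM bodies are
# placeholders, not real certificates; only the structure matters here.
SAMPLE_FULL='CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example/CN=pop.example.com
   i:/C=US/O=Example CA/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER
-----END CERTIFICATE-----
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATE-PLACEHOLDER
-----END CERTIFICATE-----
 2 s:/C=US/O=Example CA/CN=Example Root CA
   i:/C=US/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
ROOT-PLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/O=Example/CN=pop.example.com
issuer=/C=US/O=Example CA/CN=Example Intermediate CA
---'

# Same shape, but the server only sends leaf + intermediate and stops
# short of a self-signed root (constructed).
SAMPLE_NO_ROOT='Certificate chain
 0 s:/C=US/O=Example/CN=pop.example.com
   i:/C=US/O=Example CA/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER
-----END CERTIFICATE-----
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATE-PLACEHOLDER
-----END CERTIFICATE-----
---'

# signer_chain: read s_client output on stdin and print, as PEM, only the
# certificates whose chain index is 1 or higher. Index 0 is the site
# certificate, which must not be uploaded as a signer.
signer_chain() {
    awk '
        /^ *[0-9]+ s:/             { idx = $1 + 0 }   # chain index line
        /^-----BEGIN CERTIFICATE/  { inpem = 1 }
        inpem && idx >= 1          { print }
        /^-----END CERTIFICATE/    { inpem = 0 }
    '
}

# pem_count: number of PEM certificates in the stream on stdin.
pem_count() {
    grep -c '^-----BEGIN CERTIFICATE-----'
}

# chain_reaches_root: exit 0 if the last certificate the server sent is
# self-signed (subject equals issuer), i.e. the chain is complete up to the
# root; exit 1 if it stops short (the root must then be obtained from the
# CA separately); exit 2 if no certificate chain was found at all.
chain_reaches_root() {
    awk '
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0; seen = 1 }
        /^ *i:/        { sub(/^ *i:/, ""); iss = $0 }
        END {
            if (!seen) exit 2
            exit (subj == iss) ? 0 : 1
        }
    '
}

# Typical use against a live server (not run here):
#   openssl s_client -host pop.example.com -port 995 -prexit -showcerts \
#       </dev/null 2>/dev/null | tee /tmp/showcerts.txt | signer_chain > jemhc-chain.pem
#   chain_reaches_root < /tmp/showcerts.txt || echo "server did not send a self-signed root"
```

Run against the gmail output shown on this page, `chain_reaches_root` would exit 1: the last certificate sent (GeoTrust Global CA) is issued by Equifax, not by itself, which is consistent with the `Verify return code: 20 (unable to get local issuer certificate)` that openssl reported. Before uploading, any signer that is already bundled with the Java runtime can be identified by listing the default trust store with `keytool -list -cacerts` (Java 9 and later); as the Testing section notes, duplicating such a certificate in a user supplied chain works but is less efficient.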
Referencing an SSL Certificate Chain in Inbound/Outbound config
In Message Sources and Message Outbound configurations, a new parameter can be set when SSL is enabled. The SSL Certificate Validation field can have 3 values:
- JAVA Default CA Chain: this lists, at last count, around 87 CAs that are included in the JAVA runtime (cacerts) file; these are sufficient for most 'global' services, e.g. gmail.
- User Supplied CA Chain: this selects one of the previously created CA chains. When a given chain is selected, only the CAs therein are used (the global CA list is not included).
- Trust All Certificates: this is for diagnosis only. Trusting ALL remote SSL certificates opens up the possibility (unlikely but possible!) of a man-in-the-middle attack exposing your traffic between JEMHC and your mail server.
After selecting the User Supplied CA Chain option, a further select is then available for the SSL Certificate Chain:
Once the CA chain has been selected (1), the connection can be tested (2), resulting in some brief information on waiting messages.