SSL Certificate Chains

Summary

JEMHC runs on Java, which ships with a set of trusted root Certificate Authority (CA) certificates (the cacerts truststore).  If your mail server's certificate chains up to one of those roots, nothing more is needed.  Otherwise (a self-signed certificate, a private CA, or a public CA whose root is not in the Java truststore) the server's certificate chain must be extracted and made available to JEMHC before SSL connections can be established.  This page shows how an SSL server's trust chain can be extracted and uploaded to JEMHC.

In the following example, the ROOT CA signs the 3rd party CA certificate, which in turn uses an Intermediate CA certificate to sign server SSL certificates.  In order for JEMHC to validate your SSL certificate, it must have the entire chain of signers up to the ROOT CA.  The ROOT CA certificate is self-signed (its subject and issuer are the same), which is how you recognise the top of the chain.  Note that a server is not obliged to send its root: in the gmail output further down, the last certificate sent (GeoTrust Global CA) is itself issued by an Equifax root that does not appear in the output.

  • ROOT Certificate Authority (CA)        <---- First (required)
    • example 3rd party CA                 <---- Second (required)
      • example Intermediate CA            <---- Third (required)
        • Your SSL certificate             (the server's own certificate; not a signer, not uploaded)

Adding Custom SSL Certificates

The following shows how to get the certificate chain for a given SSL service.  There are two approaches: the first is automated from within JEMHC; if that runs into problems, a manual approach using the Linux command line is also given.  If you use Windows, ask your network administrator for the certificate chain.

Services

Service   Example Host             Example Port
POP       pop.gmail.com            995 (SSL)
IMAP      imap.gmail.com           993 (SSL)
SMTP      smtp.gmail.com           465 (SSL), 587 (TLS)
POP3      outlook.office365.com    995 (SSL)
IMAP4     outlook.office365.com    993 (SSL)
SMTP      smtp.office365.com       587 (TLS)
POP3      pop-mail.outlook.com     995 (SSL)
IMAP      imap-mail.outlook.com    993 (SSL)
SMTP      smtp-mail.outlook.com    25 or 587 (TLS)

"(SSL)" here means the connection is encrypted from the first byte (implicit TLS, i.e. POP3S/IMAPS/SMTPS); "(TLS)" means the connection starts in plaintext and is upgraded with STARTTLS.  Both present the same server certificate chain, but a client extracting the chain has to perform the STARTTLS upgrade first on the (TLS) ports (openssl s_client does this with -starttls smtp).

CA Chain extraction: The Easy Way

JEMHC can extract an SSL certificate's signing chain and store it for later use when validating the SSL connection.

Navigate to Messaging > Certificates : SSL Certificate Chains and select Create:

Give the CA chain a name (remember it may be used not only for POPS but also for IMAPS and SMTPS to the same provider), set a Test Host (e.g. pop.gmail.com) and the connection port, then click the Download Certificate button to retrieve the chain.

If connectivity is OK, the server's signing chain is added to the Certificate section, including key details of each cert:

Once a chain has content it can be re-tested as well as submitted, after which it is listed in the SSL Certificate Chains section.  The certificate detail can be seen through the expandable (1), and the connection can be retested (2).

Testing

Later, when selecting this SSL Chain, be aware that only the certs listed in the chain are used to validate the remote server's SSL certificate; the Java default CAs are not consulted.

Testing the configuration can raise the warning shown below, which means the downloaded chain contains a certificate that is already bundled with the default Java runtime.  Duplicating it is less efficient, but may be required when intermediate certs that are not in the Java truststore also have to be supplied.

CA Chain extraction: The Linux Cmdline way

Issue the following command in a Linux environment, where HOST and PORT are the mail server and port from the table above (for STARTTLS ports such as 587 add -starttls smtp, otherwise no TLS handshake takes place and no certificates are shown):

openssl s_client -host HOST -port PORT -prexit -showcerts

Output from that, for POP on pop.gmail.com port 995, will be:

andy@sol:~$ openssl s_client -host pop.gmail.com -port 995 -prexit -showcerts
CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
MIIEdDCCA1ygAwIBAgIIXR7n5U+zrhEwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMjEwMTExNDQ3WhcNMTUwMzEwMDAwMDAw
WjBnMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEWMBQGA1UEAwwNcG9w
LmdtYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALu3zgux
obLjIM0IZYlagFbgASXdal76z9voVOoL1CjJ2V5D8Q9NiDOx8VPeu0d7Wam7Z5V5
QWCLu7TQuUVYDj4R9uErvAvmymjsiBPGYHwafbPU9osiRZBJGkZqr8+xIHnJkMLG
m/NHCpoWvJsMdJnrxxENoez6SUgpXAXvOf9hver/O6al7D5vk466CRnK4/RkiuXO
xGxBiJCmdzWnT6sOypLl5l0l4GZ0+kOXLGInBBGoiX2qbJstadhotfnsvu4zfTjv
0KqfMREDKXpV3Vkop9A+ATasMobif+PtSH/XUv6qrbzUwYVGXj5XafylLqBnsbZ0
CSIge0aaG1GvzMUCAwEAAaOCAUAwggE8MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjAYBgNVHREEETAPgg1wb3AuZ21haWwuY29tMGgGCCsGAQUFBwEBBFww
WjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcyLmNydDAr
BggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5jb20vb2NzcDAdBgNV
HQ4EFgQUHFg39+53pndt1/Rm5xCdCGmX/a8wDAYDVR0TAQH/BAIwADAfBgNVHSME
GDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAXBgNVHSAEEDAOMAwGCisGAQQB1nkC
BQEwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcy
LmNybDANBgkqhkiG9w0BAQUFAAOCAQEAl3vdZqEMYhe3eFkpRqKpr61NFjbk6MSg
53GFVCz6J5T4vN71kllxYTLFrnwqxLeWjfYRwErT67cG9xSjSMJ1NDDw6LTWzYGW
P6+wLJZuBYGTG5zzSEI+HvRkIFzWq71ZLA1YT3RbG4oV1zbW75gFuJVQ3Z4/7Cc1
tmAuHvYID1HaOwaG3VJPQwwKTSJltf3NHE3UjreGviwBBYgiokg2X29u/D0ApVwI
z2OwnMxXw0didz/YBfLySOlZjVAvuOHGkrQd05fK2+74yMaKqdUkilHVS+h6bICn
3TUk0vxcwP0u2RcWT5w8cIZVHGidJ1vL3X7C1WY3J6ARrRnmUOHhyg==
-----END CERTIFICATE-----
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIID8DCCAtigAwIBAgIDAjp2MA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig
JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF
BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMBcGA1UdIAQQ
MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQUFAAOCAQEAJ4zP6cc7vsBv6JaE
+5xcXZDkd9uLMmCbZdiFJrW6nx7eZE4fxsggWwmfq6ngCTRFomUlNz1/Wm8gzPn6
8R2PEAwCOsTJAXaWvpv5Fdg50cUDR3a4iowx1mDV5I/b+jzG1Zgo+ByPF5E0y8tS
etH7OiDk4Yax2BgPvtaHZI3FCiVCUe+yOLjgHdDh/Ob0r0a678C/xbQF9ZR1DP6i
vgK66oZb+TWzZvXFjYWhGiN3GhkXVBNgnwvhtJwoKvmuAjRtJZOcgqgXe/GFsNMP
WOH7sf6coaPo/ck/9Ndx3L2MpBngISMjVROPpBYCCX65r+7bU2S9cS+5Oc4wt7S8
VOBHBw==
-----END CERTIFICATE-----
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority G2
---
No client certificate CA names sent
---
SSL handshake has read 3717 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 16F16D9C10DBA32813FDED35B3DFEE3FCB642FB102E7BB02EE58FD4C5EAD4BDC
    Session-ID-ctx:
    Master-Key: 839E3511AFF87A3DF0FA52FF89AF79D84DFFA0D4AD6C9135B5CDC917D95F6220B8252E57C5181D525B47A946166E2BD5
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 28 3a bc cf 0f 50 48 5c-ca ed 48 89 81 77 5d 69   (:...PH\..H..w]i
    0010 - df 94 01 fe a9 0a ba 04-63 98 a8 dc 97 83 27 fb   ........c.....'.
    0020 - cc 8e 7d c8 22 fd 6b ac-7d 38 3e 32 a2 21 14 a4   ..}.".k.}8>2.!..
    0030 - 35 02 56 54 da 35 dd a9-43 1f 6a 6b c1 f6 27 d6   5.VT.5..C.jk..'.
    0040 - 8c 48 9f b8 4f c3 53 21-1d 6a 93 06 aa 21 c1 07   .H..O.S!.j...!..
    0050 - b0 40 67 f2 df 6a f5 80-b5 37 91 1d 04 25 c1 2a   .@g..j...7...%.*
    0060 - 42 d4 d0 b6 46 67 fa 63-99 84 0e 5f b9 ff 82 02   B...Fg.c..._....
    0070 - 1a 2a f4 42 02 2a 3d 41-33 1c 02 60 74 16 48 6f   .*.B.*=A3..`t.Ho
    0080 - e4 95 9d da 34 49 dc ff-d6 fc f9 9a a8 ac c2 13   ....4I..........
    0090 - 50 61 33 4b 9a 0e f1 07-15 2e f8 c0 b3 82 72 5b   Pa3K..........r[
    00a0 - cf b8 cd b0                                       ....

    Start Time: 1419759419
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
+OK Gpop ready for requests

The certificate at position 0 above has the same CN as the host we are connecting to, in this case pop.gmail.com.  This is the site (server) certificate, not a signer, and it should not be uploaded:

Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
-----BEGIN CERTIFICATE-----
MIIEdDCCA1ygAwIBAgIIXR7n5U+zrhEwDQYJKoZIhvcNAQEFBQAwSTELMAkGA1UE
BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxJTAjBgNVBAMTHEdvb2dsZSBJbnRl
cm5ldCBBdXRob3JpdHkgRzIwHhcNMTQxMjEwMTExNDQ3WhcNMTUwMzEwMDAwMDAw
WjBnMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN
TW91bnRhaW4gVmlldzETMBEGA1UECgwKR29vZ2xlIEluYzEWMBQGA1UEAwwNcG9w
LmdtYWlsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALu3zgux
obLjIM0IZYlagFbgASXdal76z9voVOoL1CjJ2V5D8Q9NiDOx8VPeu0d7Wam7Z5V5
QWCLu7TQuUVYDj4R9uErvAvmymjsiBPGYHwafbPU9osiRZBJGkZqr8+xIHnJkMLG
m/NHCpoWvJsMdJnrxxENoez6SUgpXAXvOf9hver/O6al7D5vk466CRnK4/RkiuXO
xGxBiJCmdzWnT6sOypLl5l0l4GZ0+kOXLGInBBGoiX2qbJstadhotfnsvu4zfTjv
0KqfMREDKXpV3Vkop9A+ATasMobif+PtSH/XUv6qrbzUwYVGXj5XafylLqBnsbZ0
CSIge0aaG1GvzMUCAwEAAaOCAUAwggE8MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggr
BgEFBQcDAjAYBgNVHREEETAPgg1wb3AuZ21haWwuY29tMGgGCCsGAQUFBwEBBFww
WjArBggrBgEFBQcwAoYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcyLmNydDAr
BggrBgEFBQcwAYYfaHR0cDovL2NsaWVudHMxLmdvb2dsZS5jb20vb2NzcDAdBgNV
HQ4EFgQUHFg39+53pndt1/Rm5xCdCGmX/a8wDAYDVR0TAQH/BAIwADAfBgNVHSME
GDAWgBRK3QYWG7z2aLV29YG2u2IaulqBLzAXBgNVHSAEEDAOMAwGCisGAQQB1nkC
BQEwMAYDVR0fBCkwJzAloCOgIYYfaHR0cDovL3BraS5nb29nbGUuY29tL0dJQUcy
LmNybDANBgkqhkiG9w0BAQUFAAOCAQEAl3vdZqEMYhe3eFkpRqKpr61NFjbk6MSg
53GFVCz6J5T4vN71kllxYTLFrnwqxLeWjfYRwErT67cG9xSjSMJ1NDDw6LTWzYGW
P6+wLJZuBYGTG5zzSEI+HvRkIFzWq71ZLA1YT3RbG4oV1zbW75gFuJVQ3Z4/7Cc1
tmAuHvYID1HaOwaG3VJPQwwKTSJltf3NHE3UjreGviwBBYgiokg2X29u/D0ApVwI
z2OwnMxXw0didz/YBfLySOlZjVAvuOHGkrQd05fK2+74yMaKqdUkilHVS+h6bICn
3TUk0vxcwP0u2RcWT5w8cIZVHGidJ1vL3X7C1WY3J6ARrRnmUOHhyg==
-----END CERTIFICATE-----

The remaining entries are the signing chain that JEMHC needs in order to validate the site certificate.  Note that the issuer of entry 2 (the Equifax root) is not itself in the output: the server stops at GeoTrust Global CA.  A server is not obliged to send its root, so if validation still fails with only the certificates below, obtain the root certificate from the CA and add it to the chain as well:

 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIID8DCCAtigAwIBAgIDAjp2MA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTMwNDA1MTUxNTU1WhcNMTYxMjMxMjM1OTU5WjBJMQswCQYDVQQG
EwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzElMCMGA1UEAxMcR29vZ2xlIEludGVy
bmV0IEF1dGhvcml0eSBHMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AJwqBHdc2FCROgajguDYUEi8iT/xGXAaiEZ+4I/F8YnOIe5a/mENtzJEiaB0C1NP
VaTOgmKV7utZX8bhBYASxF6UP7xbSDj0U/ck5vuR6RXEz/RTDfRK/J9U3n2+oGtv
h8DQUB8oMANA2ghzUWx//zo8pzcGjr1LEQTrfSTe5vn8MXH7lNVg8y5Kr0LSy+rE
ahqyzFPdFUuLH8gZYR/Nnag+YyuENWllhMgZxUYi+FOVvuOAShDGKuy6lyARxzmZ
EASg8GF6lSWMTlJ14rbtCMoU/M4iarNOz0YDl5cDfsCx3nuvRTPPuj5xt970JSXC
DTWJnZ37DhF5iR43xa+OcmkCAwEAAaOB5zCB5DAfBgNVHSMEGDAWgBTAephojYn7
qwVkDBF9qn1luMrMTjAdBgNVHQ4EFgQUSt0GFhu89mi1dvWBtrtiGrpagS8wEgYD
VR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwNQYDVR0fBC4wLDAqoCig
JoYkaHR0cDovL2cuc3ltY2IuY29tL2NybHMvZ3RnbG9iYWwuY3JsMC4GCCsGAQUF
BwEBBCIwIDAeBggrBgEFBQcwAYYSaHR0cDovL2cuc3ltY2QuY29tMBcGA1UdIAQQ
MA4wDAYKKwYBBAHWeQIFATANBgkqhkiG9w0BAQUFAAOCAQEAJ4zP6cc7vsBv6JaE
+5xcXZDkd9uLMmCbZdiFJrW6nx7eZE4fxsggWwmfq6ngCTRFomUlNz1/Wm8gzPn6
8R2PEAwCOsTJAXaWvpv5Fdg50cUDR3a4iowx1mDV5I/b+jzG1Zgo+ByPF5E0y8tS
etH7OiDk4Yax2BgPvtaHZI3FCiVCUe+yOLjgHdDh/Ob0r0a678C/xbQF9ZR1DP6i
vgK66oZb+TWzZvXFjYWhGiN3GhkXVBNgnwvhtJwoKvmuAjRtJZOcgqgXe/GFsNMP
WOH7sf6coaPo/ck/9Ndx3L2MpBngISMjVROPpBYCCX65r+7bU2S9cS+5Oc4wt7S8
VOBHBw==
-----END CERTIFICATE-----
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
-----BEGIN CERTIFICATE-----
MIIDfTCCAuagAwIBAgIDErvmMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDIwNTIxMDQwMDAwWhcNMTgwODIxMDQwMDAw
WjBCMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UE
AxMSR2VvVHJ1c3QgR2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA2swYYzD99BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9m
OSm9BXiLnTjoBbdqfnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIu
T8rxh0PBFpVXLVDviS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6c
JmTM386DGXHKTubU1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmR
Cw7+OC7RHQWa9k0+bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5asz
PeE4uwc2hGKceeoWMPRfwCvocWvk+QIDAQABo4HwMIHtMB8GA1UdIwQYMBaAFEjm
aPkr0rKV10fYIyAQTzOYkJ/UMB0GA1UdDgQWBBTAephojYn7qwVkDBF9qn1luMrM
TjAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjA6BgNVHR8EMzAxMC+g
LaArhilodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9jcmxzL3NlY3VyZWNhLmNybDBO
BgNVHSAERzBFMEMGBFUdIAAwOzA5BggrBgEFBQcCARYtaHR0cHM6Ly93d3cuZ2Vv
dHJ1c3QuY29tL3Jlc291cmNlcy9yZXBvc2l0b3J5MA0GCSqGSIb3DQEBBQUAA4GB
AHbhEm5OSxYShjAGsoEIz/AIx8dxfmbuwu3UOx//8PDITtZDOLC5MH0Y0FWDomrL
NhGc6Ehmo21/uBPUR/6LWlxz/K7ZGzIZOKuXNBSqltLroxwUCEm2u+WR74M26x1W
b8ravHNjkOR/ez4iyz0H7V84dJzjA1BOoa+Y7mHyhD8S
-----END CERTIFICATE-----
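The manual steps above (find the numbered entries in the s_client output, drop entry 0, keep the rest, check that the chain actually reaches a root) can be scripted.  The following is an added example written for this page, not JEMHC code: it parses saved openssl s_client -showcerts output, separates the leaf from the signing CAs, checks that each issuer is the subject of the next entry, and reports whether the server sent a self-signed root or stopped at an intermediate, which is exactly the "unable to get local issuer certificate" situation in the gmail output.  The sample inputs are constructed: the gmail one reuses the subject/issuer names from the output above with stand-in PEM bodies, and the private-CA one uses hypothetical names (Example Corp, mail.example.internal).

```python
"""Split `openssl s_client -showcerts` output into chain entries and separate the
server (leaf) certificate from the signing CAs. Added example, not JEMHC code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

HEADER_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")  # " 0 s:/C=US/..."
ISSUER_RE = re.compile(r"^\s*i:(.*)$")          # "   i:/C=US/..."
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
FAKE_PEM = f"{BEGIN}\nMIIConstructedStandInNotARealCertificate==\n{END}"  # constructed


@dataclass
class ChainEntry:
    depth: int
    subject: str
    issuer: str = ""
    pem: str = ""


@dataclass
class ChainReport:
    entries: List[ChainEntry]
    root_included: bool = False              # did the server send a self-signed root?
    problems: List[str] = field(default_factory=list)

    @property
    def leaf(self) -> ChainEntry:            # position 0: the server's own certificate
        return self.entries[0]

    @property
    def signers(self) -> List[ChainEntry]:   # positions 1..n: the CAs that get uploaded
        return self.entries[1:]

    @property
    def signer_bundle(self) -> str:          # PEM text to upload; the leaf is excluded
        return "".join(e.pem + "\n" for e in self.signers)


def parse_chain(output: str) -> List[ChainEntry]:
    entries: List[ChainEntry] = []
    pem: Optional[List[str]] = None
    for raw in output.splitlines():
        line = raw.strip()
        head, iss = HEADER_RE.match(raw), ISSUER_RE.match(raw)
        if pem is not None:                  # inside a PEM block: collect until END
            pem.append(line)
            if line == END:
                entries[-1].pem, pem = "\n".join(pem), None
        elif head:
            entries.append(ChainEntry(int(head.group(1)), head.group(2).strip()))
        elif iss and entries and not entries[-1].issuer:
            entries[-1].issuer = iss.group(1).strip()
        elif line == BEGIN and entries and not entries[-1].pem:
            pem = [BEGIN]                    # only keep PEMs that follow a numbered header
    return entries


def analyse_chain(output: str) -> ChainReport:
    r = ChainReport(parse_chain(output))
    if not r.entries:
        r.problems.append("no certificate chain found in output")
        return r
    last = r.entries[-1]
    r.root_included = last.subject == last.issuer
    r.problems += [f"entry {e.depth}: no PEM block" for e in r.entries if not e.pem]
    # Each issuer must be the subject of the next entry; otherwise the chain has a gap.
    r.problems += [f"entry {a.depth} issuer is not entry {b.depth} subject"
                   for a, b in zip(r.entries, r.entries[1:]) if a.issuer != b.subject]
    if not r.root_included:
        r.problems.append(f"server did not send a self-signed root; obtain '{last.issuer}' separately")
    return r


# Constructed excerpt modelled on the pop.gmail.com:995 output above (names are the
# page's, PEM bodies are stand-ins). The last issuer is absent: verify error 20.
SAMPLE_GMAIL = f"""verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
{FAKE_PEM}
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
{FAKE_PEM}
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
{FAKE_PEM}
"""

# Constructed private-CA chain with hypothetical names; this server sends its root.
SAMPLE_PRIVATE_CA = f""" 0 s:/O=Example Corp/CN=mail.example.internal
   i:/O=Example Corp/CN=Example Root CA
{FAKE_PEM}
 1 s:/O=Example Corp/CN=Example Root CA
   i:/O=Example Corp/CN=Example Root CA
{FAKE_PEM}
"""
```

Save the real command output to a file and call analyse_chain(open('chain.txt').read()); the signer_bundle property is the text to upload.  When root_included is false, as it is for the gmail output above, the server stopped at an intermediate whose issuer was not sent, and if validation then fails the missing root has to be obtained from the CA and appended.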

Referencing an SSL Certificate Chain in Inbound/Outbound config

In Message Sources and Message Outbound configurations, a further parameter becomes available when SSL is enabled.  The SSL Certificate Validation field can have 3 values:

  • JAVA Default CA Chain: uses the CAs bundled with the Java runtime (the cacerts file, around 87 at last count).  These are sufficient for most 'global' services, e.g. gmail.

  • User Supplied CA Chain: selects one of the previously created CA chains.  When a chain is selected, only the CAs it contains are used to validate the server; the Java default CA list is not consulted.

  • Trust All Certificates: for diagnosis only.  Trusting all remote SSL certificates removes authentication of the mail server entirely, so anyone on the network path can present their own certificate, impersonate the server (a man-in-the-middle attack) and read the credentials and mail that pass between JEMHC and your mail server.  Use it only to confirm that a failure is a certificate problem rather than a connectivity one, and switch back to a validated chain before the connection is used for real.

After selecting the User Supplied CA Chain option, a further selector becomes available for the SSL Certificate Chain:

Once the CA chain has been selected (1), the connection can be tested (2), resulting in some brief information on the waiting messages.