search cancel

Certificate Authority used by the Email infrastructure


Article ID: 150745


Updated On:


Email Email


Please be aware that we're currently using two certificate chains, as we're eventually replacing DigiCert Global Root CA on all of our mail towers with DigiCert Global Root G2. However, this is taking place in a phased approach. 

For now, it is recommended that customers / business partners install the DigiCert Global Root G2 / DigiCert Global CA G2 pair, as well as DigiCert Global Root CA / DigiCert SHA2 Secure Server CA pair on their mail server's Trusted Root CA store or keystore file for SMG or DLP clients, this especially if they're enforcing TLS to our infrastructure to avoid delays or potential delivery issues.

If you are unable to install these certificates on your mail server, contact your mail server vendor.

Below is a table showing the current certificate chains used by ESS:

  New cert chain
Root Issuer: CN=DigiCert Global Root G2
Subject: CN=DigiCert Global Root G2
Intermediate Issuer: CN=DigiCert Global Root G2
Subject: CN=DigiCert Global CA G2


  Previous cert chain - still in use
Root Issuer: CN=DigiCert Global Root CA
Subject: CN=DigiCert Global Root CA
Intermediate Issuer: CN=DigiCert Global Root CA
Subject: CN=DigiCert SHA2 Secure Server CA


As part of the Broadcom Transition of the Symantec Enterprise Division, all renewals of root certificates on our mail towers will be under the 'Broadcom Inc' organization and under SHA-2 root.

What does this mean ?
This means that all renewed certificates on mail towers will eventually be signed by DigiCert Global Root G2 instead of DigiCert Global Root CA.

At present some of our mail towers already have the new certificate installed. During this temporary period however, specific mail towers within a cluster could have either root certificate. The changes to renew all certificates are taking place gradually in a phased approach. 

What is the Impact ?
In most cases, this will not cause any issues. However, some customers and business partners may have configured their mail server to only trust a specific root CA such as DigiCert Global Root CA.
These customers/business partners could face TLS email delivery failures with some Email Security.Cloud mail towers which have been updated to use the new DigiCert Global Root G2 cert.  


To download/verify these certificates, refer to DigiCert Trusted Root Authority Certificate.