How to manually add the ca.crt client certificate for Secure Email Proxy.
search cancel

How to manually add the ca.crt client certificate for Secure Email Proxy.


Article ID: 178564


Updated On:


Mobility Suite




1. Copy the CA cert to the /usr/local/nginx/certs/ as 'ca.crt'


2. Edit the Nginx configuration file by typing the following command in the Terminal:

vi /usr/local/nginx/conf/nginx.conf


3. Add the following two lines:

ssl_client_certificate /usr/local/nginx/certs/ca.crt;

ssl_verify_client optional;


These two lines should be input into the 'nginx.conf' file after the following lines:

server {

    listen        443;

    ssl on;



    ssl_certificate      /usr/local/nginx/certs/server.crt;

    ssl_certificate_key  /usr/local/nginx/certs/server.key;


And before these lines:

location / {

        root           /var/www/;


        fastcgi_param  SCRIPT_FILENAME /var/www/;

        fastcgi_param  VERIFIED $ssl_client_verify;

        fastcgi_param  DN $ssl_client_s_dn;

        include        fastcgi_params;




4. Type service nginx restart through the Terminal.


In order to collect the ca.crt file from a p12 formatted .pfx file, refer to for instructions on its extraction through the Terminal.

For instructions on setting up the Secure Email Proxy from start to finish, refer to

Ensure that selinux is not set to enforcing. It needs to be set to permissive or disabled for it to function properly. If the server.key and server.crt files do not make it down to the device and there are java errors that appear in the /usr/local/nginx/logs/controller.log file, then this is indicative of a proxy that has its selinux set to enforcing.

Additional Information


The following values are being included into this document for searchability:

NSURLErrorDomain error -1012

NSURL -1001

These are possible errors captured on the logs of a Mobile Device that could have mis-configured Secure Email Proxy.