Certificate Authority used by the Email Security.cloud infrastructure
Article ID: 150745
Updated On:
Products
Issue/Introduction
Please be aware that we're currently using two certificate chains, as we're eventually replacing DigiCert Global Root CA on all of our mail towers with DigiCert Global Root G2. However, this is taking place in a phased approach.
For now, it is recommended that customers / business partners install the DigiCert Global Root G2 / DigiCert Global CA G2 pair, as well as DigiCert Global Root CA / DigiCert SHA2 Secure Server CA pair on their mail server's Trusted Root CA store or keystore file for SMG or DLP clients, this especially if they're enforcing TLS to our infrastructure to avoid delays or potential delivery issues.
If you are unable to install these certificates on your mail server, contact your mail server vendor.
Below is a table showing the current certificate chains used by ESS:
| New cert chain | |
| Root | Issuer: CN=DigiCert Global Root G2 |
| Subject: CN=DigiCert Global Root G2 | |
| Intermediate | Issuer: CN=DigiCert Global Root G2 |
| Subject: CN=DigiCert Global CA G2 |
| Previous cert chain - still in use | |
| Root | Issuer: CN=DigiCert Global Root CA |
| Subject: CN=DigiCert Global Root CA | |
| Intermediate | Issuer: CN=DigiCert Global Root CA |
| Subject: CN=DigiCert SHA2 Secure Server CA |
Cause
As part of the Broadcom Transition of the Symantec Enterprise Division, all renewals of root certificates on our mail towers will be under the 'Broadcom Inc' organization and under SHA-2 root.
What does this mean ?
This means that all renewed certificates on mail towers will eventually be signed by DigiCert Global Root G2 instead of DigiCert Global Root CA.
At present some of our mail towers already have the new certificate installed. During this temporary period however, specific mail towers within a cluster could have either root certificate. The changes to renew all certificates are taking place gradually in a phased approach.
What is the Impact ?
In most cases, this will not cause any issues. However, some customers and business partners may have configured their mail server to only trust a specific root CA such as DigiCert Global Root CA.
These customers/business partners could face TLS email delivery failures with some Email Security.Cloud mail towers which have been updated to use the new DigiCert Global Root G2 cert.
Resolution
To download/verify these certificates, refer to DigiCert Trusted Root Authority Certificate.
- Root CA: DigiCert Global Root G2
- Intermediate CA: DigiCert Global CA G2
- Root CA: DigiCert Global Root CA
- Intermediate CA: DigiCert SHA2 Secure Server CA
Feedback
