
Transport Layer Security (TLS) Certificates

Like all TLS servers, a TLS-enabled ZixGateway appliance requires a certificate and information about the Certification Authority (CA) that issued the certificate. You can create a self-signed TLS certificate. This information is stored in standard base-64 encoded Privacy Enhanced Mail (PEM) format in these ZixGateway Manager fields:

Private Key: This is your private key for this appliance.
Server Certificate: This is the certificate for this appliance which is the matching companion to the private key.
Server Certificate Signing CA: This is the certificate used to sign the Server Certificate.

To verify certificates presented by other MTAs during TLS session initialization, ZixGateway must have a copy of the appropriate CA certificate. If the peer MTA has a certificate issued by the same CA as the ZixGateway, no further configuration is required. However, if the peer is using a certificate issued by another CA, the appropriate CA certificate must be installed.

There are three basic types of certificate authorities:

Self-signed
Certificate Authority—your own
Certificate Authority—external (such as Verisign)

To enable TLS, enter the private key and certificate information for your ZixGateway appliance. All three are entered in the same way.

To enter the private key for this ZixGateway's server certificate:

1. Select for the Private Key field.
2. Browse to your certificate repository and select the appropriate file.
3. Select Apply.

To enter the server certificate for this ZixGateway system:

1. Select for the Server Certificate field.
2. Browse to your certificate repository and select the appropriate file.
3. Select Apply.

To enter the certificate that signed the server certificate:

1. Select for the Server Certificate Signing CA field.
2. Browse to your certificate repository and select the appropriate file.
3. Select Apply.
Note: If there is a certificate chain included in a single .pem file, enter the chain file here. Otherwise, enter the certificate used to sign the Server Certificate. If the Server Certificate is a self-signed certificate, re-enter the server certificate here.

To replace any of the above, select , browse to your certificate repository and select the appropriate file. Select Apply. The previous entry will be replaced.
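
Before uploading, it helps to confirm that the three PEM files belong together: the private key matches the server certificate, and the server certificate verifies against the signing CA or chain file. The script below is an added example, not part of ZixGateway or its documentation; it uses the OpenSSL command line, and all function and file names in it are assumptions.

```shell
#!/bin/sh
# Added example: pre-upload checks for the three PEM files.
# Function and file names are assumptions, not ZixGateway names.

# Succeeds when the private key and certificate hold the same public key.
key_matches_cert() {  # usage: key_matches_cert KEY.pem CERT.pem
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# Succeeds when CERT.pem verifies against the CA certificate or chain file.
# For a self-signed certificate, pass the certificate itself as CA.pem.
cert_signed_by() {  # usage: cert_signed_by CERT.pem CA.pem
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Runs all checks and prints one line per problem found.
check_tls_files() {  # usage: check_tls_files KEY.pem CERT.pem CA.pem
    rc=0
    for f in "$1" "$2" "$3"; do
        grep -q -e '-----BEGIN ' "$f" 2>/dev/null || { echo "not PEM: $f"; rc=1; }
    done
    key_matches_cert "$1" "$2" || { echo "key does not match certificate"; rc=1; }
    cert_signed_by "$2" "$3" || { echo "certificate not signed by CA file"; rc=1; }
    return $rc
}

# Constructed sample: a throwaway self-signed key and certificate.
make_sample() {  # usage: make_sample DIR NAME
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key.pem" -out "$1/$2.cert.pem" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d" gateway.example && make_sample "$d" other.example || return 1
    # Self-signed case from the note: the certificate doubles as the signing CA.
    check_tls_files "$d/gateway.example.key.pem" "$d/gateway.example.cert.pem" \
        "$d/gateway.example.cert.pem" && echo "gateway files: OK"
    # Wrong key for this certificate: reported before anything is uploaded.
    check_tls_files "$d/other.example.key.pem" "$d/gateway.example.cert.pem" \
        "$d/gateway.example.cert.pem" || echo "mismatch detected"
    rm -rf "$d"
}
demo
```

When the Server Certificate Signing CA file is a chain in a single .pem file, pass that chain file as the third argument to `check_tls_files`.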

You may also wish to select a minimum TLS version once your certificates are configured.