Supported editions for this feature: Enterprise; Education Fundamentals, Education Standard, Teaching and Learning Upgrade, and Education Plus. Compare your edition
Google provides certificate requirements and trusted CA certificates for S/MIME. If your certificates don't meet these requirements, you may notice that certain messages aren’t trusted. To fix this, you can accept other root certificates, from root certificate authorities (CAs) that you trust.
To accept an additional root certificate, add it in your Google Admin console. Then, specify at least one domain that the certificate applies to. You can also optionally adjust the certificate’s encryption level and validation profile.
For detailed steps to turn on S/MIME in Google Workspace, visit Enable hosted S/MIME for message encryption.
On this page
- Root certificate guidelines
- Change the domain for a root certificate
- Delete a root certificate
- Troubleshoot root certificate upload issues
- Exchange S/MIME messages between domains
- Allow SHA-1 (not recommended)
Root certificate guidelines
Root certificates must meet these guidelines to be added in your Google Admin console for S/MIME:
- The file must be in .pem format and contain only one root certificate.
- The certificate chain must include at least one intermediate CA certificate.
- Provide an end-user certificate for each certificate chain. If it isn't included, Google performs only minimal verification.
- The end-user certificate must not include the private key.
Important: At least one intermediate CA certificate must be present in the chain. That is, the root must not issue end-user certificates directly.
Change the domain for a root certificate
Editing a root certificate only lets you change the domains it applies to. You can't change a certificate's expiration date or replace the certificate by editing it; to do that, delete the certificate and upload a new one. Deleting a root certificate doesn't affect any end-user certificates that have already been uploaded.
To change the domain for a root certificate:
- In your Google Admin console, go to the S/MIME setting on the User Settings tab.
- In the table of additional root certificates, select the certificate you want to change; then click Edit.
- Update the domain, then click Save.
Delete a root certificate
To delete a root certificate:
- In your Google Admin console, go to the S/MIME setting on the User Settings tab.
- In the table of additional root certificates, select the certificate you want to remove and click Delete.
Troubleshoot root certificate upload issues
Check the following to identify and resolve upload errors:
- Certificate doesn't meet the minimum requirements to be trusted. Verify that no certificate other than the root is self-signed, that none has been revoked, and that no key is shorter than 1,024 bits (that's the minimum the upload accepts; use 2,048-bit or longer RSA keys in practice). Then, try uploading again.
- Certificate has an invalid signature. Verify that the certificate has a valid signature, and then try uploading again.
- Certificate is expired. Verify that the date on the certificate is within the date range specified in the Not Before (Date) and Not After (Date) fields. Then, try uploading again.
- Uploaded certificate chain contains at least one invalid certificate. Verify that the certificate is formatted correctly, and then try uploading again.
- Uploaded certificate contains multiple root certificates. Verify that the certificate has just one root certificate, and then try uploading again.
- Certificate couldn't be parsed. Verify that the certificate is formatted correctly, and then try uploading again.
- The server couldn’t parse the certificate, or there was some unknown response from the server. Verify that the certificate is formatted correctly, and then try uploading again.
- Unable to upload certificate. A problem occurred when communicating with the server. This is likely a temporary issue; wait a few minutes and try again. If the upload continues to fail, ensure that the certificate is formatted properly.
- Edit a root certificate. You can edit a certificate to change the domains in its address list. For example, if you've uploaded custom certificates and messages still appear as untrusted, check that the sending domain is in the list of allowed domains and change the list if needed.
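The following script is an added example, not Google's code or anything from this article. It uses OpenSSL to build a root, an intermediate and an end-user certificate, assembles the single-root PEM bundle described under Root certificate guidelines, and then runs the checks the troubleshooting list above describes (plus a chain verification and a SHA-1 warning) over that bundle and three deliberately wrong ones. The CA names, the address alice@example.com, the file names and the check_smime_pem function are all made up for the example; the 1,024-bit floor and the one-root / one-intermediate rules are the ones stated on this page.

```shell
#!/bin/sh
# Added example, not Google's code: build a test chain with OpenSSL, assemble the
# PEM bundle the S/MIME setting expects, then lint it against the guidelines and
# upload checks above. All names (Example Root CA, alice@example.com, file names)
# are made up for this demonstration.
set -eu
WORK="$(mktemp -d)"
# Private OpenSSL config: an empty DN section (the subject is passed with -subj)
# plus one extension section per tier, so nothing depends on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[int]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[user]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:alice@example.com
authorityKeyIdentifier = keyid
EOF
# newcsr NAME SUBJECT: fresh 2048-bit RSA key and CSR for one tier.
newcsr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
# Root -> intermediate -> end-user certificate, then one good and three bad bundles.
build_chain() {
  cd "$WORK"
  newcsr root "/CN=Example Root CA"
  openssl x509 -req -in root.csr -signkey root.key -sha256 -days 3650 \
    -extfile ca.cnf -extensions root -out root.pem 2>/dev/null
  newcsr int "/CN=Example Issuing CA"
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -sha256 -days 1825 -extfile ca.cnf -extensions int -out int.pem 2>/dev/null
  newcsr alice "/CN=Alice Example/emailAddress=alice@example.com"
  openssl x509 -req -in alice.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -sha256 -days 365 -extfile ca.cnf -extensions user -out alice.pem 2>/dev/null
  cat root.pem int.pem alice.pem > upload.pem            # meets the guidelines
  cat root.pem int.pem alice.pem alice.key > withkey.pem  # private key included
  cat root.pem root.pem int.pem alice.pem > tworoots.pem  # more than one root
  cat root.pem alice.pem > nointer.pem                    # root issued the user cert
}
# check_smime_pem BUNDLE: the upload checks from the troubleshooting list (parseable,
# not expired, RSA key >= 1,024 bits, exactly one root, at least one intermediate,
# no private key), a SHA-1 warning, and a chain verification of each end-user
# certificate for S/MIME use. Returns 0 only when every check passes.
check_smime_pem() {
  bundle="$1"; dir="$(mktemp -d)"; roots=0; inters=0; leaves=0; leaf_files=""
  ! grep -q 'PRIVATE KEY' "$bundle" || { echo "FAIL: $bundle contains a private key"; return 1; }
  # One file per CERTIFICATE block, in bundle order.
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/c" n ".pem")}' "$bundle"
  for c in "$dir"/c*.pem; do
    txt="$(openssl x509 -in "$c" -noout -text 2>/dev/null)" || { echo "FAIL: $c could not be parsed"; return 1; }
    openssl x509 -in "$c" -noout -checkend 0 >/dev/null || { echo "FAIL: $c is expired"; return 1; }
    bits="$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)"
    if printf '%s\n' "$txt" | grep -q 'rsaEncryption' && [ "${bits:-0}" -lt 1024 ]; then
      echo "FAIL: $c RSA key is shorter than 1,024 bits"; return 1
    fi
    printf '%s\n' "$txt" | grep -q 'Signature Algorithm: sha1' &&
      echo "WARN: $c is SHA-1 signed; trusted only if Allow SHA-1 globally is selected"
    subj="$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253)"
    iss="$(openssl x509 -in "$c" -noout -issuer -nameopt RFC2253)"
    if [ "${subj#subject=}" = "${iss#issuer=}" ]; then      # self-signed: a root
      roots=$((roots + 1)); cat "$c" >> "$dir/roots.pem"
    elif printf '%s\n' "$txt" | grep -q 'CA:TRUE'; then      # CA, not self-signed
      inters=$((inters + 1)); cat "$c" >> "$dir/inters.pem"
    else leaves=$((leaves + 1)); leaf_files="$leaf_files $c"; fi
  done
  [ "$roots" -eq 1 ] || { echo "FAIL: $bundle has $roots root certificates, expected exactly 1"; return 1; }
  [ "$inters" -ge 1 ] || { echo "FAIL: no intermediate CA; the root must not issue end-user certificates"; return 1; }
  [ "$leaves" -ge 1 ] || echo "WARN: no end-user certificate; only minimal verification is possible"
  for l in $leaf_files; do
    openssl verify -CAfile "$dir/roots.pem" -untrusted "$dir/inters.pem" -purpose smimesign "$l" >/dev/null 2>&1 ||
      { echo "FAIL: $l does not chain to the root through the intermediate(s)"; return 1; }
  done
  echo "OK: $bundle has 1 root, $inters intermediate(s), $leaves end-user certificate(s)"
}
build_chain
for b in upload.pem withkey.pem tworoots.pem nointer.pem; do
  check_smime_pem "$WORK/$b" || true
done
```

Run it with sh; it needs the openssl command on the path. A bundle that prints OK meets the guidelines listed on this page; each FAIL corresponds to one of the upload errors above (private key included, more than one root, missing intermediate, unparseable or expired certificate, key too short), and a SHA-1 WARN means the certificate will appear untrusted unless Allow SHA-1 globally is selected. Passing these checks doesn't guarantee the upload succeeds: Google also checks revocation, which this script doesn't.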
Exchange S/MIME messages between domains
To let people in different domains exchange S/MIME messages, you might need to take a few extra steps in your Google Admin console. Follow the recommended steps here, based on how the user certificates are issued for the domain.
- Both domains' user certificates are issued by a trusted root CA: When all user certificates in both domains are issued by a root CA that Google trusts, you don't need to take any extra steps. These root CA certificates are always trusted by Gmail.
- Both domains' user certificates are issued by the same untrusted root CA: In this case, a root CA that Google doesn't trust issued the user certificates for both your domain and the domain you want to exchange S/MIME messages with.
Add the untrusted root CA in your Google Admin console, following the steps in Enable hosted S/MIME. In the Add root certificate box, enter the other domain in the Address list field.
- One domain's user certificates are issued by an untrusted root CA: In this case, one domain's user certificates are issued by a root CA that Google doesn't trust, and the other domain's user certificates are issued by a different root CA.
Add the other domain's root CA in your Google Admin console, following the steps in Enable hosted S/MIME. In the Add root certificate box, enter the other domain in the Address list field.
Allow SHA-1 (not recommended)
Some email clients still allow SHA-1 hashed signatures. Messages with SHA-1 signatures appear as untrusted because SHA-1 is deprecated for security reasons.
When you add a new root certificate to the S/MIME setting, select the Allow SHA-1 globally option only if:
- Your organization communicates using the SHA-1 cryptographic hash function for S/MIME message security, and
- You want these communications to appear as trusted.
When this option is selected, Gmail trusts S/MIME certificates attached to inbound mail by entities using SHA-1.