Use G Suite certificates for secure transport (TLS)

How to access the TLS certificates

You can access the G Suite inbound and outbound Transport Layer Security (TLS) certificates in one of two ways:

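  • Run the following command:
    openssl s_client -starttls smtp -connect [hostname]:25 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
  • Use the following Python snippet:
    import smtplib
    import ssl

    # Replace [hostname] with the value for your mail flow (see below).
    connection = smtplib.SMTP('[hostname]', 25)
    # Upgrade the SMTP session to TLS so the server presents its certificate.
    connection.starttls()
    print(ssl.DER_cert_to_PEM_cert(connection.sock.getpeercert(binary_form=True)))
    connection.quit()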

For the [hostname], use the correct value as follows:

  • Inbound
  • Outbound (SMTP relay)
  • Outbound (MSA)

Search for other ways to access TLS certificates

To find other ways to access the certificates, search for "extracting certificate from TLS server".

Note these guidelines about TLS certificates:

  • The certificates are signed by Google Internet Authority G2.
  • The certificates are shared across hosts.
  • Any given set of certificates has an expiration date. New certificates are rotated in before this date and while the new certificates are being deployed, you can use either certificate for a connection.
  • For communication between Gmail clients and servers, messages are encrypted over an HTTPS connection with 128-bit encryption, using TLS 1.2. The connection is encrypted and authenticated using AES_128_GCM. The key exchange mechanism is ECDHE_RSA.
  • Communication between Gmail and non-Gmail clients and servers is supported using SSL3 through TLS1.2, and the client chooses from a list of ciphers, key exchange, and bit lengths.
  • Supported bits are 112/168 for DES, 128 for RC4, and 128 or 256 for Advanced Encryption Standard (AES).
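
An added example (not part of the original article) showing one way to handle the rotation overlap noted above: save every certificate you have retrieved as PEM, derive SHA-256 fingerprints from that bundle, and accept a server certificate that matches any of them. The function names are hypothetical and the byte strings standing in for certificates are constructed so the block runs offline.

```python
import hashlib
import re
import smtplib
import ssl
import sys

# Matches each PEM block, e.g. the output of the openssl | sed pipeline above.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def pem_bundle_to_pins(pem_text):
    """Return the SHA-256 fingerprints of every certificate in a PEM bundle."""
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
            for block in PEM_RE.findall(pem_text)}

def fetch_der(hostname, port=25, timeout=10):
    """Fetch the certificate a server presents after SMTP STARTTLS (DER bytes)."""
    with smtplib.SMTP(hostname, port, timeout=timeout) as conn:
        conn.starttls()
        return conn.sock.getpeercert(binary_form=True)

def is_pinned(der, pins):
    """True if the presented certificate matches any saved fingerprint."""
    return hashlib.sha256(der).hexdigest() in pins

# Constructed stand-ins for an outgoing and an incoming certificate. Only the
# raw bytes are hashed, so any byte string exercises the same code path.
OLD_DER = b"constructed-old-certificate-bytes"
NEW_DER = b"constructed-new-certificate-bytes"

# During rotation either certificate may be presented, so the bundle holds both.
SAVED_BUNDLE = ssl.DER_cert_to_PEM_cert(OLD_DER) + ssl.DER_cert_to_PEM_cert(NEW_DER)
PINS = pem_bundle_to_pins(SAVED_BUNDLE)

if __name__ == "__main__":
    # Usage: script.py <pem-bundle-file> <hostname>
    bundle_path, hostname = sys.argv[1], sys.argv[2]
    with open(bundle_path) as fh:
        pins = pem_bundle_to_pins(fh.read())
    presented = fetch_der(hostname)
    print("pinned" if is_pinned(presented, pins) else "UNKNOWN certificate")
```

A certificate that matches no saved fingerprint may simply be a newly rotated one, so treat a mismatch as a prompt to re-validate the chain and refresh the bundle.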
