Enable hosted S/MIME for enhanced message security

This feature is only available with G Suite Enterprise.

You can enhance the integrity and confidentiality of your organization's email messages by enabling hosted Secure/Multipurpose Internet Mail Extensions (S/MIME). For S/MIME encryption to work, each sender and recipient must have it enabled. They also need to exchange information, called keys, to uniquely identify each other.

You can ensure that certain messages can’t be sent or received unless they are S/MIME encrypted or S/MIME signed. Learn about setting compliance and routing rules. Learn about enhancing message security with hosted S/MIME. 

See the Hosted S/MIME FAQ for additional information about client support and enhanced encryption.

Set up hosted S/MIME

To use hosted S/MIME, you enable it in the Google Admin console and then upload certificates to Gmail, either programmatically or through Gmail settings. When users reload Gmail, they’ll see the change. Optionally, you can let users upload their own certificates and exchange them with each other.

Step 1: Enable hosted S/MIME

The following steps describe how to enable S/MIME and optionally use the advanced controls on S/MIME trusted certificates to upload and manage root certificates.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console dashboard, go to Apps > G Suite > Gmail > Advanced settings.

    Tip: To see Advanced settings, scroll to the bottom of the Gmail page.

  3. On the left, under Organizations, select the domain or organization you want to configure.

    Important: If you’re configuring advanced controls on S/MIME to upload and manage root certificates, you must select the top-level organization, typically your domain.

  4. Scroll to the S/MIME setting; then check the Enable S/MIME encryption box.

  5. (Optional) If you want to let users upload certificates, check the Allow users to upload box.

  6. (Optional advanced controls) If you want to upload and manage root certificates, use the advanced controls for S/MIME trusted certificates:

    • Next to Accept these additional Root Certificates for specific domains, click Add.
    • Click Upload Root Certificate.
    • Browse to select the certificate file and then upload it. You should see a verification message for the certificate that includes the subject name and expiration date. If there’s a problem with the upload, you’ll see an error message.
    • Under Encryption level, select the encryption level to use with this certificate.
    • Under Address list, enter at least one domain that will use the root certificate when communicating. Domain names can include wildcards that adhere to the RFC standard. If you enter more than one domain, separate them by commas.
    • Click Save.
    • Repeat for additional certificate chains.
  7. Check the Allow SHA-1 globally (not recommended) box only if your domain or organization must use Secure Hash Algorithm 1 (SHA-1). See When you may need to allow SHA-1 below for details on this option.
  8. Click Save.

    Important: It can take up to an hour to enable and propagate hosted S/MIME to all user accounts. Messages sent during this time—as well as when you disable and re-enable S/MIME—are not encrypted.

Step 2: Have users reload Gmail

After you enable hosted S/MIME, have users reload Gmail to see the change. After reloading, a Lock icon appears in the Subject line of email messages. If the message is encrypted with hosted S/MIME, the lock is green.

Step 3: Upload certificates

To use hosted S/MIME encryption, S/MIME end-user certificates must be uploaded to Gmail. The certificate should meet current cryptographic standards and use the Public-Key Cryptography Standards (PKCS) #12 (a transfer syntax for personal identity information) archive file format. See this Internet Engineering Task Force document for information about PKCS #12.

The list of trusted certificates provided and maintained by Google applies only to Gmail for S/MIME. The list of CAs is trusted solely at Google's discretion, and Google retains the right to remove root CAs at will, with or without reason.

We recommend that you upload certificates programmatically using the Gmail S/MIME API. If you’ve allowed users to upload certificates, you can also upload them from Gmail.

Note: You can also use the Gmail S/MIME API to manage things like viewing, deleting, and setting default user keys.

Step 4: Have users exchange keys

Your users need to exchange keys with email recipients in either of the following ways: 

  • Send an S/MIME signed message to recipients. The email will be digitally signed, and the signature will include the user's public key. The recipients will be able to use this public key to encrypt the emails they send to your user.
  • Ask recipients to send them an S/MIME-signed message. When the signed message arrives, the recipient's public key is automatically stored and available. From this point forward, messages sent to this recipient are S/MIME-encrypted.

After you enable hosted S/MIME

After you enable hosted S/MIME, you can make sure that certain messages can’t be sent or received unless they are S/MIME encrypted or S/MIME signed. You set this up when you create compliance and routing rules. Learn about enhancing message security with hosted S/MIME and rules. 

You can relax certain security restrictions to conform with your domain’s existing S/MIME infrastructure. For example, you can upload root Certificate Authorities (CAs) that don't conform to the default and strictest security guidelines. 

Advanced controls on S/MIME trusted certificates

Google has a set of requirements for acceptable S/MIME certificates. However, your certificates may not conform to these standards, and depending on your configuration, you may notice that certain emails aren’t “trusted.” If so, you can choose to accept additional root certificates from CAs you trust.

To accept an additional root certificate, you upload it and then specify at least one domain that the certificate applies to. You can also adjust the certificate’s encryption level, or validation profile, if necessary.

Root certificate guidelines

Construct the certificate file for upload

Certificate guidelines

  • The certificate must be in .pem format and can only contain one root.
  • The certificate chain must include at least one intermediate certificate.
  • You should also provide an end-user certificate for each certificate chain. If it’s not included, Google only performs minimal verification.
  • The end-user certificate should not include the private key.

Important: At least one intermediate CA certificate must be present in the chain. That is, the root must not issue end-entity certificates directly.
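An added example, not from this article and not Google's own tooling: it uses the openssl CLI and a throwaway test PKI to build a chain file that meets the guidelines above (one root, an intermediate, an end-user certificate, no private key) plus the end-user PKCS #12 archive that Step 3 calls for, and then runs pre-upload checks that correspond to the Troubleshoot upload problems list below. Subjects, file names and the password changeit are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Google help article). Uses the openssl CLI and a
# throwaway test PKI to produce upload-chain.pem (root + intermediate + end-user
# certificates, no private key) and user.p12 (end-user cert + key for the Gmail
# S/MIME API). Subjects, file names and the password are constructed placeholders.
set -eu
WORK="${WORK:-$(mktemp -d)}"

build_test_chain() (
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' >user.ext
  printf 'extendedKeyUsage=emailProtection\nsubjectAltName=email:alice@example.com\n' >>user.ext
  # Root CA: self-signed, signs only the intermediate (the root must not issue end users).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" -keyout root.key -out root.csr
  openssl x509 -req -sha256 -days 3650 -in root.csr -signkey root.key -extfile ca.ext -out root.crt
  # Intermediate CA: the article requires at least one in the uploaded chain.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" -keyout int.key -out int.csr
  openssl x509 -req -sha256 -days 1825 -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.ext -out int.crt
  # End-user S/MIME certificate issued by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice@example.com" -keyout user.key -out user.csr
  openssl x509 -req -sha256 -days 365 -in user.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -extfile user.ext -out user.crt
  cat root.crt int.crt user.crt >upload-chain.pem   # certificates only, never a key
  openssl pkcs12 -export -in user.crt -inkey user.key -certfile int.crt \
    -passout pass:changeit -out user.p12
) 2>/dev/null

# Pre-upload checks mirroring the article's guidelines and its upload error messages.
check_upload_bundle() (
  cd "$WORK"
  grep -q 'PRIVATE KEY' upload-chain.pem && { echo "bundle contains a private key"; exit 1; }
  rm -f part*.pem; awk '/BEGIN CERTIFICATE/{n++} {print > ("part" n ".pem")}' upload-chain.pem
  roots=0
  for c in part*.pem; do
    subj=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//')
    iss=$(openssl x509 -in "$c" -noout -issuer -nameopt RFC2253 | sed 's/^[a-z]*= *//')
    [ "$subj" = "$iss" ] && roots=$((roots + 1))
    # SHA-1 signatures show as untrusted unless "Allow SHA-1 globally" is checked.
    openssl x509 -in "$c" -noout -text | grep -qi 'Signature Algorithm: sha1' &&
      { echo "$c: signed with SHA-1"; exit 1; }
    openssl x509 -in "$c" -noout -checkend 0 >/dev/null || { echo "$c: expired"; exit 1; }
  done
  [ "$roots" -eq 1 ] || { echo "expected exactly one root, found $roots"; exit 1; }
  # The chain must validate through the intermediate, not from the root directly.
  openssl verify -CAfile root.crt -untrusted int.crt user.crt >/dev/null
)

build_test_chain && check_upload_bundle && echo "upload-chain.pem and user.p12 ready in $WORK"
```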

Troubleshoot upload problems

Check the following to identify and resolve upload errors:

  • Certificate doesn't meet the minimum requirements to be trusted. Verify that the certificate isn’t self-signed, hasn’t been revoked, and that the key length isn’t less than 1,024 bits, and then try again.
  • Certificate has an invalid signature. Verify that the certificate has a valid signature, and then try again.
  • Certificate is expired. Verify that the certificate has a valid date, not in the past or future, and then try again.
  • Uploaded certificate chain contains at least one invalid certificate. Verify that the certificate is formatted correctly, and then try again.
  • Uploaded certificate contains multiple root certificates. Verify that the certificate has just one root certificate and try again.
  • Certificate couldn't be parsed. Verify that the certificate is formatted correctly, and then try again.
  • The server couldn’t parse the certificate, or there was some unknown response from the server. Verify that the certificate is formatted correctly, and then try again.
  • Unable to upload certificate. A problem occurred when communicating with the server. This is likely a temporary issue; wait a few minutes and try again. If the upload continues to fail, ensure that the certificate is formatted properly.

Edit a root certificate

You can edit a certificate to change the domains in the address list. For example, if you’ve uploaded custom certificates and your messages are still considered “non-trusted,” try changing the list of allowed domains.

Change the domains in the address list

  1. In the list of additional root certificates, select the certificate you want to change; then click Edit.
  2. Make the change, and then click Save.

Note: You can’t change a certificate’s expiration date or use editing to replace a certificate. You need to delete the certificate and upload a new one. Deleting a root certificate won't affect any end-user certificates that have already been uploaded.

Delete a root certificate

In the list of additional root certificates, select the certificate you want to delete, and then click Delete.

When you may need to allow SHA-1

Some non-Gmail email clients may allow SHA-1 hashed signatures. By default, these signatures appear as untrusted because SHA-1 is a phased-out hash function (due to security issues). You should only select the Allow SHA-1 globally option if your organization communicates using the SHA-1 cryptographic hash function for S/MIME message security and you want these communications to appear as trusted. When this option is selected, Gmail will trust S/MIME certificates attached to inbound mail by entities using this phased-out algorithm.
