2. Set up your TLS certificate

Skip this step if you're migrating data from a Google Workspace or Gmail account.

The data migration service communicates over TLS and requires your source account to have a TLS certificate. A third-party root certificate authority (CA) must sign and trust the certificate. If your email server has a self-signed certificate, you can't use the data migration service.

Before you begin

TLS and its predecessor, Secure Sockets Layer (SSL), are often both referred to as SSL.

When you create your certificate, we recommend that you:

• Change the default size of your key ring from 512 to 2,048 bits.
• Complete optional fields, like city or locality, when you create your key ring. Some CAs require this information.
• If your CA provides both trusted root and intermediate certificates, install both types of certificates into the key ring before you merge your actual certificate.

Step 1: (Optional) Create your certificate

You can usually purchase and manage TLS certificates from your domain host. If you use a TLS certificate from another company, you might need to generate a Certificate Signing Request (CSR). This request helps provide third-party certificate issuer information to your domain host so you can install the TLS certificate.

Step 2: Set up your certificate

Make sure your server is set up to allow TLS 1.2 connections.

Use a TLS certificate verifier to inspect the installation and signing of the TLS certificate. For example, DigiCert offers an SSL Certificate Checker. If the TLS certificate is trusted, the verifier displays a successful connection message. It includes details about the TLS certificate and trusted internet root authority. If the certificate isn't trusted, the verifier displays a warning message.

Note: If you're checking the certificate of an IMAP server, specify port 993 in the verifier. For example, mail.example.com:993.