Set up the data migration service

3. Set up your TLS certificate

The data migration service communicates over TLS and requires your legacy environment to have a TLS certificate. The certificate must be signed and trusted by a third-party root certificate authority. You can't use the data migration service if your email server has a self-signed certificate.

Read more about TLS

Before you begin

When you create your certificate, we recommend that you:

  • Change the default size of your key ring from 512 to 2,048 bits.
  • Complete optional fields, like city or locality, when you create your key ring. Some certificate authorities require this information.
  • If your certificate authority provides both trusted root and intermediate certificates, install both types of certificates into the key ring before you merge your actual certificate.

Set up your certificate

Use a TLS certificate verifier to verify the installation and signing of the TLS certificate. If the TLS certificate is trusted, the verifier displays a successful connection message. It includes details about the TLS certificate and trusted internet root authority. If the certificate isn't trusted, the verifier displays a warning message.

Note: If you're checking the certificate of an IMAP server, specify port 993 in the verifier. For example,


Was this helpful?
How can we improve it?