Enterprise Vault™ Setting up IMAP

Last Published:
Product(s): Enterprise Vault (12.3)

Obtaining SSL certificates

If you intend to secure IMAP connections using SSL, you must obtain an SSL certificate to authenticate the Enterprise Vault servers that will operate as IMAP endpoints. You can use a single certificate that authenticates multiple servers, or use a separate certificate for each.

You can use any suitable tool to request a certificate from a recognized certificate authority (CA). For example, you can use OpenSSL which is installed in the Enterprise Vault installation folder.

Note the following requirements and recommendations:

  • Certificates must be in PEM format and Base64-encoded.

  • Your SSL certificate must include the fully qualified domain names of the endpoints that IMAP clients will connect to. For each endpoint, this is the Alias you assign when you create it.

  • A 2048-bit RSA key is recommended.

You can use the following OpenSSL syntax to create a certificate request, and a 2048-bit RSA key:

openssl req -new -newkey rsa:2048 -nodes -subj "/C=country/ST=state/L=locality/O=org/OU=org_unit/CN=endpoint_alias" -keyout key_file -out csr_file


  • country is the country in which your organization is based.

  • state is the state in which your organization is based.

  • locality is the town or city in which your organization is based.

  • org is the name of your organization.

  • org_unit is the requesting department in your organization.

  • endpoint_alias is the fully qualified domain name of the alias for one of the endpoints to which users will make IMAP connections.

  • key_file is the name of the file that will contain the certificate key.

  • csr_file is the name of the file that will contain the certificate signing request (CSR).

For example:

openssl req -new -newkey rsa:2048 -nodes -subj "/C=US/ST=California/L=Cupertino/O=Veritas Technologies LLC/OU=IT Security/CN=imap.example.com" -keyout ev-imap-key.key -out ev-imap-csr.pem

In this example, two files are generated. You should send the CSR file to the CA, and retain the key file ready for subsequent configuration of the IMAP endpoints.

In a typical Enterprise Vault environment, which would use load balancing to distribute IMAP requests across multiple Enterprise Vault servers, you only need to request a certificate that authenticates the single fully qualified domain name assigned to the load balancer.

You can also use multiple endpoint aliases, for example to support geographical or organizational divisions in your organization. If you need to use multiple endpoint aliases, you can specify the additional aliases as Subject Alternate Names (SANs) when you make the request. The certificate you receive from the CA can then be used for all the endpoint aliases. Alternatively, you can request a separate certificate for each endpoint alias.

Ensure that the certificate you request contains all the intermediate certificates you need for clients to establish a chain of trust to a root CA.

Most CAs issue certificates in PEM format (.pem, .crt, .cer, or .key). If you receive a certificate in a different format, you must convert it to PEM format. For example, if you receive a p7b format file, you can use the following OpenSSL syntax to convert the certificate:

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem


  • certificate.p7b is the p7b file you received from the CA.

  • certificate.pem is the PEM format file you want to create.

For example:

openssl pkcs7 -print_certs -in cert.p7b -out ev-imap-cert.pem

When you configure IMAP endpoints, you can then use the certificate and key files that you have created.


When you create and configure each IMAP endpoint, you are prompted separately for a certificate file and an associated key file. If you have a single file that contains both the certificate and the key, you should specify the same file in each case.