My Oracle Support Banner

Controlling Certificates Presented In The Chain By Server To Clients (MMP/MTA/etc) (Doc ID 2626728.1)

Last updated on MARCH 25, 2022

Applies to:

Oracle Communications Messaging Server - Version 8.0.2 and later
Information in this document applies to any platform.


As part of a requirement to enable TLS for all inter-system communication within Messaging Server, LDAPS was configured for UG lookups on MMP.

The certificate being used on the DSEE is a public CA signed certificate. The DSEE presents 3 certificates in the chain:

0 - server cert (a wildcard domain certificate)
1 - the CA's intermediate certificate which signed the server cert and was applied to the DSEE
2 - the CA's root certificate which the DSEE has within it's built in CA truststore

The MMP was already providing TLS enabled services to POP & IMAP clients. The certificates in the MMP database were the same as 0 and 1 mentioned above. 2 was not included because clients will already have that in their CA truststore.

Initially, LDAPS for UG binding was not working:

Is there a way to control the certificate chain such that the root CA (2) is not presented to clients? It is not required to be presented since the intermediate is presented and the clients can validate the chain of trust. It is possible that old/bad clients will interpret the root CA cert as self-signed (because it is) and have an issue.


 Enable TLS for all inter-system communication within Messaging Server


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.