2017/06/23

G Suite Enterprise – CA List for S/MIME Encryption

My company recently enabled G Suite Enterprise on our Google accounts in an attempt to provide a more seamless process for email encryption. We ran into an issue, though: our certificate chain wasn't trusted, and every upload attempt was rejected with an error message to that effect.

This struck us as very odd, since the company uses DigiCert as its provider, which is a very popular certificate authority. We got in touch with our Google Account Manager and Solutions Engineer/Sales Engineer to get a point of reference for what was happening.

The Solutions Engineer had us go through the following steps (to be fair, most of which we had already tried):

  • Export the root CA, the intermediate CA and the certificate as one chain
    and attempt to upload it.
  • Upload just the certificate.
  • Provide a sample certificate for Google to test with.

After going through this process and reaching the final step, he finally presented me with a list of the CAs they pull from.

I have to note that this is in no way a complete list. Knowing Google, I am sure they don't use a single source of information. However, it is a great way to at least see the potential risks in terms of what you are going to be able to use before purchasing G Suite Enterprise.

G Suite Enterprise – CA List for S/MIME

At the time of writing (2017/06/20) they supported the following DigiCert root certificates (subject DNs as given):

Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G2
Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root G3
Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G3
Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Trusted Root G4

Again, this is not comprehensive. Compare it with the file in question: the "DigiCert Assured ID Root CA" certificate, although a published DigiCert root, does not appear above and so is not in Google's trusted store.

I would love to be able to pull the full list of certificates from Google, or to validate their current list in some way. I am still asking our Google SE to provide the full list, but for now there is at least some new information out there; when we first flipped the switch I could not find anything even remotely related to this while searching for issues that could help my cause.

Update 7/17
As of today this still hasn't been accomplished, even though they have told me multiple times that the new certs would be imported. That is definitely a bummer, though I am not all that surprised. The reasoning that was given was:

I asked about what the hold up has been and there was an internal fire drill that caused some delays in the binary releases.

No idea what this means, so that's a bummer, and while our SE has been helpful in keeping tabs on it, this information is somewhat vague.

Update 2019/05/30
During the past year Google has added some rather large feature sets to this, and it definitely works much better than it did at the time of writing. As mentioned in the comments below, if you export the full DigiCert chain along with your personal cert, you should be able to upload a DigiCert certificate for use with S/MIME within G Suite.

Though, in the words of our InfoSec staff, it still isn't S/MIME.

Tags: G Suite, S/MIME
5 Comments
  1. Jordi Garcia 2017/12/20 at 10:33

    We have the same issue with GSuite enterprise and Digicert. We are using the premium certificates. Did you get it working? The CA they use is now supported by GSuite but still get the same error as you.
    https://support.google.com/a/answer/7448393?hl=en

    The cert is constructed just fine with the cert+private key+ca+root but it fails to upload.
    Our Google support rep said that it could be because the cert has the X509v3 Extended Key Usage "TLS Web Client Authentication", and that is not allowed as per the following:
    https://support.google.com/a/answer/7300887
    That should only contain “E-mail Protection”.

    Not sure if we need to use a custom CSR during the cert creation or use one of the cheaper certs which don’t offer that TLS Web Client Authentication “feature”.

    • I have found that Google’s cert / S/MIME implementation is incredibly gimmicky.

      For a short while we were able to do the above, combining the full chain in the certificate we were uploading – and then Google changed the process three weeks later.

      They implemented a new feature where you could upload a RootCA. Even after uploading a Trusted CA to use ( Cert + Private Key, Intermediary Cert, Root CA), we are still unable to upload certificates because Google states that they are untrusted even though our certs do follow the spec sheet they have provided.

      At this point, I am not sure – as I am still waiting to hear back from our Support Rep/Account Manager to try and get us more helpful information. Sorry.

    • Hey Jordi,

      As a follow up – it has taken me nearly three months to get anywhere with this. Google has modified something on their side to cause this issue, as the same certificates that were uploaded at one point now fail.

      I have spent numerous hours with them on the phone, calling our Account Rep, trying to get in touch with someone that would have enough clearance or relevance to get us where we need to.

      At this point, the only thing I can say is that I would NOT recommend G Suite Enterprise with DigiCert, and honestly, probably just in general due to the many headaches. G Suite Standard works fine, and using an email client (e.g. Thunderbird) to perform S/MIME works just as well.

      You wouldn’t need to use a custom CSR – but you would need to reach out to your DigiCert account rep and ask for a custom certificate. The initial price of this was ~$5000 just to test the functionality – which is fairly steep to me.

      • Jordi Garcia Godia 2018/03/03 at 04:05

        Thanks for getting back to me Andrew. I agree with you. I was just thinking that I needed to find some other provider as DigiCert and Google don’t play nicely with each other.
        I asked Google for recommendations for a provider that would work, but they couldn't recommend any because they don't have any affiliations with them.
        We use DigiCert for any other cert that we need but is just taking us too much time and energy to try and sort this out. They are also not very cooperative to be honest.
        Do you know of any that will work?

        • Hey,

          We ended up solving our problem and it was really dumb.

          Our entire issue was due to a local policy setting on a sub-OU; however, the sub-OUs don't show the custom SSL certificate option, which led all of the support engineers and myself to believe that it would inherit the org structure.

          I need to update this post explaining how to, but you can now add custom certificates as long as you include the full chain.
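The checks that the post and the comments keep circling around can be scripted locally before anything is uploaded to the admin console: is the chain's root one of the roots Google said it trusts, does the end-entity certificate carry the E-mail Protection EKU and not TLS Web Client Authentication (the restriction the Google help page cited above imposes), does the leaf actually verify up to the root through the intermediate, and does the "full chain" PKCS#12 export really contain leaf, intermediate and root. The script below is an added example, not code from the original post, Google or DigiCert. It assumes openssl 1.1.1 or later is on PATH; the function names (`preflight`, `make_sample_pki` and the rest), the `root.pem`/`inter.pem`/`user.pem`/`user.key` file layout and the `Example Corp` PKI are all made up for the example, the sample PKI is generated on the fly as constructed test data, and roots are matched against the list quoted in the post by subject CN only.

```shell
#!/bin/sh
# Added example (not code from the original post, Google or DigiCert): local
# pre-flight checks for an S/MIME certificate before uploading it to G Suite.
# Assumes openssl >= 1.1.1 on PATH; the sample PKI below is constructed test
# data with made-up names, and roots are matched by subject CN only.

# Root CNs from the list quoted in the post (2017-06-20 snapshot).
SUPPORTED_ROOT_CNS='DigiCert Assured ID Root G2
DigiCert Assured ID Root G3
DigiCert Global Root G2
DigiCert Global Root G3
DigiCert High Assurance EV Root CA
DigiCert Trusted Root G4'

# Subject CN of a certificate; RFC2253 formatting is stable across versions.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
# Check 1: succeeds if the certificate's subject CN is on the supported list.
root_supported() {
    printf '%s\n' "$SUPPORTED_ROOT_CNS" | grep -Fxq -- "$(cert_cn "$1")"
}
# Extended Key Usage names of a certificate, one per line (empty if none).
cert_eku() {
    openssl x509 -in "$1" -noout -text | awk '/X509v3 Extended Key Usage/ {
        getline; sub(/^ +/, ""); n = split($0, a, ", "); for (i = 1; i <= n; i++) print a[i]; exit }'
}
# Check 2: EKU must contain E-mail Protection and must NOT contain TLS Web
# Client Authentication (the rule the Google help page in the comments cites).
eku_ok_for_smime() {
    ekus=$(cert_eku "$1")
    printf '%s\n' "$ekus" | grep -Fxq 'E-mail Protection' &&
        ! printf '%s\n' "$ekus" | grep -Fxq 'TLS Web Client Authentication'
}
# Check 3: succeeds if the leaf chains to the root through the intermediate.
chain_verifies() {   # root intermediate leaf
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}
# Bundle key + leaf + intermediate + root into one PKCS#12: the "full chain"
# export the post says is what finally uploads.
build_p12() {        # key leaf intermediate root out password
    cat "$3" "$4" > "$5.chain.pem"
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$5.chain.pem" \
        -out "$5" -passout "pass:$6"
}
# Check 4 helper: number of certificates inside a PKCS#12 (expect 3).
p12_cert_count() {   # p12 password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# --- constructed sample PKI so the checks can run offline -------------------
new_csr() {          # key csr subject  (RSA-2048, unencrypted key, test use only)
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$3" -keyout "$1" -out "$2" 2>/dev/null
}
sign_csr() {         # csr out extfile cacert cakey  (empty cacert = self-signed)
    csr=$1; out=$2; ext=$3
    if [ -n "$4" ]; then set -- -CA "$4" -CAkey "$5" -CAcreateserial; else set -- -signkey "$5"; fi
    openssl x509 -req -sha256 -days 1825 -in "$csr" -out "$out" -extfile "$ext" "$@" 2>/dev/null
}
make_sample_pki() {  # dir rootcn eku   (eku e.g. emailProtection,clientAuth)
    d=$1; mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\n' > "$d/user.ext"
    printf 'extendedKeyUsage=%s\nsubjectAltName=email:alice@example.com\n' "$3" >> "$d/user.ext"
    new_csr "$d/root.key" "$d/root.csr" "/C=US/O=Example Corp/CN=$2"
    sign_csr "$d/root.csr" "$d/root.pem" "$d/ca.ext" "" "$d/root.key"
    new_csr "$d/inter.key" "$d/inter.csr" '/C=US/O=Example Corp/CN=Example Issuing CA'
    sign_csr "$d/inter.csr" "$d/inter.pem" "$d/ca.ext" "$d/root.pem" "$d/root.key"
    new_csr "$d/user.key" "$d/user.csr" '/C=US/O=Example Corp/CN=Alice Example'
    sign_csr "$d/user.csr" "$d/user.pem" "$d/user.ext" "$d/inter.pem" "$d/inter.key"
}

# Print PASS/FAIL for one named check and return its result.
report() {           # name command...
    name=$1; shift
    if "$@"; then echo "PASS  $name"; else echo "FAIL  $name"; return 1; fi
}
# Run all four checks on a directory holding root.pem, inter.pem, user.pem and
# user.key (real files or make_sample_pki output); succeeds only if all pass.
preflight() {        # dir password
    d=$1; p=$2; rc=0
    build_p12 "$d/user.key" "$d/user.pem" "$d/inter.pem" "$d/root.pem" "$d/user.p12" "$p"
    report "root '$(cert_cn "$d/root.pem")' is on the supported list" root_supported "$d/root.pem" || rc=1
    report "leaf EKU is E-mail Protection only" eku_ok_for_smime "$d/user.pem" || rc=1
    report "leaf chains to root via intermediate" chain_verifies "$d/root.pem" "$d/inter.pem" "$d/user.pem" || rc=1
    report "PKCS#12 holds leaf + intermediate + root" [ "$(p12_cert_count "$d/user.p12" "$p")" -eq 3 ] || rc=1
    return $rc
}

# Demo: an otherwise clean chain whose root is not on the list, the post's case.
work=$(mktemp -d)
make_sample_pki "$work" 'Example Test Root' emailProtection
preflight "$work" changeit || echo "-> G Suite would reject this upload"
rm -rf "$work"
```

Run as-is, the demo reproduces the post's situation: EKU, chain and bundle are all fine, and only the root check fails. To check a real certificate, point `preflight` at a directory containing your own `root.pem`, `inter.pem`, `user.pem` and `user.key`. The root check is only as good as the list it compares against, which the post itself notes is incomplete, so treat a FAIL there as "ask your Google rep" rather than as proof, and treat a PASS on the EKU check as necessary rather than sufficient, since the later comments show uploads failing for reasons (OU-level policy) that no certificate inspection would reveal.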
