Overview

Sectigo Connector for Google Workspace ("the connector") is a solution for enrolling, uploading, and managing S/MIME email certificates for users in a Google Workspace domain.

Secure/Multipurpose Internet Mail Extensions (S/MIME) adds a layer of security to email communications. S/MIME is based on asymmetric cryptography and lets users encrypt outgoing messages and attachments so that only the intended recipients can read them.

Users can also digitally sign a message. A digitally signed message assures the recipient that the message hasn’t been tampered with and verifies the identity of the sender.

Sectigo S/MIME certificates can be used for the following:

  • Sign outgoing mail messages with the user’s certificate and private key

  • Decrypt incoming mail messages with the user’s private key

  • Encrypt outgoing mail messages with the recipient’s certificate and public key

  • Verify incoming mail messages with the sender’s certificate and public key

Audience

This guide is intended for IT administrators and system administrators who manage a Google Workspace Enterprise Plus account for an organization and are responsible for provisioning and managing S/MIME email certificates for users in a Google Workspace domain.

Scope

This guide contains instructions for enrolling and managing Sectigo S/MIME certificates in Google Workspace Enterprise Plus. It also covers creation of a service account with domain-wide delegation of authority.

Architecture

S/MIME Connector architecture

The connector allows an administrator of a Google Workspace domain to perform the following operations for the domain users:

  • Generate and upload S/MIME keys

    • Obtain a client certificate from Sectigo Certificate Manager (SCM)

    • Create a .p12 package (an S/MIME key)

    • Upload the S/MIME key to the user’s Gmail account

  • Update S/MIME keys that are nearing expiry

    • Renew certificates that are about to expire (within the defined range, for example, 30 days or less)

    • Upload the renewed S/MIME key to the user’s Gmail account

The connector uses the Gmail S/MIME API to upload and manage S/MIME email certificates for users in a Google Workspace domain. Each S/MIME certificate is for a specific alias for a user email account. Aliases include the primary email address and custom Send As addresses. A single S/MIME certificate is marked as the default for each alias.
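The per-alias model and the renewal window described above can be checked independently of the connector. The following is an added example, not the connector's own code: it audits records shaped like the Gmail API SmimeInfo resource (`id`, `isDefault`, `expiration`) for the one-default-per-alias rule and for certificates inside the 30-day example window. The addresses, certificate ids, and finding labels are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

RENEWAL_WINDOW_DAYS = 30  # the guide's example range

def audit_alias(alias, smime_infos, now, window_days=RENEWAL_WINDOW_DAYS):
    """Return (alias, finding, cert_id) tuples for one Send As alias."""
    if not smime_infos:
        return [(alias, "no-certificate", None)]
    findings = []
    # The page states exactly one certificate is the default per alias.
    defaults = sum(1 for c in smime_infos if c.get("isDefault"))
    if defaults != 1:
        findings.append((alias, "default-count-%d" % defaults, None))
    cutoff = now + timedelta(days=window_days)
    for cert in smime_infos:
        # SmimeInfo.expiration is milliseconds since the epoch, sent as a string.
        expires = datetime.fromtimestamp(int(cert["expiration"]) / 1000, tz=timezone.utc)
        if expires <= now:
            state = "expired"
        elif expires <= cutoff:
            state = "renew"
        else:
            continue
        if cert.get("isDefault"):
            state += "-default"
        findings.append((alias, state, cert["id"]))
    return findings

def audit_user(aliases, now):
    """aliases maps each Send As address to its list of SmimeInfo dicts."""
    return [f for alias in sorted(aliases) for f in audit_alias(alias, aliases[alias], now)]

def epoch_ms(dt):
    return str(int(dt.timestamp() * 1000))

# Constructed sample data (not real accounts or certificate ids).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = {
    "alice@example.com": [
        {"id": "cert-a1", "isDefault": True, "expiration": epoch_ms(NOW + timedelta(days=12))},
        {"id": "cert-a0", "isDefault": False, "expiration": epoch_ms(NOW - timedelta(days=3))},
    ],
    "sales@example.com": [
        {"id": "cert-s1", "isDefault": True, "expiration": epoch_ms(NOW + timedelta(days=200))},
    ],
    "alice.alt@example.com": [],
}

if __name__ == "__main__":
    for finding in audit_user(SAMPLE, NOW):
        print(finding)
```

A `renew-default` or `expired-default` finding is the case that affects outgoing signed mail for that alias, so it is the one to alert on first.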

Package contents

The connector’s package contains the following:

  • smime-connector-<version>.jar: The connector in the Java archive (JAR) format

  • application.properties: This file contains the SCM customer-specific connection properties allowing the connector to obtain client certificates for the Google Workspace domain users. See the application properties for more information.

  • SCM Client EULA v1.0.1.txt: The end-user license agreement (EULA). You need to accept it when running the connector for the first time.