The Workspace ONE UEM console permits only a single trust certificate for KCD to be uploaded, although SEG v2 can trust multiple certificates. If additional certificates are required, you must add them manually to the SEG configuration.

The SEG v2 configuration must be updated to trust multiple certificates if, for example, a profile is updated to switch to a new Certificate Authority (CA) or to update the certificate it contains. In that case, both certificates must be trusted on the SEG to accommodate end users until all devices have picked up the new certificate.

You can upload a single certificate from the Workspace ONE UEM console while configuring SEG for KCD. See Configure Secure Email Gateway (SEG) V2 for Kerberos Constrained Delegation (KCD).


  1. Export the full chain of certificates for the required CAs.
    Note: Ensure that this full chain contains both the root and intermediate certificates. Only certificates in .pfx format are supported.
  2. Move the certificates to the /config/ssl-certs path within the install directory of the SEG.
  3. Navigate to the config.json file within the config folder of the SEG directory.
  4. Modify the clientCertTrustStorePath value to include the certificates’ absolute paths as comma-separated values within quotes, and save the file. For example:
  5. Restart the SEG service.
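
A check to run on config.json after step 4 and before the restart in step 5, as an added example rather than VMware's own tooling: it locates clientCertTrustStorePath and reports entries that are not absolute, not .pfx, duplicated, or missing on disk. Where the key sits inside config.json (it is searched for at any depth) and every sample path are assumptions constructed for illustration.

```python
import json
import ntpath
import posixpath
from pathlib import Path

KEY = "clientCertTrustStorePath"  # setting named in step 4

# Constructed sample: the "kcd" nesting and all paths are illustrative only.
SAMPLE_CONFIG = json.dumps({"kcd": {KEY: ",".join([
    "C:\\SEG\\config\\ssl-certs\\old-ca.pfx",
    "ssl-certs\\new-ca.pfx",                    # relative path
    "C:\\SEG\\config\\ssl-certs\\new-ca.cer",   # wrong format
])}})

def find_values(node, key=KEY):
    """Yield every value stored under `key` at any depth of the parsed JSON."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield v
            else:
                yield from find_values(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_values(item, key)

def check_trust_store_paths(config_text, exists=lambda p: Path(p).is_file()):
    """Return (paths, problems) for the comma-separated trust store value."""
    values = list(find_values(json.loads(config_text)))
    if len(values) != 1 or not isinstance(values[0], str):
        return [], [f"expected exactly one string {KEY}, found {len(values)}"]
    paths, problems = [], []
    for raw in values[0].split(","):
        path = raw.strip()  # assumption: surrounding spaces are not significant
        if not path:
            problems.append("empty entry (stray comma)")
            continue
        if not (ntpath.isabs(path) or posixpath.isabs(path)):
            problems.append(f"{path}: not an absolute path")
        if not path.lower().endswith(".pfx"):
            problems.append(f"{path}: not a .pfx file")
        if path in paths:
            problems.append(f"{path}: listed twice")
        elif not exists(path):
            problems.append(f"{path}: file not found")
        paths.append(path)
    return paths, problems

if __name__ == "__main__":
    print(check_trust_store_paths(SAMPLE_CONFIG, exists=lambda p: True)[1])
```

On the SEG host, pass the contents of the real config.json and leave `exists` at its default so each listed file is checked on disk.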