Hornetsecurity has two different TLS certificates stored, which are used for encrypting the email connection. These apply both to antispameurope.com and hornetsecurity.com. Below you will find the specific information for both certificates:
TLS Certificate antispameurope.com
The TLS certificates used by Hornetsecurity for encrypting the email connection will be changed on July 16, 2026 - 3PM CET. The supported protocols and ciphers will NOT be changed.
MTAs (inbound): mx-gate<number>-<location-Tag>.antispameurope.com
MTAs (outbound): mx-relay-haj2<number>-<location-Tag>.antispameurope.com
Mail Domain: Various mail domains of our customers
Old Certificate Serial Number: 070322C101AF3301582F925694AEA979
Old Certificate Validity Not Before: Jul 15 09:55:48 2025 GMT
Old Certificate Validity Not After: Jul 19 23:59:59 2026 GMT
If you use certificate pinning, the certificate must be updated accordingly. Your environments must trust the new certificate, including the new root and intermediate certificates listed below. The configuration of your system's trust center must be adjusted by the day of the change. The configuration can be done immediately and has no impact on ongoing email exchange.
The new certificate information is as follows:
Certificate details:
Serial Number: 18171054D230DCC0F3CD9570BD74C8BC
Validity Not Before: Jun 30 05:43:19 2026 GMT
Validity Not After : Jul 13 23:59:59 2027 GMT
Organization: Hornetsecurity GmbH
SHA256 Fingerprint= 84:E5:0E:AF:F9:B5:65:A1:A4:AF:55:0B:15:EC:0B:24:BD:8E:88:D4:78:90:33:25:A8:01:85:52:E3:DD:92:7D
---
Intermediate CA: Telekom Security OV RSA CA 26A
Download Intermediate Certificate: https://www.telesec.de/assets/downloads/PKI-Repository/CA_Telekom_Security_OV_RSA_CA_26A.cer
Intermediate CA: Fingerprint (SHA1):
91:89:A9:4B:C3:B7:EA:4A:53:63:CF:4F:7C:5F:C0:9C:4B:D3:EC:B6
---
Root CA: Telekom Security TLS RSA Root 2023
Download Root Certificate: https://www.telesec.de/assets/downloads/PKI-Repository/Telekom_Security_TLS_RSA_Root_2023.cer
Root Certificate Fingerprint (SHA1):
54:D3:AC:B3:BD:57:56:F6:85:9D:CE:E5:C3:21:E2:D4:AD:83:D0:93
What do I need to do?
If you do not use certificate pinning, usually no changes are required on your side. However, if you need to share SSL/TLS certificate details with certain communication partners due to internal policies or compliance requirements, please note the certificate information above.
How can I tell if I am using certificate pinning?
Certificate pinning is a security technique that ensures your application only trusts certain SSL/TLS certificates, usually from trusted sources. This helps prevent man-in-the-middle attacks by rejecting unexpected or forged certificates, even if they appear valid.
If your email system is explicitly configured to trust only certain fingerprints of public keys or certified hashes, you are likely using certificate pinning. This is common in mobile applications, custom API clients, or environments with strict security requirements. If you are unsure whether you use certificate pinning, we recommend contacting your IT department, managed service provider (MSP), cybersecurity team, or the local admin responsible for managing the email infrastructure. Unfortunately, Hornetsecurity cannot provide this information from our side.
TLS Certificate hornetsecurity.com
The TLS certificates used by Hornetsecurity for encrypting the email connection will be changed on September 10, 2025 - 5:00 PM CEST. The supported protocols and ciphers will NOT be changed.
MTAs (inbound): mx-gate<number>-<location-Tag>.hornetsecurity.com
MTAs (outbound): mx-relay-haj2<number>-<location-Tag>.hornetsecurity.com
Mail Domain: Various mail domains of our customers
Old Certificate Serial Number: 1B4A467D9B07361003CF0F23056FC4FC
Old Certificate Validity Not Before: Sep 9 15:40:57 2024 GMT
Old Certificate Validity Not After: Sep 13 23:59:59 2025 GMT
If you use certificate pinning, the certificate must be updated accordingly. Your environments must trust the new certificate, including the new root and intermediate certificates listed below. The configuration of your system's trust center must be adjusted by the day of the change. The configuration can be done immediately and has no impact on ongoing email exchange.
The new certificate information is as follows:
Certificate details:
Serial Number: 01C0945EF55EA21142ED09BB36DAAA2F
Validity Not Before: Aug 15 05:27:23 2025 GMT
Validity Not After : Aug 19 23:59:59 2026 GMT
Organization: Hornetsecurity GmbH
SHA256 Fingerprint= D8:52:51:C0:F1:0E:A3:92:C4:09:99:5F:FF:97:6E:B6:2B:E0:C0:DE:BB:02:F8:9C:0C:B5:0C:2E:5B:C3:18:87
---
Intermediate CA: Telekom Security ServerID OV Class 2 CA
Download Intermediate Certificate: http://crt.serverid.telesec.de/crt/Telekom_Security_ServerID_OV_Class_2_CA.crt
Intermediate CA: Fingerprint (SHA1):
52:86:9C:EF:1A:21:95:C4:16:82:0C:18:3B:80:C9:95:BB:BF:BE:DC
---
Root CA: T-TeleSec GlobalRoot Class 2
Download Root Certificate: http://pki.telesec.de/rl/GlobalRoot_Class_2.crt
Root Certificate Fingerprint (SHA1):
59:0D:2D:7D:88:4F:40:2E:61:7E:A5:62:32:17:65:CF:17:D8:94:E9
What do I need to do?
If you do not use certificate pinning, usually no changes are required on your side. However, if you need to share SSL/TLS certificate details with certain communication partners due to internal policies or compliance requirements, please note the certificate information above.
How can I tell if I am using certificate pinning?
Certificate pinning is a security technique that ensures your application only trusts certain SSL/TLS certificates, usually from trusted sources. This helps prevent man-in-the-middle attacks by rejecting unexpected or forged certificates, even if they appear valid.
If your email system is explicitly configured to trust only certain fingerprints of public keys or certified hashes, you are likely using certificate pinning. This is common in mobile applications, custom API clients, or environments with strict security requirements. If you are unsure whether you use certificate pinning, we recommend contacting your IT department, managed service provider (MSP), cybersecurity team, or the local admin responsible for managing the email infrastructure. Unfortunately, Hornetsecurity cannot provide this information from our side.
Further information and any announcements will be provided via our status page:
https://live.hornet-status.com/
The status page allows you to monitor our services and their availability from a central location. If you have not done so yet, you can use the "Subscribe" button in the upper right corner to automatically receive notifications about any service interruptions, and the system will keep you updated on all changes.