ESA Wildcard CA Usage Template

The document provides instructions for uploading a DigiCert wildcard certificate authority to Cisco Email Security Appliances (ESAs) and Security Management Appliances (SMAs) in the CBE environment. It describes: 1. Creating a certificate signing request on the ESA, sending it to DigiCert for signing, and installing the signed certificate. 2. Extracting the certificate and private key from the ESA configuration file and importing them into the SMA through the command line. 3. Steps to configure TLS/SSL services on the ESA and verify the inbound connection matches the MX record, common name, and interface hostname.

Use this guideline in CBE

Uploading DigiCert wildcard CA to Cisco ESA in CBE

Functional Overview
Network/Security administrators in CBE might want to use a wildcard certificate on the ESA
appliance for any of the following reasons:
o To encrypt the SMTP conversations with other MTAs that use TLS (both inbound and outbound conversations).
o To enable the HTTPS service on the appliance for access to the GUI via HTTPS.
o For use as a client certificate for LDAP over SSL/TLS (LDAPS), if the LDAP server requires a client certificate.
o To allow secure communication between the appliance and the Rivest-Shamir-Adleman (RSA) Enterprise Manager for Data Loss Prevention (DLP).
o To allow secure communication between the appliance and a Cisco Advanced Malware Protection (AMP) Threat Grid appliance.
o Finally, a CA-signed wildcard certificate is preferable to a self-signed certificate because clients can verify it against a trusted root.
Requirements and Steps
The following process will help with SSL certificate installation/update on Cisco IronPort Email
Security Appliance (ESA).
Components
i. Cisco IronPort Email Security Appliance (ESA): Current Version used in CBE
ii. Cisco IronPort Security Management Appliance (SMA): Current Version used in CBE

1. ESA

In most cases the wildcard certificate is used for the TLS/SSL services on the ESA. The certificate file needs to be in
PKCS#12 format, be protected with a password, and contain both the certificate and the private key. If you do not have a
certificate and private key to import, you will need to create a Certificate Signing Request (CSR):

Creating a Certificate Signing Request (CSR):

o Go to Network -> Certificates -> Add Certificate
o Create a self-signed certificate
o Submit
o Commit the changes
o Click on the newly created certificate profile
o Click the “Download certificate signing request” link
o Send the CSR that was downloaded to your Certificate Authority for signing

Note: CBE has already received a Privacy Enhanced Mail (PEM) signed certificate from
DigiCert.

Installing the signed certificate

o Go to Network -> Certificates
o Click on the name of your certificate
o Click on the “Browse” button
o Select the signed certificate
o Upload Intermediate certificate (optional)
o Submit this page
o Commit the changes.

Once you have installed the signed certificate, you must reconfigure the TLS/SSL services on the
appliance to use it. The following instructions will cover all necessary configuration steps:

For Inbound TLS:
o Go to Network > Listeners
o Click on the name of your listener
o Select the certificate in the “Certificate” drop-down
o Submit this page
o Repeat the above steps for any other listeners
o Commit the changes
For Outbound TLS:
o Go to Mail Policies > Destination Controls > Edit Global Settings
o Select the certificate in the “Certificate” drop-down
o Submit this page
o Commit the changes
For LDAPS:
o Go to System Administration > LDAP > Edit Settings
o Select the certificate in the “Certificate” drop-down
o Submit this page
o Commit the changes
For HTTPS:
o Go to Network > IP Interfaces
o Click on the name of your IP Interface
o Select the certificate in the “HTTPS Certificate” drop-down
o Submit this page
o Repeat the above steps for any other applicable interfaces
o Commit the changes

2. SMA

SSL certificate installation/update on the Security Management Appliance (SMA) is a bit trickier.

There is no way to generate a certificate on the SMA, but one can be imported through the command
line. To do that, we first need to extract the certificate and private key out of the ESA
configuration generated above (the same information can be exported from a PKCS#12 file with
OpenSSL or by many other methods).

o Download a copy of the configuration file from the ESA appliance where the certificate was
generated. Make sure not to mask passwords, as masking also hides the private key. Because the
unmasked file then holds the private key in clear text, treat it as sensitive: keep it off shared
locations and delete it once the import is done.
o Open the configuration file in a text-based editor (Notepad++).
o Copy the certificate and the private key. The private key will begin with -----BEGIN RSA PRIVATE KEY----- and
end with -----END RSA PRIVATE KEY-----, and the certificate will begin with -----BEGIN CERTIFICATE-----
and end with -----END CERTIFICATE-----.
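Copying the two blocks by hand out of a large export is error-prone, so here is an added Python helper (not from the original guide or from Cisco) that pulls every PEM block out of a configuration text and flags an export in which the private key block is absent, which is what a masked export looks like. SAMPLE_CONFIG is a constructed excerpt, not a real ESA file.

```python
import re

# Constructed excerpt standing in for an unmasked ESA configuration export; it is
# not a real ESA file, and the base64 lines are placeholders.
SAMPLE_CONFIG = """\
<certificate>
  <name>cbe_wildcard</name>
  <certificate_data>
    -----BEGIN CERTIFICATE-----
    MIIBsampleCERTdataLINE1
    MIIBsampleCERTdataLINE2
    -----END CERTIFICATE-----
  </certificate_data>
  <private_key>
    -----BEGIN RSA PRIVATE KEY-----
    MIIEsampleKEYdataLINE1
    -----END RSA PRIVATE KEY-----
  </private_key>
</certificate>
"""

# One PEM block: the END label must equal the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)\r?\n[ \t]*-----END (?P=label)-----",
    re.DOTALL,
)

def extract_pem_blocks(config_text):
    """Return {label: [pem, ...]} for every PEM block found in config_text.

    Indentation is stripped from each line so the result pastes cleanly into
    certconfig; the BEGIN/END lines are kept because the SMA prompt expects them.
    """
    blocks = {}
    for m in PEM_BLOCK.finditer(config_text):
        label = m.group("label")
        body = "\n".join(line.strip() for line in m.group("body").splitlines())
        pem = f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"
        blocks.setdefault(label, []).append(pem)
    return blocks

def has_private_key(blocks):
    """False for a masked export: the certificate survives but the key block does not."""
    return any(label.endswith("PRIVATE KEY") for label in blocks)

if __name__ == "__main__":
    found = extract_pem_blocks(SAMPLE_CONFIG)
    print({label: len(pems) for label, pems in found.items()})
    print("private key present:", has_private_key(found))
```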

Importing the certificate and private key into the SMA:

o Log into the command line and issue the “certconfig” command.
o Issue the “setup” command.
o Select if you wish to use one certificate for all services. It is recommended to select “y” here.
o Copy the host certificate and paste it into the command line interface. Include -----BEGIN
CERTIFICATE-----. End the paste with a single period (.) on a line by itself.
o Copy the private key and paste it into the command line interface. Include -----BEGIN RSA PRIVATE
KEY-----. End the paste with a single period (.) on a line by itself.
o Select “y” if you would like to add any intermediate certificates.
o Copy the intermediate certificate(s) one at a time and paste them into the command line
interface. End the paste with a single period (.) on a line by itself.
o Repeat the above two steps for any additional intermediate certificates needed.
o Select “n” to let the appliance know that you have added all of the certificates.
o Press the Enter key until you exit out of configuration menu.
o Commit the changes.

SMA is now configured with a certificate.

Verification
For a verifiable inbound connection, validate that these three items match:
o MX record (Domain Name System (DNS) hostname)
o Common Name
o Interface hostname
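An added Python check for the three-way match described above; it is not part of the original guide. It takes the MX hostname, the certificate's Common Name plus any Subject Alternative Names, and the interface hostname (all constructed sample values) and applies the usual wildcard rule that `*.example.com` covers exactly one label, so it does not cover the apex or a deeper subdomain.

```python
# Added example: check that the MX record, the certificate name(s) and the
# interface hostname agree, with wildcard matching as clients apply it.

def _norm(name):
    """Lower-case and drop a trailing dot so DNS-style and bare names compare equal."""
    return name.strip().lower().rstrip(".")

def hostname_matches(pattern, hostname):
    """True if a certificate name covers hostname.

    A leading '*' stands for exactly one DNS label in the leftmost position,
    so *.example.com covers mail.example.com but not example.com or a.b.example.com.
    """
    pattern, hostname = _norm(pattern), _norm(hostname)
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost

def verify_inbound_names(mx_hostname, cert_names, interface_hostname):
    """Return a list of mismatches; an empty list means the three items agree.

    cert_names holds the certificate's Common Name and any Subject Alternative Names.
    """
    problems = []
    if _norm(mx_hostname) != _norm(interface_hostname):
        problems.append(
            f"MX record {mx_hostname} does not match interface hostname {interface_hostname}")
    if not any(hostname_matches(n, mx_hostname) for n in cert_names):
        problems.append(f"no certificate name in {list(cert_names)} covers MX record {mx_hostname}")
    return problems

if __name__ == "__main__":
    # Constructed sample values: a wildcard certificate issued for *.example.com.
    cert = ["*.example.com"]
    for mx, iface in [("mail.example.com", "mail.example.com"),
                      ("mail.example.com", "esa1.example.com"),
                      ("smtp.eu.example.com", "smtp.eu.example.com")]:
        print(mx, iface, verify_inbound_names(mx, cert, iface) or "OK")
```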
