Applying new certificates for TLS from DigiCert/Symantec

Tony Kilbarger
Level 1

I have 4 ESAs that each have their own certificate for doing TLS. We last renewed our certificates through Symantec, and they gave us the new signed certs as well as an intermediate cert, which we added as well. In the GUI it looked like:

Issued To
Common Name (CN): Symantec Class 3 Secure Server CA - G4
Organization (O): Symantec Corporation
Organizational Unit (OU): Symantec Trust Network
Serial Number: 513FB9743870B73440418D30930699FF
Issued By
Common Name (CN): VeriSign Class 3 Public Primary Certification Authority - G5
Organization (O): VeriSign, Inc.
Organizational Unit (OU): (c) 2006 VeriSign, Inc. - For authorized use only
Issued On: Oct 31 00:00:00 2013 GMT
Expires On: Oct 30 23:59:59 2023 GMT

 

Now DigiCert has taken Symantec's cert business. They sent us our new individual certs as well as the following certificates:

DigiCert Global G2.cer
DigiCert Global Root CA.cer
DigiCert Global Root G3.cer
DigiCertGlobalCAG2.cer
DigiCertGlobalCAG3.cer
DigiCertECCSecureServerCA.cer
DigiCertSHA2SecureServerCA.cer

Do I need to do anything with these? I'll admit I am not real strong on the crypto stuff.

2 Replies

Libin Varghese
Cisco Employee

Hi,

 

Depending on which certificates you would like to use (Symantec or DigiCert), you would need to install the correctly chained certificates under Network -> Certificates and then apply them on the ESA.

  • Network > Listeners > The name of the listener > Certificate
  • Mail Policies > Destination Controls > Edit Global Settings > Certificate
  • Network > IP Interface > Choose interface associated with GUI access > HTTPS Certificate
  • System Administration > LDAP > Edit Settings > Certificate

Regards,

Libin Varghese

garndt001
Level 1

Hi Tony, the DigiCert root certs should already be in place on your ESAs. In addition to your renewed cert, you should only need to add the intermediate cert, which is the last one on your list, DigiCertSHA2SecureServerCA.cer.

Once installed, you can verify if they are correct using checktls.com.

Hope this helps.

Jerry
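
Added example (not part of the thread and not Cisco or DigiCert tooling): one way, on a workstation with the OpenSSL command line, to work out which of several supplied CA files is the intermediate that actually issued a renewed certificate, as the reply above describes. The function names, file names and the constructed test certificates built by `make_demo` are assumptions for illustration, and inputs are assumed to be PEM.

```bash
#!/usr/bin/env bash
# Inputs are assumed to be PEM. Convert a DER-encoded .cer first with:
#   openssl x509 -inform DER -in file.cer -out file.pem

# find_issuer LEAF CANDIDATE...
# Prints the candidate CA file that actually issued LEAF; returns 1 if none did.
find_issuer() {
  local leaf=$1 want cand
  shift
  want=$(openssl x509 -in "$leaf" -noout -issuer_hash) || return 2
  for cand in "$@"; do
    # Cheap filter: the candidate's subject must equal the leaf's issuer name.
    [ "$(openssl x509 -in "$cand" -noout -subject_hash 2>/dev/null)" = "$want" ] || continue
    # A matching name is not proof. Check the signature with this candidate as
    # the only trust anchor (-partial_chain lets a non-root CA be the anchor).
    if openssl verify -partial_chain -no-CApath -CAfile "$cand" "$leaf" >/dev/null 2>&1; then
      printf '%s\n' "$cand"
      return 0
    fi
  done
  return 1
}

# make_demo DIR
# Builds constructed test certificates in DIR (not real DigiCert files): the
# issuing CA, a CA with the same name but a different key, and an unrelated CA.
make_demo() {
  local d=$1 n cn
  printf '[req]\ndistinguished_name=req\nx509_extensions=ca\n[ca]\nbasicConstraints=critical,CA:TRUE\n' >"$d/ca.cnf"
  for n in issuing same-name-wrong-key other; do
    cn="Constructed Issuing CA"
    if [ "$n" = other ]; then cn="Constructed Other CA"; fi
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
      -subj "/CN=$cn" -keyout "$d/$n.key" -out "$d/$n.pem" 2>/dev/null || return 1
  done
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=esa1.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -days 2 -set_serial 1 \
    -CA "$d/issuing.pem" -CAkey "$d/issuing.key" -out "$d/leaf.pem" 2>/dev/null
}
```

On real files, pass the renewed certificate first and the vendor-supplied CA files after it; the file printed is the intermediate to install alongside the certificate.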
