Certificate in clustered environment

maraz
Level 1

Hello,

From the Cisco user guide 9.7: A certificate usually uses the local machine's hostname for the certificate's common name. If your Email Security appliances are part of a cluster, you will need to import a certificate for each cluster member at the machine level, with the exception of a wildcard certificate that you can install at the cluster level. Each cluster member's certificate must use the same certificate name so the cluster can refer to it when a member's listener is communicating with another machine.

So, based on that text, if I would like to set TLS encryption to "preferred" on my boxes that are in cluster mode:

1) I assume I must request two certificates, one for each machine?

2) The CN, should it be the hostname or the external MX-record-name?

3) Based on the last sentence: Is it the filename of the certificate that has to be the same for the boxes?

Best Regards

Robert 

10 Replies

dmccabej
Cisco Employee

Hello Robert, 

You can certainly create/sign a CN certificate at the machine level on each ESA, but it takes a few more steps to install and it's a bit trickier to manage. You would need to name them the same (just the friendly profile name, not the CN field) on each, since when you apply a certificate to a service you can only select one. That way, when each ESA goes to select the certificate, it would be choosing the one specific to its box.

Ideally what you'll want to do is create a certificate request at the cluster level using one of the CN names, and then when you request signing from the CA you'll ask them to add in the SAN information for both ESA hosts. Then when you go to import that signed certificate back onto the ESA it would have the information for both ESA hosts.

The CN should be matching the MX record, which ideally should be matching your IP interface hostnames.

You can also view our TLS guide here, which provides further detailed info on certificate/TLS setup: Comprehensive TLS Setup Guide On The ESA

Let me know if you need any clarification.

Thanks!

-Dennis M.

Hello,

Could you please clarify? I do not think the guide is specific enough to explain how to make it work.

1) If the CSR is made at the cluster level, what would be the CN? Should it match one of the boxes' MX records? Does it not matter which one?

2) If I understand correctly, you just request one certificate and it is installed on both ESA boxes?

Best Regards

Hi Robert,

1. You create:

a) one certificate with a CN that matches one of the boxes' MX records (it doesn't matter which one), but you need to add a subject alternative name (SAN) for the MX record of the second box in the same CSR

b) use a wildcard certificate whose CN would match both MX records

c) two separate CSRs/certificates, one for each box

2.

a) you use one certificate for both appliances

b) you use one certificate for both appliances

c) you create two CSRs and install two different certificates - one on each appliance

Hello Dennis, how is it possible to upload machine-specific certificates in a clustered environment, like this?

1. Remove one machine from the cluster

2. Upload the specific certificate on each machine

3. Give them the same friendly name

4. Connect the machine back to the cluster

5. Edit listener to the new "friendly name"-named certificate?

The guide says: Note: Certificates can be applied at the machine level as well; however, if the machine is ever removed from the cluster and then added back, the machine-level certificates will be lost.

Thanks.

No need to remove the machine from the cluster (it is possible too, but then you may need to generate two CSRs).

I've created a CSR on an Exchange server (with the ESA MX hostnames as SANs). Once I received the signed certificate, I applied it on the Exchange server and extracted the private key. I converted it to PEM and imported it to the ESA cluster (this may need openssl):

openssl pkcs12 -in tls.pfx -out certificate.pem -nodes
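The following script is an added example, not code from the thread or from Cisco. It exercises two of the steps discussed in this thread with a local test CA standing in for the third-party CA: first, option 1a above (one CSR whose CN is the first ESA's MX name and whose SAN lists both ESA hosts), signed so that the SAN survives into the issued certificate; second, the PFX to PEM conversion from the post above, followed by splitting the PEM into the certificate and the unencrypted private key that a separate import expects, and a check that the result is valid for both MX names. The hostnames mx1.example.com and mx2.example.com, the file names and the PFX password are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): one SAN certificate for a
# two-member ESA cluster, issued by a constructed test CA, exported as PFX and
# converted back to PEM the way the post above does. Names are placeholders.
set -eu

MX1="mx1.example.com"          # CN of the CSR, first ESA's MX record (constructed)
MX2="mx2.example.com"          # second ESA's MX record, only in the SAN (constructed)
WORK="$(mktemp -d)"            # scratch directory for keys and certificates
PFX_PASS="pass:demo-only"      # placeholder export password, not a real secret

# Test CA that plays the role of the public CA in the thread.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# CSR with CN=$MX1 and a subjectAltName covering both ESA hosts (option 1a).
make_san_csr() {
    cat > "$WORK/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $MX1
[v3_req]
subjectAltName = DNS:$MX1,DNS:$MX2
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -keyout "$WORK/esa.key" -out "$WORK/esa.csr" 2>/dev/null
}

# Sign the CSR. The SAN is re-stated in an extfile because the CA, not the
# requester, decides which requested extensions end up in the certificate;
# this is the "ask the CA to add the SANs" step from the thread.
sign_csr() {
    printf 'subjectAltName = DNS:%s,DNS:%s\n' "$MX1" "$MX2" > "$WORK/ext.cnf"
    openssl x509 -req -days 1 -in "$WORK/esa.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/ext.cnf" -out "$WORK/esa.crt" 2>/dev/null
}

# Bundle cert + key as a PFX, the form exported from the Exchange server above.
make_pfx() {
    openssl pkcs12 -export -inkey "$WORK/esa.key" -in "$WORK/esa.crt" \
        -passout "$PFX_PASS" -out "$WORK/tls.pfx"
}

# The thread's conversion command, then split the PEM into the certificate and
# the unencrypted private key (separate files are easier to paste into a GUI).
pfx_to_pem() {
    openssl pkcs12 -in "$WORK/tls.pfx" -out "$WORK/certificate.pem" -nodes \
        -passin "$PFX_PASS"
    openssl x509 -in "$WORK/certificate.pem" -out "$WORK/esa-import.crt"
    openssl pkey -in "$WORK/certificate.pem" -out "$WORK/esa-import.key"
}

# Does the certificate's SAN list exactly this DNS name? (exit 0 = yes)
cert_covers_host() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -qxF "DNS:$2"
}

# Would a peer validating the chain for this hostname accept the cert? (exit 0 = yes)
chain_valid_for_host() {
    openssl verify -CAfile "$WORK/ca.crt" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

make_test_ca; make_san_csr; sign_csr; make_pfx; pfx_to_pem
openssl x509 -in "$WORK/esa-import.crt" -noout -subject
openssl x509 -in "$WORK/esa-import.crt" -noout -text | grep -A1 'Subject Alternative Name'
```

The subject line shows CN=mx1.example.com only, while the SAN line lists both hosts; `chain_valid_for_host` run against mx2.example.com succeeds and against an unlisted name fails, which is the property a single cluster-level certificate has to have for both listeners.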

Hello,

Very close, except you can exclude step 1 and step 4, as you don't need to remove/disconnect the machines from the cluster. All you need to do is set the machine-level settings to override the cluster-level settings, which can be done the following way in the GUI.

  1. Proceed to Network --> Certificates --> Change Mode --> Machine
  2. Select Override Settings --> Start with default settings or choose to copy from cluster --> Submit --> Commit

The above will need to be done for each separate ESA within the cluster so that ultimately you end up with a machine-level configuration for all of them. 

Then, when you're ready to upload the certificate, simply repeat step 1 above to switch back to machine level and work on that particular ESA.

Thanks!

-Dennis M.

Hello Dennis,

Is this still valid, as it was never marked as solved?

Ideally what you'll want to do is create a certificate request at the cluster level using one of the CN names, and then when you request signing from the CA you'll ask them to add in the SAN information for both ESA hosts. Then when you go to import that signed certificate back onto the ESA it would have the information for both ESA hosts.

Also, the CSR issued from the ESA for one of the CN names does not contain the second ESA node as a Subject Alternative Name. Shouldn't it be included in the CSR as well?

Thank you in advance

Hello,

Still valid, yes. You can request any additional SANs from the CA when submitting the CSR to them. Then, when you receive the signed certificate back from the CA, you should see those SAN attributes listed within the certificate details.

Thanks!

-Dennis M.

Libin Varghese
Cisco Employee

Hi Robert,

For appliances in a cluster you can configure different certificates on each machine but give the certificate profile the same name. For example, if your appliances have different hostnames/MX records, then you can create machine-level certificate profiles and then refer to this one name at the cluster level when you enable TLS. For example:

Machine Level:
mx1.example.com: in machine mode for mx1, import a certificate (or generate a CSR for one) with CN=mx1.example.com into a profile called “example.com”
mx2.example.com: in machine mode for mx2, import a certificate (or generate a CSR for one) with CN=mx2.example.com into a profile called “example.com”

Cluster Level:
Network > Listeners > click the name of a listener > choose the certificate profile “example.com"

To configure the certificates at the cluster level for mail flow I have included these instructions below:

For Inbound TLS:
* Go to Network > Listeners
* Click the name of a listener
* Choose the certificate name configured above
* Submit this page
* Repeat for any other applicable listeners

For Outbound TLS

* Go to Mail Policies > Destination Controls
* Click on Edit Global Settings
* Choose the certificate name configured above
* Submit this page

I have included the following article linked below for reference and further details regarding configuring TLS on the ESA.

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118844-technote-esa-00.html

This method is preferred by some organizations over wildcard certificates at the cluster level, as wildcard certificates tend to be more expensive.

Regards

Libin

So, do we need to send both CSRs to a third-party CA to get them signed, or send one of the CSRs and add both MX records as SANs when requesting the CA to sign it?