Certificates for Ironport

klose
Level 1

My certs for the SSL management page expired. I used my internal/private Microsoft CA to generate my own intranet certs and used them a few years ago.

The process was PAINFUL and seems to still be the case on the AsyncOS 7.x.

Handling PEM files is the problem. I've read all the articles from the Ironport KB about converting the files before the ironport web site moved.

Is there a clean, easy way to request a certificate on the Ironport, submit to an internal/private Microsoft CA, and load the cert onto the Ironport?

Anyone have these steps in an easy-to-follow doc?

6 Replies

Daithi1972
Level 1

We just did our digi-sign SSL certs last week, and it was a little painful.

We downloaded the OpenSSL kit and followed instructions here to generate the CSR: http://www.digi-sign.com/en/support/digi-ssl/ironport

and then installed using instructions here: http://www.digi-sign.com/en/support/digi-ssl/install-certificate/ironport

I don't think this is quite what you need, but hope it helps.

Dave.

I also recently updated the certificates on our C660s and am new to certificate management in general.  It was a little bit painful as the documentation is so fragmented.  I know there are probably 20 ways to accomplish this but rather than try to document all of them, just come up with one good way to do this and document it well.  I did use the OpenSSL utility on a WinXP box and followed your instructions and was able to get the job done fairly easily.

But as your customers we will always want more, which is what you want.

Long live the IronPort Nation,

Jason Meyer

Hi,

The new version of AsyncOS 7.1.1-012 has a lot of enhancements for certificates (generate CSR, self-signed certs, install signed certs via Web UI). Please take a look at the AsyncOS 7.1.1-012 release notes and User Guide for additional information.

Hope this helps, if you have any feedback about this feature, please let us know.

Best,

Kishore

I did look at the new cert capabilities in the new AsyncOS. It's just a graphics wrapper around the same problem.

If you're not a Linux shop, the PEM files are a pain in the @$@&$.

Self-signed are ok for security, but do not provide synergy when you're logging onto the web interface with an internal FQDN. You will get a cert warning every time.

Most certificate servers provide p7b, cer, pfx but NOT PEM.

End users should not have to build an OpenSSL box just to convert the certs, in both directions.

If I recall, I think I used my VMware Linux box to do some of these steps... but this is not acceptable and needs to improve.

I wasn't too impressed with the enhancements to be honest. A lot more could be done here.
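
The `.cer` to PEM conversion discussed in this thread, as an added example that is not part of any poster's message or of IronPort's documentation: a Microsoft CA offers `.cer` downloads as either DER or Base64, and the Base64 form is already PEM. This sketch assumes Python 3 is available, handles a single certificate only (not `p7b` or `pfx`), and uses a constructed placeholder blob rather than a real certificate.

```python
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

# Constructed sample: a DER SEQUENCE header declaring 300 content bytes,
# followed by 300 zero bytes. A placeholder, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x2c" + bytes(300)


def der_total_length(data: bytes) -> int:
    """Return the encoded size (header + body) of the outer DER SEQUENCE."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not DER: first byte is not a SEQUENCE tag (0x30)")
    first = data[1]
    if first < 0x80:
        # Short form: the length fits in the low 7 bits of this byte.
        return 2 + first
    n = first & 0x7F
    # Long form: the next n bytes hold the length, big-endian.
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("unsupported or truncated DER length field")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def cer_to_pem(data: bytes) -> str:
    """Convert the bytes of a .cer file (DER or Base64) to canonical PEM."""
    stripped = data.strip()
    if stripped.startswith(PEM_HEADER):
        # Base64 export: already PEM. Decode it so CRLF line endings and
        # line wrapping are normalised when it is re-encoded below.
        der = ssl.PEM_cert_to_DER_cert(stripped.decode("ascii"))
    else:
        der = data
    # A truncated upload or a file with trailing bytes fails here
    # instead of being pasted into the appliance.
    if der_total_length(der) != len(der):
        raise ValueError("certificate is truncated or has trailing bytes")
    return ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    print(cer_to_pem(SAMPLE_DER))
```
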

Hi David,

Some of the enhancements that were mentioned were based upon feedback from customers. We are very open to any comments or suggestions for improvements to our product.  If there are specific recommendations for enhancements or new features we encourage our customers to contact customer support so that we may open a feature request.  Once the feature request is opened the information is passed on to the product development team who will then review the request and consider it for inclusion in a future release.  This process is quite painless and only takes a few minutes. We would be happy to hear from you.

Christopher C Smith

CSE

Cisco IronPort Customer Support 
