Cisco ESA add TLS Outbound unknown CA certificate

Jess_A (Level 1)

Hi,

We're enforcing TLS on the outbound with an external party (let's call it external.com). The certificate they (external.com) use for TLS is signed by their own sub-CA, and neither it nor the Root CA is recognized by default on the ESA.

So, if we configure it to do TLS Verified, it fails.

The question is: is it possible to import their (external.com) sub-CA and Root CA certificates so our ESA can verify the TLS connection with this external party?

Thanks a lot for your help!

Best Regards,

Jesús.

Accepted Solution

Yes. In the GUI, under Network > Certificates, the "Certificate Authorities" section has an Edit Settings button.
Enable the custom list and upload the certs there. You have to convert them to PEM format, and you can just concatenate the files into one file.

From the online help:

Importing a Custom Certificate Authority List
You can create a custom list of trusted certificate authorities and import it onto the appliance. The file must be in PEM format and include certificates for the certificate authorities that you want the appliance to trust.
Procedure
Step 1: Navigate to the Network > Certificates page.
Step 2: Click Edit Settings in the Certificate Authorities section.
Step 3: Click Enable for the Custom List.
Step 4: Enter the full path to the custom list on a local or network machine.
Step 5: Submit and commit your changes.


6 Replies

Thanks for the answer. That really helped out.

In addition to that, some extra info that could help about custom and default CA lists:
https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_11_1_chapter_011000.html

If I understood it well, with this custom list, each time we add a new certificate for an external party's root/sub-CA we need to import the full list, right? That is, export the custom list, add the new ones to it, and then import it again. Am I right? Thanks!!

Yes.

Your other option, if the other side is using it, is to enable DANE.

DANE is an enhancement to the TLS verification process where they publish their cert via DNS, and you verify against what they publish.

They also have to be using DNSSEC, so that may be a big hill to climb for them.

In 12.x it's under Mail Policies > Destination Controls, just below where you set TLS to Verify. Set it to Opportunistic, and then send them some mail.

If they have it, it should show up in the tracking logs and in the report under Monitor > TLS Connections.

Thanks for your response.

If I understood it well, with this custom list, each time anyone wants to add a new certificate for an external party's root/sub-CA, the full list has to be imported again, right? That is: export the existing custom list, add the new ones to that list, and then import this list. Am I right? Thanks!!
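As an added example tying together the accepted answer and the "Yes" to the re-import question (shell using openssl; this is not code from the thread, from Cisco or from the ESA): convert the partner's certificates to PEM, concatenate root and sub-CA into the one file the custom list takes, check the chain the way TLS Verify will before uploading anything, and append a later partner's CA to the same file for re-upload. external.com, mail.external.com and all file names are assumptions, and the CAs are generated locally as constructed test data so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread or from Cisco. Builds the single
# PEM "custom list" the ESA expects and checks the partner's chain against
# it with openssl before upload. external.com, mail.external.com and the
# file names are assumptions; the CAs below are constructed test data.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Extension profiles used when minting the stand-in certificates.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mail.external.com\n' > leaf.ext

make_root() {  # $1 = CN, $2 = file prefix -> $2.key / $2.pem (self-signed CA)
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -signkey "$2.key" -days 3650 -sha256 \
    -extfile ca.ext -out "$2.pem" >/dev/null 2>&1
}

# Stand-in for the partner's private PKI: Root CA -> Sub-CA -> mail server cert.
make_partner_pki() {
  make_root "external.com Root CA" root
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=external.com Sub CA" \
    -keyout sub.key -out sub.csr >/dev/null 2>&1
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1825 -sha256 -extfile ca.ext -out sub.pem >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=mail.external.com" \
    -keyout mail.key -out mail.csr >/dev/null 2>&1
  openssl x509 -req -in mail.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
    -days 825 -sha256 -extfile leaf.ext -out mail.pem >/dev/null 2>&1
}

# Partners often hand over .cer/.crt files in DER; the ESA list must be PEM.
# Tries DER first, then falls back to re-encoding an existing PEM.
to_pem() {  # $1 = input cert, $2 = output PEM
  openssl x509 -in "$1" -inform DER -out "$2" >/dev/null 2>&1 ||
    openssl x509 -in "$1" -inform PEM -out "$2" >/dev/null 2>&1
}

sha256_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# The "custom list" is nothing more than the trusted CA certs concatenated.
build_custom_ca_list() {  # $1 = output list, $2.. = CA certs in PEM
  out="$1"; shift
  cat "$@" > "$out"
}

# A new partner CA later: the GUI takes one file, so add the cert to the
# existing list and upload the whole file again.
append_ca() { cat "$2" >> "$1"; }  # $1 = list, $2 = CA cert (PEM)

count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# What TLS Verify amounts to: can a chain be built from the server cert to a
# CA in the trusted list? Exit 0 on success, non-zero otherwise.
verify_chain() {  # $1 = trusted CA list, $2 = server cert
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}
# Same check against openssl's default trust store (the "default list" case).
verify_default() { openssl verify "$1" >/dev/null 2>&1; }

status() { if "$@"; then echo ok; else echo FAIL; fi; }

make_partner_pki
openssl x509 -in root.pem -outform DER -out root.cer   # what a DER handover looks like
to_pem root.cer root_from_der.pem
build_custom_ca_list esa_custom_ca_list.pem root_from_der.pem sub.pem

echo "default trust store     : $(status verify_default mail.pem)"                      # FAIL: unknown CA
echo "root CA only            : $(status verify_chain root.pem mail.pem)"               # FAIL: sub-CA missing
echo "root + sub-CA list      : $(status verify_chain esa_custom_ca_list.pem mail.pem)" # ok

# Second partner arrives: append, re-check, re-upload the whole list.
make_root "otherpartner.example Root CA" other
append_ca esa_custom_ca_list.pem other.pem
echo "certs in list after add : $(count_certs esa_custom_ca_list.pem)"                  # 3
echo "list file to upload     : $WORK/esa_custom_ca_list.pem"

# Against the real partner, the equivalent live check over SMTP STARTTLS is
# (needs network, so not run here):
#   openssl s_client -starttls smtp -connect mail.external.com:25 \
#     -CAfile esa_custom_ca_list.pem -verify_return_error </dev/null
```

The "root CA only" line is the case worth remembering: if the partner's server sends only its leaf certificate, a list containing just their root still fails verification, which is why both the root and the sub-CA go into the file.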