cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1972
Views
2
Helpful
6
Replies

Cisco ESA Certificate aka default_cert expired, cannot delete or renew

M. Miller
Beginner
Beginner

Dear all,

after upgrading our ESA to v14.2.2 a Cisco ESA Certificat aka default_cert was created and now has expired, and never was used. Due to its expiration, it's throwing email notifications regularly, which is annoying and leads to justification to our manager.

 

We'd like to delete it, but at post 4682087 (https://community.cisco.com/t5/email-security/delete-default-esa-certificate/td-p/4682087) "By design, ESA doesn't allow to delete the default cert and what you are currently seeing is an expected behaviour. You need to bear with it" which I can confirm. Sad but true via GUI as well as SSH this seems to be impossible (at least I wasn't able to do so)

 

(How) is it possible to renew it, (or otherwise) to avoid the mail notifications to regularly come back?

 

Thanks in advance,

Mario

 

 

1 Accepted Solution

Accepted Solutions

dmccabej
Cisco Employee
Cisco Employee

Hello,

 

I'd advise opening a Cisco TAC case. We can assist with renewing the demo certificate if it's expired and/or provide you with additional guidance on the alerts. 

 

Thanks!

-Dennis M.

View solution in original post

6 Replies 6

dmccabej
Cisco Employee
Cisco Employee

Hello,

 

I'd advise opening a Cisco TAC case. We can assist with renewing the demo certificate if it's expired and/or provide you with additional guidance on the alerts. 

 

Thanks!

-Dennis M.

Hey Dennis,
Might be time for an enh request: either allow us to delete it, allow us to renew it, or actually update it when we take an update.
Ken

Thank you for the feedback, Ken. 

I know we renewed the demo certificate during upgrades in the past, but I do not believe that is the case any longer. Ideally, the demo cert is used during initial setup, and then customers move away from it and use either their own self-signed certificate or move to a third-party signed certificate. 

I agree that it would make sense to be able to make some form of modifications and will look into filing some enhancements on this topic. 

 

Thanks!
-Dennis M.

The the thing that causes the most "what the heck?" questions around this is that if an interface has no "secured" services enabled, the default one gets assigned and then you get notifications in logs, gui, etc about it.

And if you enable a service, apply a cert, then turn off the service, it reverts to the default cert.

Thank you Ken, I totally agree with you, beeing able to do these things by ourself. This takes me (wasting) some valuable time to open a TAC case now, for an unused certificate to renew (or delete) to avoid annoying recurring mail notifications ....

Also I agree with your second post about "if an interface has no "secured" services enabled ... the default certificate gets assigend" and " if you enable a service, apply a cert, then turn off the service, it reverts to the default cert." - which lead me to keep an unnecessary service running on any interface which we "could" avoid (especially for security reasons") ...

 

Thank you Dennis for your fast reply,

then I'll go opening  Cisco TAC case, though I'm not happy with not being able to to that by myself ...

Kind regards,

M.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: