3199 Views, 2 Helpful, 6 Replies

Cisco ESA Certificate aka default_cert expired, cannot delete or renew

M. Miller
Level 1

Dear all,

after upgrading our ESA to v14.2.2, a Cisco ESA Certificate aka default_cert was created. It has now expired and was never used. Due to its expiration, it's throwing email notifications regularly, which is annoying and leads to us having to justify it to our manager.

We'd like to delete it, but post 4682087 (https://community.cisco.com/t5/email-security/delete-default-esa-certificate/td-p/4682087) says "By design, ESA doesn't allow to delete the default cert and what you are currently seeing is an expected behaviour. You need to bear with it", which I can confirm. Sad but true: via GUI as well as SSH this seems to be impossible (at least I wasn't able to do so).

(How) is it possible to renew it, or otherwise avoid the mail notifications regularly coming back?

Thanks in advance,

Mario

Accepted Solution

dmccabej
Cisco Employee

Hello,

I'd advise opening a Cisco TAC case. We can assist with renewing the demo certificate if it's expired and/or provide you with additional guidance on the alerts. 

Thanks!

-Dennis M.

6 Replies

Hey Dennis,
Might be time for an enh request: either allow us to delete it, allow us to renew it, or actually update it when we take an update.
Ken

Thank you for the feedback, Ken. 

I know we renewed the demo certificate during upgrades in the past, but I do not believe that is the case any longer. Ideally, the demo cert is used during initial setup, and then customers move away from it and use either their own self-signed certificate or move to a third-party signed certificate. 

I agree that it would make sense to be able to make some form of modifications and will look into filing some enhancements on this topic. 

Thanks!
-Dennis M.

The thing that causes the most "what the heck?" questions around this is that if an interface has no "secured" services enabled, the default one gets assigned and then you get notifications in logs, GUI, etc. about it.

And if you enable a service, apply a cert, then turn off the service, it reverts to the default cert.
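
Ken's point above is that any listener without an explicitly assigned certificate falls back to the default one, so the expired default_cert can be sitting on interfaces nobody looks at. The following is an added example, not Cisco code and not from this thread, that polls a set of TLS listeners, grabs the leaf certificate without validating it (the default cert is self-signed and expired, so validation would fail anyway), and reports the subject CN and expiry using a minimal X.509 DER walker so no third-party library is needed. The hostname esa.example.com, the ports, and the sample certificate built by build_sample_cert (an unsigned skeleton with a made-up CN, used only for offline testing) are assumptions.

```python
"""Report which TLS listeners still present an expired (default) certificate.

Added example, not Cisco's code. Host/port values are assumptions; the
sample certificate is a constructed, unsigned DER skeleton for offline use.
"""
import smtplib
import socket
import ssl
from datetime import datetime, timezone

CN_OID = b"\x55\x04\x03"  # id-at-commonName, OID 2.5.4.3


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, raw):
    """Decode UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)."""
    s = raw.decode("ascii")
    if tag == 0x17:
        year = int(s[:2])
        year += 2000 if year < 50 else 1900   # RFC 5280 two-digit year rule
        s = "%04d%s" % (year, s[2:])
    return datetime(int(s[:4]), int(s[4:6]), int(s[6:8]), int(s[8:10]),
                    int(s[10:12]), int(s[12:14]), tzinfo=timezone.utc)


def _common_name(name):
    """Walk a Name (SEQUENCE OF SET OF AttributeTypeAndValue) and pull the CN."""
    pos = 0
    while pos < len(name):
        _, rdn, pos = _read_tlv(name, pos)      # RelativeDistinguishedName (SET)
        _, atv, _ = _read_tlv(rdn, 0)           # first AttributeTypeAndValue
        _, oid, p = _read_tlv(atv, 0)
        if oid == CN_OID:
            _, value, _ = _read_tlv(atv, p)
            return value.decode("utf-8", "replace")
    return None


def inspect_cert(der, now=None):
    """Return subject CN, validity window and expiry state of a DER certificate."""
    now = now or datetime.now(timezone.utc)
    _, cert, _ = _read_tlv(der, 0)              # Certificate
    _, tbs, _ = _read_tlv(cert, 0)              # tbsCertificate
    tag, _, pos = _read_tlv(tbs, 0)             # [0] version (optional) or serial
    if tag == 0xA0:
        _, _, pos = _read_tlv(tbs, pos)         # serialNumber
    _, _, pos = _read_tlv(tbs, pos)             # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)             # issuer
    _, validity, pos = _read_tlv(tbs, pos)      # validity
    _, subject, _ = _read_tlv(tbs, pos)         # subject
    t1, nb, p = _read_tlv(validity, 0)
    t2, na, _ = _read_tlv(validity, p)
    not_before, not_after = _parse_time(t1, nb), _parse_time(t2, na)
    return {"cn": _common_name(subject), "not_before": not_before,
            "not_after": not_after, "expired": now > not_after,
            "days_left": (not_after - now).days}


def _insecure_ctx():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE              # inspect only, never trust
    return ctx


def fetch_der(host, port, starttls=False, timeout=5):
    """Grab the leaf cert from an HTTPS listener or an SMTP STARTTLS listener."""
    ctx = _insecure_ctx()
    if starttls:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert(binary_form=True)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def _tlv(tag, body):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_cert(cn, not_before, not_after):
    """Constructed, unsigned certificate skeleton (not a real cert, no key)."""
    def name():
        atv = _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x0C, cn.encode()))
        return _tlv(0x30, _tlv(0x31, atv))
    def utc(dt):
        return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + name()
               + _tlv(0x30, utc(not_before) + utc(not_after)) + name() + _tlv(0x30, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))


# Constructed sample: a demo-style cert that expired at the start of 2023.
SAMPLE_EXPIRED = build_sample_cert("ESA Demo Certificate (constructed)",
                                   datetime(2022, 1, 1, tzinfo=timezone.utc),
                                   datetime(2023, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    # Assumed listeners: management HTTPS and an SMTP listener with STARTTLS.
    LISTENERS = [("esa.example.com", 443, False), ("esa.example.com", 25, True)]
    for host, port, stls in LISTENERS:
        try:
            info = inspect_cert(fetch_der(host, port, stls))
        except (OSError, smtplib.SMTPException) as exc:
            print(f"{host}:{port}  unreachable ({exc})")
            continue
        state = "EXPIRED" if info["expired"] else f"{info['days_left']} days left"
        print(f"{host}:{port}  CN={info['cn']}  notAfter={info['not_after']:%Y-%m-%d}  {state}")
```

Run it against every interface IP of the appliance, not just the management one: a listener that reports the demo-style CN with EXPIRED is one that has fallen back to the default certificate, which is exactly the case Ken describes (a service switched off after a cert was assigned, or an interface with no secured service at all).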

Thank you Ken, I totally agree with you about being able to do these things ourselves. This makes me waste some valuable time opening a TAC case now, for an unused certificate to renew (or delete), to avoid annoying recurring mail notifications ....

Also I agree with your second post about "if an interface has no "secured" services enabled ... the default certificate gets assigned" and "if you enable a service, apply a cert, then turn off the service, it reverts to the default cert." - which leads me to keep an unnecessary service running on an interface which we "could" avoid (especially for security reasons) ...

Thank you Dennis for your fast reply,

then I'll go and open a Cisco TAC case, though I'm not happy with not being able to do that by myself ...

Kind regards,

M.