Cisco ESA SAN Certificate

fabc1 (Level 1)

Hi guys, I have a few questions on Cisco ESA regarding SAN certificates.

In our client's environment, they have 2 appliances using multiple domains in cluster mode, so they would like to determine the appliance certificates for incoming and outgoing. They asked whether they need to purchase SAN certificates, and with what certificate names?

 

If I refer to https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_11_1_chapter_011000.html, yes, they are required to get a SAN cert for their appliance, but with what certificate names?

 

Appreciate your help. Thanks!

Accepted Solution

Oh. and as far as multiple domains goes.... 

Let's say you run mail for "companyA.com" and "businessB.com"

and the IT systems live in "companyA.com"

 

The SAN cert only has to match the A records and the name on the interface for where the ESA runs. 

 

in DNS, for BusinessB.com, you just need an MX record 

      businessb.com MX   mail1.companyA.com   10

      businessb.com MX   mail2.companyA.com   10

 

And then in DNS for CompanyA.com 

      mail1.companyA.com  A 10.10.10.15

      mail2.companyA.com  A 10.10.10.16

      companyA.com MX   mail1.companyA.com   10

      companyA.com MX   mail2.companyA.com   10

 


8 Replies

The names on the SAN cert need to match the DNS A record that points at the external IP. Also, that interface on the ESA should be configured with that name as well...


Thanks for making this clearer! I am still unfamiliar with the ESA environment. Do SAN certificates have different types?

No.

SAN certs are also called “Unified Communications” or UC certs.  Instead of one “name” they can have many names… 

For example

     smtp1.company.com

     smtp2.company.com

     www.company.com  

     mail.company.com

 

etc....

 

Beyond that they’re not really any different than a typical single name certificate.

fabc1 (Level 1)

For incoming ESA appliance 1:

      Name      IP Address        Hostname               Interface
      Data 1    10.0.191.xx/24    mail4.example.com.my   facing internet
      Data 2    10.0.192.xx/24    mail1.example.com.my   -

For outgoing ESA appliance 2:

      Name      IP Address        Hostname               Interface
      Data 1    10.0.191.yy/24    mail2.example.com.my   facing internet
      Data 2    10.0.192.yy/24    mail3.example.com.my   -

Based on the environment above, with multiple domains, do we need to allow all interfaces to use SAN cert?

So, in your example, it's not clear to me which interfaces are public... but since you're only talking about 4, I would get a cert with all 4 names on it and use it for both "public" and "private" interfaces, just to make your life simple...

 

The last time I bought a SAN cert, the base cert gave you 5 names... and the prices went up as you added more.... 

Their environment is a bit different in its setup. There are 2 appliances; they use them separately, one for incoming email and one for outgoing email. Hostname mail4.example.com.my on the incoming email appliance is facing the internet, and for the outgoing email appliance they use mail2.example.com.my facing the internet. They also have 10 domains.

 

They are planning to purchase a CA-signed cert via CSR generation, but in order to get to that part, they need to generate a self-signed cert.

 

They would like to generate a self-signed cert on the ESA but don't know what to put in the Common Name field, since they have 2 appliances, 10 domains, and different setups on the appliances.

Today they are set up with one ESA inbound, one outbound...

Later, when one of those boxes dies because of a hardware issue, they'll want in and out on the other box... so plan for that.



No matter how many domains, you only need the certificate to be valid for the names that are A records/interface names.



The cert generation on the ESA won't do SAN certs. Just do Mail1...

Then when you generate the CSR, upload it to the CA, you'll add the other names as part of buying the cert.
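The rule the replies keep coming back to (the cert must carry the A-record/interface host names, never the mail domains, however many domains route to the box) can be turned into a quick check before the cert is ordered. The script below is an added example for this thread, not Cisco code and not the poster's configuration: the zone data is constructed from the names in the accepted answer (companyA.com and businessB.com both MX-ing to mail1/mail2.companyA.com, plus a made-up third domain to show that extra domains add no names), the interface host names are assumed to equal the A-record names as the reply requires, and the name comparison uses the RFC 6125 host-name rule (case-insensitive exact match, or a wildcard that matches exactly one leftmost label). This matters for SMTP because a sender that verifies TLS, for instance under MTA-STS or DANE, checks the cert against the MX host name it connected to.

```python
"""Which host names must the ESA's SAN certificate cover?

Added example for this thread; not Cisco's code and not the original
poster's configuration.  Zone data below is constructed from the names used
in the accepted answer.
"""
from __future__ import annotations

# Constructed data: three mail domains (the thread has ten) whose MX records
# all point at the two hosts in companyA.com where the ESAs actually run.
MAIL_DOMAINS = ["companyA.com", "businessB.com", "shopC.com"]
ESA_HOSTS = ["mail1.companyA.com", "mail2.companyA.com"]
MX_RECORDS = {domain: ESA_HOSTS for domain in MAIL_DOMAINS}
# Host name configured on each ESA Data interface; assumed to equal the
# A-record names, as the replies require.
INTERFACE_HOSTS = ["mail1.companyA.com", "mail2.companyA.com"]


def normalize(name: str) -> str:
    """DNS names compare case-insensitively; drop any trailing dot."""
    return name.rstrip(".").lower()


def required_names(mx_records: dict[str, list[str]], interface_hosts: list[str]) -> set[str]:
    """Names the cert has to carry: every MX target (what a sending MTA
    connects to and may verify) plus each interface host name.  The mail
    domains themselves never appear, no matter how many there are."""
    needed = {normalize(h) for h in interface_hosts}
    for targets in mx_records.values():
        needed.update(normalize(t) for t in targets)
    return needed


def san_matches(san: str, host: str) -> bool:
    """RFC 6125 style: exact match, or '*.example.com' matching exactly one
    label, so it covers mail1.example.com but not example.com or a.b.example.com."""
    san, host = normalize(san), normalize(host)
    if san == host:
        return True
    if san.startswith("*.") and host.count(".") == san.count("."):
        return host.endswith(san[1:])  # san[1:] is ".example.com"
    return False


def check_coverage(sans: list[str], needed: set[str]) -> tuple[set[str], set[str]]:
    """Return (missing, unused): required names that no SAN entry matches,
    and SAN entries that match nothing required (paid for, but pointless)."""
    missing = {h for h in needed if not any(san_matches(s, h) for s in sans)}
    unused = {normalize(s) for s in sans if not any(san_matches(s, h) for h in needed)}
    return missing, unused


def demo() -> dict[str, object]:
    """Compare a cert ordered with the mail-domain names against one ordered
    with the host names the replies recommend."""
    needed = required_names(MX_RECORDS, INTERFACE_HOSTS)
    wrong = ["companyA.com", "businessB.com"]          # domain apexes: covers nothing
    right = ["mail1.companyA.com", "mail2.companyA.com"]  # one SAN per MX/interface host
    return {
        "needed": needed,
        "wrong": check_coverage(wrong, needed),
        "right": check_coverage(right, needed),
        "wildcard": check_coverage(["*.companyA.com"], needed),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Run as-is it shows that three (or ten) domains still need only the two host names, that a cert carrying just the domain apexes leaves both required names missing while its own entries go unused, and that either the two explicit names or a single `*.companyA.com` wildcard covers them. Fed the four example.com.my host names from the question, `required_names` returns exactly those four, which is the four-name cert suggested earlier in the thread. `check_coverage` takes the SAN list as plain strings; pull it from the issued certificate with your usual tooling before trusting the result.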



