02-03-2021 05:18 AM
Hi guys, I have a few questions on Cisco ESA regarding SAN certificate.
In our client's environment, they have 2 appliances using multiple domains in cluster mode, so they would like to determine the appliance certificates for incoming and outgoing. They asked whether they need to purchase SAN certificates, and with what certificate names?
If I refer to https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_11_1_chapter_011000.html, yes, they are required to get a SAN cert for their appliance, but with what certificate names?
Appreciate your help. Thanks!
02-03-2021 07:33 PM
Oh. and as far as multiple domains goes....
Let's say you run mail for "companyA.com", "businessB.com"
and the IT systems live in "companyA.com"
The SAN cert only has to match the A records and the name on the interface for where the ESA runs.
In DNS, for BusinessB.com, you just need an MX record
businessb.com MX mail1.companyA.com 10
businessb.com MX mail2.companyA.com 10
And then in DNS for CompanyA.com
mail1.companyA.com A 10.10.10.15
mail2.companyA.com A 10.10.10.16
companyA.com MX mail1.companyA.com 10
companyA.com MX mail2.companyA.com 10
02-03-2021 05:41 PM
Thanks for making this clearer! I am still unfamiliar with the ESA environment. Do SAN certificates have different types?
02-03-2021 07:22 PM
No.
SAN certs are also called “Unified Communications” or UC certs. Instead of one “name” they can have many names…
For example
smtp1.company.com
smtp2.company.com
mail.company.com
etc....
Beyond that they’re not really any different than a typical single name certificate.
02-03-2021 07:07 PM
For incoming ESA appliance 1:
Name: Data 1 / Data 2
IP Address: 10.0.191.xx/24 / 10.0.192.xx/24
Hostname: mail4.example.com.my / mail1.example.com.my
Interface: facing internet

For outgoing ESA appliance 2:
Name: Data 1 / Data 2
IP Address: 10.0.191.yy/24 / 10.0.192.yy/24
Hostname: mail2.example.com.my / mail3.example.com.my
Interface: facing internet

Based on the environment above, with multiple domains, do we need to allow all interfaces to use the SAN cert?
02-03-2021 07:26 PM
So, in your example, it's not clear to me which interfaces are public... but since you're only talking about 4, I would get a cert with all 4 names on it, and use it for both "public" and "private" interfaces, just to make your life simple...
The last time I bought a SAN cert, the base cert gave you 5 names... and the prices went up as you added more....
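The two answers above make one point in two ways: the certificate has to carry the hostnames that the ESA interfaces actually present (the A records / interface names), while every other hosted domain simply points its MX at those hosts and needs no name of its own on the cert. The script below is an added example, not code from the thread or from Cisco; it models that rule with constructed zone data copied from the companyA.com / businessB.com example, derives the list of names a SAN cert must cover, and checks a proposed SAN list against it (including single-label wildcard entries, which the thread does not discuss). Function names and the zone dictionary are my own.

```python
"""Work out which DNS names an ESA SAN certificate has to cover.

Constructed zone data mirroring the accepted answer: businessB.com has no
mail hosts of its own, its MX records point at the companyA.com hosts that
the ESA interfaces are named after.
"""

ZONES = {
    "companyA.com": {
        "MX": ["mail1.companyA.com", "mail2.companyA.com"],
        "A": {"mail1.companyA.com": "10.10.10.15",
              "mail2.companyA.com": "10.10.10.16"},
    },
    "businessB.com": {
        "MX": ["mail1.companyA.com", "mail2.companyA.com"],
        "A": {},  # no mail hosts live in this zone
    },
}

# Hostnames configured on the ESA listener interfaces (constructed; the
# same two names the A records above resolve).
INTERFACE_HOSTNAMES = ["mail1.companyA.com", "mail2.companyA.com"]


def required_san_names(zones, interface_hostnames):
    """Every name a peer may verify when talking TLS to the ESA:
    each MX target of each hosted domain, plus each interface hostname
    (the name the ESA itself is configured with).  DNS names compare
    case-insensitively, so everything is lower-cased and de-duplicated."""
    names = {h.lower() for h in interface_hostnames}
    for zone in zones.values():
        names.update(target.lower() for target in zone["MX"])
    return sorted(names)


def san_matches(san_entry, hostname):
    """RFC 6125-style match: exact, or a single leading wildcard label that
    matches exactly one label.  '*.companyA.com' matches mail1.companyA.com
    but neither companyA.com nor a.b.companyA.com."""
    san_entry, hostname = san_entry.lower(), hostname.lower()
    if san_entry == hostname:
        return True
    if san_entry.startswith("*."):
        suffix = san_entry[1:]  # ".companya.com"
        if hostname.endswith(suffix):
            prefix = hostname[: -len(suffix)]
            return bool(prefix) and "." not in prefix
    return False


def uncovered_names(san_entries, required_names):
    """Required names that none of the certificate's SAN entries cover."""
    return [n for n in required_names
            if not any(san_matches(s, n) for s in san_entries)]


if __name__ == "__main__":
    required = required_san_names(ZONES, INTERFACE_HOSTNAMES)
    print("names the SAN cert must cover:", required)
    # The extra hosted domain adds nothing: businessB.com's MX already
    # points at the companyA.com hosts, so only the host names matter.
    print("missing with a single-name cert:",
          uncovered_names(["mail1.companyA.com"], required))
    print("missing with the two-name SAN cert:",
          uncovered_names(["mail1.companyA.com", "mail2.companyA.com"], required))
```

For the questioner's own setup, replacing ZONES and INTERFACE_HOSTNAMES with the ten hosted domains and the four example.com.my interface names yields exactly those four names, which is why the reply above suggests one cert carrying all four.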
02-04-2021 11:57 PM
Their environment is a bit different in its setup. There are 2 appliances; they use them separately, one for incoming email and one for outgoing email. Hostname mail4.example.com.my on the Incoming Email Appliance is facing the internet, and on the Outgoing Email Appliance they use mail2.example.com.my facing the internet. Also, they have 10 domains.
They are planning to purchase from a CA via CSR generation, but in order to get to that part, they need to generate a self-signed cert.
They would like to generate a self-signed cert in ESA but don't know what to put in the Common Name field, since they have 2 appliances, 10 domains, and a different setup on each appliance.