Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5030
Views
1
Helpful
5
Replies

CISCO SMA: Certificate Installation

Go to solution
a.zahid
Level 1
Level 1

‎08-02-2019 01:17 AM

Hi,

 

We need to install cert for cisco SMA as shown below.

I’ve read at https://www.cisco.com/c/en/us/support/docs/security/content-security-management-appliance/118460-technote-sma-00.html on how to install the cert via CLI.

However, I have a few concern before proceeding with the task:

 

  1. Will this have any impact on email traffic?
  2. Noted that there’s an option for Inbound TLS, Outbound TLS, HTTPS, LDAPS. We are currently looking into HTTPS only, but it seems I need to install a cert for all four. Any way we can only install on HTTPS?
  3. Can we use the wildcard cert, example, *.car.com.my?

Thank you.

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
dmccabej
Cisco Employee
Cisco Employee

‎08-02-2019 08:02 AM

Hello,

 

  1. No, it should not impact any email traffic. 
  2. Yes, you can. You would need to choose the [N] option under certconfig --> setup. Then, you can choose separate certificates for each service. To utilize the current default demo certificate, simply grab the public/private keys from certconfig --> print. 
  3. Assuming the wildcard covers the proper FQDN you're using, yes. 

 

Thanks!

-Dennis M.

View solution in original post

Go to solution
Mathew Huynh
Cisco Employee
Cisco Employee
In response to a.zahid

‎08-05-2019 03:38 PM

Hey a.zahid,

I assume you're using an SMA prior to version 11.5 which is why the commands are not visible.
What you can do to obtain your certificate in the older version is using "showconfig" then extracting the certificate in PEM format to a wordpad then you can load the cert in that way.

(alternatively you can save the configuration with unmasked passwords and also extract the certificate through that means.)

Thanks,
Mathew

View solution in original post

0 Helpful
5 Replies 5

Go to solution
dmccabej
Cisco Employee
Cisco Employee

‎08-02-2019 08:02 AM

Hello,

 

  1. No, it should not impact any email traffic. 
  2. Yes, you can. You would need to choose the [N] option under certconfig --> setup. Then, you can choose separate certificates for each service. To utilize the current default demo certificate, simply grab the public/private keys from certconfig --> print. 
  3. Assuming the wildcard covers the proper FQDN you're using, yes. 

 

Thanks!

-Dennis M.

Go to solution
a.zahid
Level 1
Level 1
In response to dmccabej

‎08-04-2019 11:40 PM

Hi Dennis,

 

Thanks for your reply. For no.2, If I want to use current demo certificate for inbound tls, outbound tls and ldaps, what is the steps that I should do? I do not see option in ssh to simply grab the public/private keys from certconfig --> print. Only have certconfig --> setup, which will then request certificate for each inbound tls, outbound tls, https and ldaps.

 

Thanks.

0 Helpful

Go to solution
Mathew Huynh
Cisco Employee
Cisco Employee
In response to a.zahid

‎08-05-2019 03:38 PM

Hey a.zahid,

I assume you're using an SMA prior to version 11.5 which is why the commands are not visible.
What you can do to obtain your certificate in the older version is using "showconfig" then extracting the certificate in PEM format to a wordpad then you can load the cert in that way.

(alternatively you can save the configuration with unmasked passwords and also extract the certificate through that means.)

Thanks,
Mathew
0 Helpful

Go to solution
a.zahid
Level 1
Level 1
In response to Mathew Huynh

‎08-14-2019 08:38 PM

Hi Mathew,

 

Thanks for clearing that up. It works. I managed to copy and paste back the default certificate.

 

Thanks for your help.

0 Helpful

Go to solution
dmccabej
Cisco Employee
Cisco Employee
In response to a.zahid

‎08-15-2019 07:56 AM

Glad we were able to help and you got everything sorted! :)

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents