Solved: Re: CISCO SMA: Certificate Installation

a.zahid · ‎08-02-2019

Hi,

We need to install cert for cisco SMA as shown below.

I’ve read at https://www.cisco.com/c/en/us/support/docs/security/content-security-management-appliance/118460-technote-sma-00.html on how to install the cert via CLI.

However, I have a few concern before proceeding with the task:

Will this have any impact on email traffic?
Noted that there’s an option for Inbound TLS, Outbound TLS, HTTPS, LDAPS. We are currently looking into HTTPS only, but it seems I need to install a cert for all four. Any way we can only install on HTTPS?
Can we use the wildcard cert, example, *.car.com.my?

Thank you.

dmccabej · ‎08-02-2019

Hello,

No, it should not impact any email traffic.
Yes, you can. You would need to choose the [N] option under certconfig --> setup. Then, you can choose separate certificates for each service. To utilize the current default demo certificate, simply grab the public/private keys from certconfig --> print.
Assuming the wildcard covers the proper FQDN you're using, yes.

Thanks!

-Dennis M.

View solution in original post

Mathew Huynh · ‎08-05-2019

Hey a.zahid,

I assume you're using an SMA prior to version 11.5 which is why the commands are not visible.
What you can do to obtain your certificate in the older version is using "showconfig" then extracting the certificate in PEM format to a wordpad then you can load the cert in that way.

(alternatively you can save the configuration with unmasked passwords and also extract the certificate through that means.)

Thanks,
Mathew

View solution in original post

dmccabej · ‎08-02-2019

Hello,

No, it should not impact any email traffic.
Yes, you can. You would need to choose the [N] option under certconfig --> setup. Then, you can choose separate certificates for each service. To utilize the current default demo certificate, simply grab the public/private keys from certconfig --> print.
Assuming the wildcard covers the proper FQDN you're using, yes.

Thanks!

-Dennis M.

a.zahid · ‎08-04-2019

Hi Dennis,

Thanks for your reply. For no.2, If I want to use current demo certificate for inbound tls, outbound tls and ldaps, what is the steps that I should do? I do not see option in ssh to simply grab the public/private keys from certconfig --> print. Only have certconfig --> setup, which will then request certificate for each inbound tls, outbound tls, https and ldaps.

Thanks.

Mathew Huynh · ‎08-05-2019

Hey a.zahid,

I assume you're using an SMA prior to version 11.5 which is why the commands are not visible.
What you can do to obtain your certificate in the older version is using "showconfig" then extracting the certificate in PEM format to a wordpad then you can load the cert in that way.

(alternatively you can save the configuration with unmasked passwords and also extract the certificate through that means.)

Thanks,
Mathew

a.zahid · ‎08-14-2019

Hi Mathew,

Thanks for clearing that up. It works. I managed to copy and paste back the default certificate.

Thanks for your help.

dmccabej · ‎08-15-2019

Glad we were able to help and you got everything sorted! :)