06-20-2023 04:12 AM
The Custom Trusted Root Certificate list is filled by default with CAs, and on top of that with duplicates that also exist in the Cisco Trusted Root Certificate List.
Q1: Why is this custom (Static!) CA list filled anyway? I would expect that all trusted CAs are added and managed by Cisco in their list (Dynamic).
Q2: Can I remove all custom CAs, or are some CAs crucial in today's email traffic? And if so, why are they not part of the Cisco CA list?
An example of the current custom CAs can be found here: https://www.cisco.com/c/en/us/support/docs/security/secure-email-gateway/217221-esa-understanding-custom-ca-list-certifi.html
06-21-2023 05:44 PM
06-22-2023 05:54 AM
Since the Custom Certificate Authority list is not managed by Cisco, I will remove all CAs not needed. I don't want any possibly compromised Certificate Authority in this list.
07-06-2023 08:08 AM
How am I supposed to remove duplicates? There are over 2200 lines, and after spending 2 hours I'm only at like 5%.
07-12-2023 04:33 PM
Do you know which ones you need?
In the CLI, you can export the list, which saves it to the /configuration directory. You can then grab the file via FTP, edit it, and reupload it via the gui, or put it in the Configuration directory and import it.
The issue is that they aren't labeled... so if you know which custom ones you need, like your internal CA certs, it might make sense to just build a fresh file with just the few you need and import that, instead of deleting all of the ones you don't need.
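The export, edit and re-import workflow described in the reply above lends itself to a small script rather than hand-editing 2200 lines. The following is an added example, not Cisco tooling and not code from anyone in this thread. It assumes the exported custom CA list is a plain PEM bundle (one or more `-----BEGIN CERTIFICATE-----` blocks), drops duplicate certificates by the SHA-256 fingerprint of their DER body, and can optionally keep only an allowlist of fingerprints (for example, those of your internal CAs). The sample bundle and its certificate bodies are constructed placeholders, not real certificates; the hashing and de-duplication logic does not depend on the body being a valid X.509 structure.

```python
"""Deduplicate and filter a PEM certificate bundle by SHA-256 fingerprint.

Added example; not Cisco's tooling. Assumes the exported custom CA list is
a plain PEM bundle. Fingerprints are the SHA-256 of the DER bytes, i.e. what
`openssl x509 -noout -fingerprint -sha256` prints (minus colons/case).
"""
import base64
import hashlib
import re

# Matches each PEM certificate block and captures its base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def fingerprint(der: bytes) -> str:
    """Lower-case hex SHA-256 of the DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def parse_bundle(text: str):
    """Yield (fingerprint, der_bytes) for every PEM block, in file order."""
    for match in PEM_BLOCK.finditer(text):
        b64 = "".join(match.group(1).split())  # strip line breaks/whitespace
        der = base64.b64decode(b64, validate=True)
        yield fingerprint(der), der


def to_pem(der: bytes) -> str:
    """Re-encode DER bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i : i + 64] for i in range(0, len(b64), 64)]
    return (
        "-----BEGIN CERTIFICATE-----\n"
        + "\n".join(lines)
        + "\n-----END CERTIFICATE-----\n"
    )


def dedupe_bundle(text: str, keep=None):
    """Return (cleaned_pem, stats).

    Duplicates (same fingerprint) are dropped after the first occurrence.
    If `keep` (a set of hex fingerprints) is given, only those certificates
    are written out; everything else is counted as filtered.
    """
    seen = set()
    kept = []
    duplicates = filtered = 0
    for fp, der in parse_bundle(text):
        if fp in seen:
            duplicates += 1
            continue
        seen.add(fp)
        if keep is not None and fp not in keep:
            filtered += 1
            continue
        kept.append(der)
    cleaned = "".join(to_pem(der) for der in kept)
    return cleaned, {"kept": len(kept), "duplicates": duplicates, "filtered": filtered}


# Constructed sample bundle: placeholder bodies standing in for real DER
# certificates. Block A appears twice to exercise the duplicate check.
SAMPLE_BUNDLE = "".join(
    to_pem(body)
    for body in (b"constructed-A", b"constructed-B", b"constructed-A", b"constructed-C")
)


if __name__ == "__main__":
    # Usage on a real export: read the file exported from the CLI, write the
    # cleaned result, and import that file back into the appliance.
    cleaned, stats = dedupe_bundle(SAMPLE_BUNDLE)
    print(stats)
    for fp, _ in parse_bundle(cleaned):
        print(fp)
```

Run it against the exported file first with no allowlist to see how many entries are pure duplicates; then build `keep` from the fingerprints of the CAs you actually rely on and run it again, which produces exactly the "fresh file with just the few you need" suggested above.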
07-12-2023 10:48 PM
That's what I've done. Create a txt file with the CAs I need.