Custom Trusted Root Certificates - Duplicates with Cisco list
06-20-2023 04:12 AM
The Custom Trusted Root Certificate list is filled with CAs by default, and on top of that also with duplicates that also exist in the Cisco Trusted Root Certificate List.
Q1: Why is this custom (Static!) CA list filled anyway? I would expect that all trusted CAs are added and managed by Cisco in their list (Dynamic).
Q2: Can I remove all custom CAs, or are some CAs crucial in today's email traffic? And if so, why are they not a part of the Cisco CA list?
An example of the current custom CAs can be found here: https://www.cisco.com/c/en/us/support/docs/security/secure-email-gateway/217221-esa-understanding-custom-ca-list-certifi.html
Labels: Email Security
06-21-2023 05:44 PM
You can remove them if they're duplicates. (I did, and it didn't cause issues.)
06-22-2023 05:54 AM
Since the Custom Certificate Authority list is not managed by Cisco, I will remove all CAs not needed. I don't want any possibly compromised Certificate Authority in this list.
07-06-2023 08:08 AM
How am I supposed to remove duplicates? There are over 2200 lines and after spending 2 hours I'm only at like 5%.
07-12-2023 04:33 PM
Do you know which ones you need?
In the CLI, you can export the list, which saves it to the /configuration directory. You can then grab the file via FTP, edit it, and reupload it via the GUI, or put it in the Configuration directory and import it.
The issue is that they aren't labeled... so if you know which custom ones you need, like your internal CA certs, it might make sense to just build a fresh file with just the few you need, and import that, instead of deleting all of the ones you don't need.
07-12-2023 10:48 PM
That's what I've done. Create a txt file with the CAs I need.
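
One way to do the duplicate check from this thread offline instead of by hand, as an added example that is not part of any post above and is not Cisco code. It assumes the exported custom list and a copy of the Cisco-managed list are both files of concatenated PEM certificates (an assumption about the export format); the function names and sample data are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def wrap_pem(b64, width=64):
    """Render a base64 string as a PEM certificate block."""
    body = "\n".join(b64[i:i + width] for i in range(0, len(b64), width))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def pem_blocks(text):
    """Yield (SHA-256 of the decoded DER bytes, normalized PEM) per block."""
    for match in PEM_RE.finditer(text):
        b64 = "".join(match.group(1).split())  # ignore line wrapping
        der = base64.b64decode(b64, validate=True)
        yield hashlib.sha256(der).hexdigest(), wrap_pem(b64)

def prune_custom_list(custom_text, system_text):
    """Return (pruned PEM text, dropped fingerprints).

    A custom entry is dropped when its fingerprint is already in the
    system list or appeared earlier in the custom list itself.
    """
    system_fps = {fp for fp, _ in pem_blocks(system_text)}
    kept, dropped, seen = [], [], set()
    for fp, pem in pem_blocks(custom_text):
        if fp in system_fps or fp in seen:
            dropped.append(fp)
        else:
            seen.add(fp)
            kept.append(pem)
    return "".join(kept), dropped

# Constructed sample data: placeholder payloads, not real certificates.
def fake_cert(payload, width=64):
    return wrap_pem(base64.b64encode(payload).decode(), width)

PUBLIC = b"constructed public root CA placeholder, not a real cert"
INTERNAL = b"constructed internal CA placeholder, not a real cert"
SAMPLE_SYSTEM = fake_cert(PUBLIC)
# Same internal CA twice with different line wrapping, plus one overlap.
SAMPLE_CUSTOM = fake_cert(PUBLIC, 40) + fake_cert(INTERNAL) + fake_cert(INTERNAL, 32)

if __name__ == "__main__":
    pruned, dropped = prune_custom_list(SAMPLE_CUSTOM, SAMPLE_SYSTEM)
    print(f"kept {pruned.count('BEGIN CERTIFICATE')}, dropped {len(dropped)}")
    print(pruned, end="")
```

Matching is on the exact certificate bytes, so a CA that appears in both lists under a different (for example reissued) certificate is kept and still needs a manual decision before the pruned file is imported.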
