Custom Trusted Root Certificates - Duplicates with Cisco list

Auteri · ‎06-20-2023

The Custom Trusted Root Certificate list is standard filled with CAs and on top also with duplicates that also exist in the Cisco Trusted Root Certificate List.

Q1: Why is this custom (Static!) CA list filled anyway? I would expect that all trusted CAs are added and managed by Cisco in their list (Dynamic).

Q2: Can I renove all custom CA's or are some CAs crucial in todays email traffic. And if so why are they not a part of the Cisco CA list.

An example of the current custom CAs can be find here: https://www.cisco.com/c/en/us/support/docs/security/secure-email-gateway/217221-esa-understanding-custom-ca-list-certifi.html

Ken Stieers · ‎06-21-2023

There was a process (upgrade?) in 13.x and earlier that copied the Cisco list to the custom list for reasons that made sense.
You can remove them if they're duplicates. (I did, and it didn't cause issues.)

Auteri · ‎06-22-2023

Since the Custom Certficate Authority list is not managed by Cisco I will remove all CAs not needed. I don't want any possible compromised Certificate Authority in this list.

jtsai8585 · ‎07-06-2023

How am I suppose to remove duplicates? There is over 2200 lines and after spending 2 hours i'm only at like 5%.

Ken Stieers · ‎07-12-2023

Do you know which ones you need?

In the CLI, you can export the list, which saves it to the /configuration directory. You can then grab the file via FTP, edit it, and reupload it via the gui, or put it in the Configuration directory and import it.

The issue is that the aren't labled... so if you know which custom ones you need, like your internal CA certs, it might make sense to just build a fresh file with just the few you need, and import that, instead of deleting all of the ones you don't need.

Auteri · ‎07-12-2023

That's what I've done. Create a txt file with the CAs I need.