Cisco Secure Email Support Community

spacemeb
Beginner

Default certificate is going to expire

Hello,

We have 3 certificates on ESA along with the default.

We noticed that soon it's going to expire.

From certconfig, there is no option to update the default certificate.

What should we do?

Thanks,

MEB

4 REPLIES 4
Ken Stieers
Advocate

IIRC the default will auto rotate itself.
But if you're not using it (and current versions throw a message on cert-related pages about the fact that you are using it), it won't matter...

spacemeb
Beginner

You may be right, it may auto-renew itself.

However, as best practice, I read that if you use the demo certificate somewhere (usually it says where it is used once you go to Network > Certificates), you should use a self-signed cert instead of it, if your public ones are not related to the hostname that you have specified for each course of action.

Regularly, you can see where the certificate is used on interfaces, listeners, destination controls, etc.

So, we will use a self-signed cert to be on the safe side, but will also leave the demo in place to see what will happen.

Hope it helps the next guy/gal who will have the same issue.

Meb

Hello,

The demo certificate is a dummy self-signed certificate and is not really intended to be used outside of initial deployment. You can create your own self-signed certificate to use in place of the demo. Of course, the ideal scenario would be to get your certificate signed by a trusted third party so that it can be verified. There's no reason not to have a trusted and signed certificate nowadays as they're quite cheap and easy to obtain.

As far as demo renewal, it has been done for specific versions in the past, and if expired, then during an upgrade; however, from what I've heard, that is no longer the case, and it will no longer auto-renew moving forward.

Thanks!

-Dennis M.

Thanks for that bit of insight about auto-renewal, Dennis!