How to replace system default certificates on a C170 with AsyncOs 9.1.1?

Our ESA is working, but has the default Cisco SSL certificates.

We have our own certificate from a commercial CA, but it's only used for the admin page.

How do we apply the certificate everywhere it should be?

I think it's done by going to:

Mail Policies—>Destination Controls—> Global Settings

Network—>Listeners—>Select Configured Listener—>Modify Certificate to use

System Administration—>LDAP—>Edit Global settings

Is that correct?

Also, how do I confirm the certificate change is successful and how do I revert it if it fails?

Will a failed import cause an email outage?

Does the ESA need to be restarted to apply the change?

Accepted Solutions
Cisco Employee

Hello,

You can use our TLS setup guide here with regards to how to change the certificate with which services: Specify the Certificate for Use with ESA Services

Also, to answer your other questions:

1) Typically if you make the change on the service by selecting the new certificate, and then submit/commit, you can be sure it's being applied. If you really wanted to dive deeper you can run a packet capture and see exactly which certificate is being offered from the ESA. To revert, you can do the same steps in reverse and select the old certificate, and then submit/commit.

2) Simply importing the certificate will not cause any outage. 

3) Nope, as soon as you submit/commit the change is applied. No restart is needed.

Thanks!

-Dennis M.

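A lighter alternative to the packet capture suggested above is to connect to the appliance as a client and compare the fingerprint of the certificate it presents with the fingerprint of the certificate you uploaded. The script below is an added example, not part of the original thread or Cisco's tooling; it probes the inbound listener (SMTP STARTTLS on port 25) and the GUI (HTTPS on port 443), since those are the two services an external client can see directly, and the hostname, ports and expected fingerprint are assumptions you supply.

```python
"""Check which certificate an ESA presents on its listener and GUI."""
import hashlib
import smtplib
import socket
import ssl


def sha256_fingerprint(der_bytes: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der_bytes: bytes, expected: str) -> bool:
    """Compare a presented certificate with the expected fingerprint (colons optional)."""
    return sha256_fingerprint(der_bytes).replace(":", "") == expected.replace(":", "").upper()


def _probe_context() -> ssl.SSLContext:
    # We only want to see the certificate, not trust it, so validation is off here.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_smtp_starttls_cert(host: str, port: int = 25, timeout: float = 10) -> bytes:
    """Return the DER certificate the listener offers after STARTTLS."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=_probe_context())
        return smtp.sock.getpeercert(binary_form=True)


def fetch_tls_cert(host: str, port: int = 443, timeout: float = 10) -> bytes:
    """Return the DER certificate offered on a plain TLS port (e.g. the HTTPS GUI)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with _probe_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_services(host: str, expected_fp: str) -> dict:
    """Map each probed service to True/False, or an error string if unreachable."""
    probes = {"smtp-listener": lambda: fetch_smtp_starttls_cert(host),
              "https-gui": lambda: fetch_tls_cert(host)}
    results = {}
    for name, probe in probes.items():
        try:
            results[name] = fingerprint_matches(probe(), expected_fp)
        except (OSError, smtplib.SMTPException) as exc:
            results[name] = f"error: {exc}"
    return results
```

Run `check_services("esa.example.internal", "<SHA-256 of your uploaded cert>")` once before the commit and once after; a service still reporting False is one where the old certificate remains selected.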

Cisco Employee

Hi,

The certificates are configured at the below locations.

  • Network > Listeners > The name of the listener > Certificate (Inbound Mail Flow)
  • Mail Policies > Destination Controls > Edit Global Settings > Certificate (Outbound Mail Flow)
  • Network > IP Interface > Choose interface associated with GUI access > HTTPS Certificate (GUI Access)
  • System Administration > LDAP > Edit Settings > Certificate (LDAP Server)

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118923-technote-esa-00.html

The certificate is stored in the device configuration file. Simply save that file and choose to unmask the passwords. Loading back the configuration file would change it back.

The certificate would not become applicable till the changes are committed and although valid certificates should not result in an email outage, the outcome would depend on the certificate.

Thanks

Libin Varghese
