01-11-2017 10:50 AM
Our ESA is working, but has the default Cisco SSL certificates.
We have our own certificate from a commercial CA, but it's only used for the admin page.
How do we apply the certificate everywhere it should be?
I think it's done by going to:
Mail Policies—>Destination Controls—> Global Settings
Network—>Listeners—>Select Configured Listener—>Modify Certificate to use
System Administration—>LDAP—>Edit Global settings
Is that correct?
Also, how do I confirm the certificate change is successful and how do I revert it if it fails?
Will a failed import cause an email outage?
Does the ESA need to be restarted to apply the change?
01-11-2017 11:10 AM
Hello,
You can use our TLS setup guide here with regard to how to change the certificate with which services: Specify the Certificate for Use with ESA Services
Also, to answer your other questions:
1) Typically if you make the change on the service by selecting the new certificate, and then submit/commit, you can be sure it's being applied. If you really wanted to dive deeper you can run a packet capture and see exactly which certificate is being offered from the ESA. To revert, you can do the same steps in reverse and select the old certificate, and then submit/commit.
2) Simply importing the certificate will not cause any outage.
3) Nope, as soon as you submit/commit the change is applied. No restart is needed.
Thanks!
-Dennis M.
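One way to confirm which certificate the ESA offers after submit/commit without a packet capture, as an added example that is not part of the original replies: it reads the certificate from an SMTP listener (STARTTLS) and from a direct-TLS service such as the admin page, then compares its SHA-256 fingerprint with the one you expect. The function names, ports 25 and 443, and the command-line arguments are assumptions.

```python
import hashlib
import smtplib
import socket
import ssl
import sys


def normalize_fp(fp: str) -> str:
    """Reduce 'AA:BB:...' style hex fingerprints to plain lowercase hex (pass hex only)."""
    return "".join(c for c in fp.lower() if c in "0123456789abcdef")


def sha256_fp(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def _inspect_ctx() -> ssl.SSLContext:
    # Validation is off on purpose: we want to read whatever certificate is
    # offered (including an appliance default), not decide whether to trust it.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def smtp_cert(host: str, port: int = 25, timeout: float = 10) -> bytes:
    """DER certificate offered by an SMTP listener after STARTTLS."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        s.starttls(context=_inspect_ctx())
        return s.sock.getpeercert(binary_form=True)


def tls_cert(host: str, port: int = 443, timeout: float = 10) -> bytes:
    """DER certificate offered by a direct-TLS service (port is an assumption)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with _inspect_ctx().wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verdict(offered_der: bytes, expected_fp: str, previous_fp: str = "") -> str:
    """'new' if the expected cert is served, 'old' if the previous one, else 'unknown'."""
    got = sha256_fp(offered_der)
    if got == normalize_fp(expected_fp):
        return "new"
    if previous_fp and got == normalize_fp(previous_fp):
        return "old"
    return "unknown"


if __name__ == "__main__":  # usage: script.py <esa-host> <expected-sha256-hex>
    for name, fetch in (("smtp/25", smtp_cert), ("https/443", tls_cert)):
        print(name, verdict(fetch(sys.argv[1]), sys.argv[2]))
```

The expected fingerprint can be taken from the certificate file with `openssl x509 -noout -fingerprint -sha256 -in cert.pem`, passing only the hex part.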
01-11-2017 11:12 AM
Hi,
The certificates are configured at the below locations.
http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118923-technote-esa-00.html
The certificate is stored in the device configuration file. Simply save that file and choose to unmask the passwords. Loading back the configuration file would change it back.
The certificate would not become applicable till the changes are committed and although valid certificates should not result in an email outage, the outcome would depend on the certificate.
Thanks
Libin Varghese