Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6857
Views
0
Helpful
2
Replies

How to replace system default certificates on a C170 with AsyncOs 9.1.1?

Go to solution
webabc123
Level 1
Level 1

‎01-11-2017 10:50 AM

Our ESA is working, but has the default Cisco SSL certificates.

We have our own certificate from a commercial CA, but it's only used for the admin page.

How do we apply the certificate everywhere it should be?

I think it's done by going to:

Mail Policies—>Destination Controls—> Global Settings

Network—>Listeners—>Select Configured Listener—>Modify Certificate to use

System Administration—>LDAP—>Edit Global settings

Is that correct?

Also, how do I confirm the certificate change is successful and how do I revert it if it fails?

Will a failed import cause an email outage?

Does the ESA need to be restarted to apply the change?

1 person had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
dmccabej
Cisco Employee
Cisco Employee

‎01-11-2017 11:10 AM

Hello,

You can use our TLS setup guide here with regards to how to change the certificate with which services : Specify the Certificate for Use with ESA Services

Also, to answer your other questions :

1) Typically if you make the change on the service by selecting the new certificate, and then submit/commit, you can be sure it's being applied. If you really wanted to dive deeper you can run a packet capture and see exactly which certificate is being offered from the ESA. To revert, you can do the same steps in reverse and select the old certificate, and then submit/commit.

2) Simply importing the certificate will not cause any outage. 

3) Nope, as soon as you submit/commit the change is applied. No restart is needed.

Thanks!

-Dennis M.

View solution in original post

0 Helpful

Go to solution
Libin Varghese
Cisco Employee
Cisco Employee

‎01-11-2017 11:12 AM

Hi,

The certificates are configured at the below locations.

  • Network > Listeners >  Then name of the listener > Certificate (Inbound Mail Flow)
  • Mail Polices > Destination Controls > Edit Global Settings > Certificate (Outbound Mail Flow)
  • Network > IP Interface > Choose interface associated with GUI access > HTTPS Certificate (GUI Access)
  • System Administration > LDAP > Edit Settings > Certificate (LDAP Server)

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118923-technote-esa-00.html

The certificate is stored in the device configuration file.  Simply save that file and choose to unmask the passwords. Loading back the configuration file would change it back.

The certificate would not become applicable till the changes are committed and although valid certificates should not result in an email outage, the outcome would depend on the certificate.

Thanks

Libin Varghese

View solution in original post

0 Helpful
2 Replies 2

Go to solution
dmccabej
Cisco Employee
Cisco Employee

‎01-11-2017 11:10 AM

Hello,

You can use our TLS setup guide here with regards to how to change the certificate with which services : Specify the Certificate for Use with ESA Services

Also, to answer your other questions :

1) Typically if you make the change on the service by selecting the new certificate, and then submit/commit, you can be sure it's being applied. If you really wanted to dive deeper you can run a packet capture and see exactly which certificate is being offered from the ESA. To revert, you can do the same steps in reverse and select the old certificate, and then submit/commit.

2) Simply importing the certificate will not cause any outage. 

3) Nope, as soon as you submit/commit the change is applied. No restart is needed.

Thanks!

-Dennis M.

0 Helpful

Go to solution
Libin Varghese
Cisco Employee
Cisco Employee

‎01-11-2017 11:12 AM

Hi,

The certificates are configured at the below locations.

  • Network > Listeners >  Then name of the listener > Certificate (Inbound Mail Flow)
  • Mail Polices > Destination Controls > Edit Global Settings > Certificate (Outbound Mail Flow)
  • Network > IP Interface > Choose interface associated with GUI access > HTTPS Certificate (GUI Access)
  • System Administration > LDAP > Edit Settings > Certificate (LDAP Server)

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118923-technote-esa-00.html

The certificate is stored in the device configuration file.  Simply save that file and choose to unmask the passwords. Loading back the configuration file would change it back.

The certificate would not become applicable till the changes are committed and although valid certificates should not result in an email outage, the outcome would depend on the certificate.

Thanks

Libin Varghese

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents