Import Certificate ESA

SupportAC
Level 1

Hi,

We are trying to import a certificate into our ESA. This certificate will be used to encrypt the connection with another peer, so this certificate is from the other end. Do we need the other peer's certificate? Currently mails are going in plain text. I'm trying to import the certificate in pkcs12 but I get this error: "Invalid certificate".

Why am I getting this error?

Regards.

5 Replies

Libin Varghese
Cisco Employee

The certificate to be installed on the ESA is what the ESA would offer when negotiating TLS.

 

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118844-technote-esa-00.html

 

The Invalid Certificate error can be generated due to multiple causes:

1. If you edited the certificate manually through a source other than the IronPort, then please check with that software vendor to verify that the certificate was generated properly using their software (also make sure that the certificate contains the private key).
2. If you generated the CSR from the IronPort, took it to your CA, and are now trying to upload it back into the IronPort, then verify that you are uploading it into the Certificate Profile in which you created the CSR.
3. Certificates are imported in PKCS#12 format; however, if you are applying a signed certificate for a CSR generated from the IronPort, it has to be in PEM format.

 

Regards,

Libin Varghese 
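
A pre-import check for cause 1 in the reply above (the PKCS#12 bundle must contain the private key as well as the certificate), as an added example that is not part of the original thread or Cisco's documentation. It assumes the `openssl` command-line tool is installed; the function names, file names, the `mail.example.test` subject and the `example` password are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a PKCS#12 bundle holds both
# a certificate and its private key before uploading it to the appliance.

# check_p12 FILE PASSWORD
# Prints one of: ok | no-private-key | no-certificate | unreadable
check_p12() {
  file=$1
  # The password reaches openssl through the environment, not its command line.
  # A wrong password or a file that is not PKCS#12 makes this first read fail.
  certs=$(P12_PASS=$2 openssl pkcs12 -in "$file" -passin env:P12_PASS \
            -nokeys 2>/dev/null) || { echo unreadable; return 0; }
  case $certs in
    *"BEGIN CERTIFICATE"*) ;;
    *) echo no-certificate; return 0 ;;
  esac
  # Key material is piped straight into grep and is never stored or printed.
  if P12_PASS=$2 openssl pkcs12 -in "$file" -passin env:P12_PASS \
       -nocerts -nodes 2>/dev/null | grep -q "PRIVATE KEY"; then
    echo ok
  else
    echo no-private-key
  fi
}

# make_samples: builds constructed test bundles in a temp dir and prints its path.
#   full.p12     = self-signed certificate + private key
#   certonly.p12 = the same certificate without the key (e.g. a peer's public cert)
make_samples() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mail.example.test" \
    -keyout "$d/key.pem" -out "$d/cert.pem" >/dev/null 2>&1
  P12_PASS=example openssl pkcs12 -export -in "$d/cert.pem" -inkey "$d/key.pem" \
    -out "$d/full.p12" -passout env:P12_PASS >/dev/null 2>&1
  P12_PASS=example openssl pkcs12 -export -nokeys -in "$d/cert.pem" \
    -out "$d/certonly.p12" -passout env:P12_PASS >/dev/null 2>&1
  echo "$d"
}

# Stand-alone use: P12_PASS='...' sh check_p12.sh bundle.p12
if [ "$#" -ge 1 ]; then
  check_p12 "$1" "${P12_PASS:-}"
fi
```

A `no-private-key` result is what a bundle built only from another party's public certificate produces.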

Let me explain:

We have our certificate in our ESA to say who we are. But the other end has given us its certificate so that we import it into our IronPort and in this way trust them for better encryption security, since it is currently in plain text. I think this makes no sense.

 

 

Hi there,
I guess you are talking about SMIME gateway to SMIME gateway encryption?
In that case you would need to import the SMIME gateway certificate and perform the required steps in Mail Policies SMIME to set it up.

We don't have any SMIME. We would like to encrypt the mails (actually sms goes in plain text) between two different sites. So the other customer gave us his certificate in order to import it into our ESA and cipher these mails. How could we do that?

What kind of encryption do you want to use?

If you're going to SMIME the mail items, you need their cert. The messages will be encrypted in flight, and each one decrypted separately on their end, but the SMTP/TCP connection won't necessarily be encrypted. (E.g., this is like an FTP or HTTP download or upload of an encrypted file.)

If you just want to use TLS, you don't need their cert; just go to Mail Policies/Destination Controls, create an entry for their domain(s), and set TLS Support to Required. The CONNECTION will be encrypted, but the individual emails won't be. (E.g., this is like downloading/uploading an unencrypted file over HTTPS.)