
IronPort C195 Alert, Some unknown certificates will expire

Edward YU
Level 1

Hello Community,

In my Email Security Gateway (IronPort C195), I just installed the self-signed certificates and did not enable TLS. Recently I received warnings like:

Your certificate "CA:Admin-Root-CA" will expire in 89 day(s).

Your certificate "CA:DST Root CA X3" will expire in 59 day(s).

I do not know where these certificates are located and why the warnings pop up. How can I solve this problem?

Thanks everyone.

1 Accepted Solution

Edward YU

Are you on OS 14.0?
If yes, then…

There is a minor defect in the behavior of the certificate store.
The certificate store holds numerous intermediate and root certificates for worldwide Certificate Authorities.
The defect is that the expirations of the old certificates should be transparent, and a minor coding error revealed them.
Now the alerts have become a small nuisance to receive.

https://www.cisco.com/c/en/us/support/docs/security/secure-email-gateway/217221-esa-understanding-custom-ca-list-certifi.html

Thank you,
Chris


balaji.bandi
Hall of Fame

I understand, thank you!

Those certs are in the root cert bundle that ships with the ESA.
You can see them by clicking on Network/Certificates, then at the bottom of that page, click on the "Manage Trusted Root Certificates" button.
These are here so that if you're sending mail, requiring TLS and requiring verification, the ESA can do that.
I suspect that Cisco will update the bundle soon and your ESA should go get it... but it's not there yet.

You can safely ignore this message... but if it's too annoying, open a TAC case.

Yes, you are right,

Cisco surely will update the bundle, as they write in the following link (the link charella posted above):

https://www.cisco.com/c/en/us/support/docs/security/secure-email-gateway/217221-esa-understanding-custom-ca-list-certifi.html

"The system CA certificate bundle is updated automatically after upgrade and periodically, expiration of certificates in the custom list do not impact the working of certificates in the system list."

Thank you for your reply.
