
New SSL certificate for M670 process?

Jason Meyer
Level 1

Can someone help me with the current process for installing a new certificate on an M670 running 8.1.0-476?  Do I still use OPENSSL to generate the private key, and then get the certificate signed and import the certificate via CLI, pem format?

Can I install a SAN certificate?  I have one DNS name spam.domain.com for the two (internal and external) SPAM quarantine interfaces and another name mspam.domain.com for the management interface.

Appreciate the input, I only do this every three years and the process has changed the last two times and I find nothing in the documentation. 

Jason

1 Accepted Solution

Accepted Solutions

Robert Sherwin
Cisco Employee

Jason -

You can use a SAN certificate - as long as the machine names are specified and signed off in the cert by your signer.

Had previous saved notes for similar questions in the past --- see if this helps:

For full create and install:

http://tools.cisco.com/squish/39054

Starting with AsyncOS version 7.1 it is possible to generate a self-signing request on the ESA appliance. This can be used as a workaround to create certificates for SMAs.

  • On an ESA, create a self-signed certificate that will be used for the SMA. This can be done under GUI: Network > Certificates

    A detailed description of how to generate a certificate can be found within the knowledge base article 1634.

    It is important, when creating a certificate, for common name to use the hostname of the SMA (M-Series) and not of the ESA (C-Series), so that the certificate can be properly used. Submit and commit changes.
  • Use GUI: Network > Certificates > Export Certificates to export certificate.

    Give it a file name (e.g. mycert) and password that will be used when converting the certificate. Exported certificate will be in .pfx format. The M-Series only supports .pem format for importing, so this certificate needs to be converted.
  • To convert certificate from .pfx format to .pem format, please use the following OpenSSL syntax:

    openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes

    The Windows version of OpenSSL can be downloaded from: http://www.slproweb.com/products/Win32OpenSSL.html  Make sure Visual C++ 2008 Redistributable is installed first, before the OpenSSL Win32.

    Versions for Mac, Linux, and other operating systems can be downloaded from http://www.openssl.org/source/
  • After converting the certificate to the correct format, one should now have available both - the certificate and the corresponding key in .pem format. It is recommended to sign it by a trusted Certification Authority (CA). Cisco doesn't recommend a specific CA, this is up to the choice of the customer.

    To have this signed, simply select "Download certificate signing request" in the GUI of the ESA (Network > Certificates > select the corresponding certificate created for the SMA) and submit it to the trusted CA of choice.
  • The signed certificate or the self-signed certificate, and the key in .pem format, can be imported now in the SMA. To learn how to do it, please use the corresponding Installing Certificates on an IronPort Email Security Appliance.

Let me know!

-Robert

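The .pfx to .pem conversion from the answer above, plus the checks worth running on the result before importing it, as an added example that is not part of this thread or of Cisco's own tooling (it assumes openssl 1.1.1 or later on the admin workstation; the two hostnames are the ones from the question, and the key, cert and export password are constructed):

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway SAN cert and key,
# export them as .pfx (what the ESA GUI hands you), convert to .pem with the
# openssl pkcs12 line from the answer, then verify the file before import.
# Hostnames are the ones from the question; the password is constructed.
set -eu

WORK=$(mktemp -d)
PFX_PASS='constructed-export-password'

# 1. Constructed key + self-signed cert carrying both names in the SAN.
make_san_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/CN=mspam.domain.com" \
    -addext "subjectAltName=DNS:mspam.domain.com,DNS:spam.domain.com" \
    2>/dev/null
  # Package it the way the ESA export does: cert + key in one .pfx
  openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
    -out "$WORK/mycert.pfx" -passout "pass:$PFX_PASS"
}

# 2. The conversion from the answer; -nodes leaves the key unencrypted,
#    which is what the M-Series .pem import expects.
pfx_to_pem() {
  openssl pkcs12 -in "$WORK/mycert.pfx" -out "$WORK/mycert.pem" -nodes \
    -passin "pass:$PFX_PASS"
}

# 3. Checks worth running before uploading: the .pem must carry both the
#    cert and its key, they must belong together, and the SAN list must
#    cover every hostname the appliance will answer on.
pem_has_cert_and_key() {
  grep -q 'BEGIN CERTIFICATE' "$WORK/mycert.pem" &&
    grep -q 'PRIVATE KEY' "$WORK/mycert.pem"
}

key_matches_cert() {   # public key from the cert must equal the key's
  c=$(openssl x509 -in "$WORK/mycert.pem" -noout -pubkey)
  k=$(openssl pkey -in "$WORK/mycert.pem" -pubout)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

san_covers() {   # usage: san_covers spam.domain.com
  openssl x509 -in "$WORK/mycert.pem" -noout -text | grep -q "DNS:$1"
}

make_san_cert && pfx_to_pem && pem_has_cert_and_key && key_matches_cert &&
  san_covers spam.domain.com && san_covers mspam.domain.com &&
  echo "$WORK/mycert.pem is ready to import"
```

For a CA-signed certificate, run the same three checks against the .pem that holds the signed cert and your key; a SAN that lacks one of the two names is the usual reason the quarantine or management URL still warns after import.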

2 Replies

Thanks Robert, Got r done.