Cisco Secure Email Support Community
AliJamadar
Beginner

renew Cluster certificate

Hi there, 

 

Can someone help me with how to renew the cluster certificate on a cluster, and what will the impact be if it fails?

 

 

2 REPLIES
jrod1999
Beginner

First off, the manual info is here to start:

https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-5-1/user_guide/b_ESA_Admin_Guide_13-5-1/b_ESA_Admin_Guide_12_1_chapter_011001.html?bookSearch=true

 

Check whether your current certificate is using a wildcard or each ESA has its own cert common name.

 

Certificates are used in 4 locations for cluster mode. You need to take note of the 'Name' used in all of them.

  • For Inbound TLS:
    1) Go to Network -> Listeners
    2) Click on the name of your listener
    3) Select the certificate in the "Certificate" drop down
    4) Submit this page
    5) Repeat steps 1-4 for any other listeners
    6) Commit the changes

  • For Outbound TLS:
    1) Go to Mail Policies -> Destination Controls -> Edit Global Settings
    2) Select the certificate in the "Certificate" drop down
    3) Submit this page
    4) Commit the changes

  • For HTTPS:
    1) Go to Network -> IP Interfaces
    2) Click on the name of your IP Interface
    3) Select the certificate in the "HTTPS Certificate" drop down
    4) Submit this page
    5) Repeat steps 1-4 for any other applicable interfaces
    6) Commit the changes

  • For LDAPS:
    1) Go to System Administration -> LDAP -> Edit Settings
    2) Select the certificate in the "Certificate" drop down
    3) Submit this page
    4) Commit the changes

 

When you import the new one and commit it to the cluster, use a name other than the one above for initial staging. Make sure each machine has the same name being used. 

1. You can then rename the old with the new. Quick swap.

  • e.g.: Certificate-prod > Certificate-old

2. Or use the current new name of the cert, and go change the settings to use the new-name cert (from the top of this reply).

 

When you think you have one complete utilize this site to check certificates: http://www.checktls.com/perl/TestReceiver.pl

 

-Hope this helps

-Jared H.
FireJumper Elite #161
charella
Cisco Employee

Hello AliJamadar,

Renewing an existing CA-signed certificate is a minor action, although there are many things to take into account.
jrod1999 provided great information about installing a certificate for replacement and much of that applies to what you will encounter.


Renewing the SAME certificate with the SAME Certificate Authority only requires you to save and submit the current CSR (Certificate Signing Request).

* Always save the configuration (encrypted format) on the ESA and off the ESA to your computer, for a quick restore if something fails during the work.
* Download the CSR from your existing Certificate profile.
* Submit the certificate to the same CA for signing.
* When the CA returns the Signed certificate simply load it to the existing Certificate profile and submit.
* Return to the same Certificate profile and check the Certificate Chain.
* “Signature issued by: value” should match the next intermediate certificate “Issued To: value”
* Repeat the previous “issued by” <> “issued to” of the next intermediate certificate to ensure the values match.
If the NEW signed certificate has changed the “Signature Issued by:value,” then you will need to replace the intermediate certificates to match.

* Once completed commit the changes.

------ Potential for failures.

* expired certificate = potential for rejection
* certificate with improper chain = potential for rejection.
Risk of changing the certificate: I've only observed LDAP, twice in many years, not use the new certificate after a change.
It would require a service restart or reboot if that rare situation occurs.


Open a ticket if you would like to ensure success.

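The "issued by" versus "issued to" walk that the reply above describes, and the "same CSR, same CA" renewal it starts from, as an added example that is not part of either reply and is not Cisco or ESA code. It builds a constructed root -> intermediate -> leaf PKI with openssl, re-signs the stored CSR to simulate the renewal, confirms the renewed certificate still has the same issuer (so the intermediates on the profile can stay), and then checks a PEM bundle link by link plus a full `openssl verify`. It assumes `openssl` 1.1.1 or newer is on PATH; the hostname esa1.example.net, the CA names and all file names are invented for the demo. It is also the offline counterpart of the checktls test mentioned in the earlier reply: run it against the bundle you are about to load before you commit.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: a constructed root -> intermediate
# -> leaf PKI built with openssl, a "renewal" that re-signs the appliance's stored CSR
# with the same CA, and the chain check from the reply: each certificate's "issued by"
# must equal the next certificate's "issued to", and nothing may be expired.
# Assumptions: openssl 1.1.1+ on PATH; esa1.example.net, the CA names and the file
# names are invented for the demo.

# Subject or issuer of a PEM certificate without the "subject="/"issuer=" prefix:
# cert_field FILE subject|issuer
cert_field() { openssl x509 -noout -"$2" -in "$1" | sed "s/^$2=//"; }

# Sign (first issuance) or re-sign (renewal) the stored CSR with the intermediate CA:
# sign_leaf DIR DAYS OUTFILE
sign_leaf() {
  openssl x509 -req -in "$1/esa.csr" -CA "$1/inter.pem" -CAkey "$1/inter.key" -CAcreateserial \
    -days "$2" -extfile "$1/leaf.ext" -out "$3" >/dev/null 2>&1
}

# Constructed demo PKI in DIR: root.pem, inter.pem, esa.csr/esa.pem and two PEM bundles.
build_demo_chain() {
  d="$1"; mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:esa1.example.net\n' > "$d/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" -keyout "$d/inter.key" -out "$d/inter.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 1825 -extfile "$d/ca.ext" -out "$d/inter.pem" >/dev/null 2>&1
  # The appliance keeps its key and CSR; renewing with the same CA means re-signing esa.csr.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=esa1.example.net" -keyout "$d/esa.key" -out "$d/esa.csr" >/dev/null 2>&1
  sign_leaf "$d" 397 "$d/esa.pem"
  cat "$d/esa.pem" "$d/inter.pem" "$d/root.pem" > "$d/chain-good.pem"
  cat "$d/esa.pem" "$d/root.pem" > "$d/chain-missing-intermediate.pem"   # broken on purpose
}

# Does the renewed certificate still chain to the same issuer? If not, the intermediates
# on the certificate profile have to be replaced as well: same_issuer OLD.pem NEW.pem
same_issuer() { [ "$(cert_field "$1" issuer)" = "$(cert_field "$2" issuer)" ]; }

# Split a PEM bundle into OUTDIR/cert-1.pem, cert-2.pem, ... in file order: split_pem BUNDLE OUTDIR
split_pem() {
  awk -v out="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = out "/cert-" n ".pem" }
                   f != "" { print > f }
                   /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# Walk a bundle ordered leaf first and report every link: check_chain BUNDLE
# Exit status 0 only if every "issued by" matches the next "issued to" and nothing is expired.
check_chain() {
  work=$(mktemp -d); split_pem "$1" "$work"; n=1; rc=0
  while [ -f "$work/cert-$n.pem" ]; do
    cur="$work/cert-$n.pem"; nxt="$work/cert-$((n + 1)).pem"
    subj=$(cert_field "$cur" subject); iss=$(cert_field "$cur" issuer)
    if ! openssl x509 -noout -checkend 0 -in "$cur" >/dev/null; then
      echo "EXPIRED: '$subj'"; rc=1
    fi
    if [ -f "$nxt" ]; then
      nsubj=$(cert_field "$nxt" subject)
      if [ "$iss" = "$nsubj" ]; then
        echo "ok:    '$subj' issued by '$iss'"
      else
        echo "BREAK: '$subj' is issued by '$iss' but the next certificate is '$nsubj'"; rc=1
      fi
    elif [ "$subj" = "$iss" ]; then
      echo "root:  '$subj' (self-signed)"
    else
      echo "end:   '$subj'; issuer '$iss' is not in the bundle and must be in the peer's trust store"
    fi
    n=$((n + 1))
  done
  rm -rf "$work"; return "$rc"
}

# Cryptographic verification of the whole path, not just name matching: verify_leaf ROOT INTER LEAF
verify_leaf() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null; }

# Stand-alone demo: build the PKI, renew the leaf from the stored CSR, check both bundles.
d=$(mktemp -d)
build_demo_chain "$d"
sign_leaf "$d" 397 "$d/esa-renewed.pem"
same_issuer "$d/esa.pem" "$d/esa-renewed.pem" && echo "renewal kept the same issuer; intermediates can stay"
echo "--- chain-good.pem";                  check_chain "$d/chain-good.pem"
echo "--- chain-missing-intermediate.pem"; check_chain "$d/chain-missing-intermediate.pem" || true
verify_leaf "$d/root.pem" "$d/inter.pem" "$d/esa-renewed.pem" && echo "openssl verify: renewed leaf OK"
rm -rf "$d"
```

On a real renewal, feed `check_chain` the signed certificate followed by the intermediates you intend to load on the profile; a `BREAK:` line means the CA has moved to a different intermediate and the intermediate certificates on the profile must be replaced before the commit, and an `EXPIRED:` line on any link is the rejection case the reply warns about. The `end:` line is normal when the bundle deliberately omits the root, since peers are expected to carry the root in their own trust store.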