renew Cluster certificate

AliJamadar
Level 1

Hi there,

Can someone help me with how to renew the Cluster Certificate on a cluster, and what the impact will be if it fails?

2 Replies

jrod1999
Level 1

First off, the manual info is here to start:

https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-5-1/user_guide/b_ESA_Admin_Guide_13-5-1/b_ESA_Admin_Guide_12_1_chapter_011001.html?bookSearch=true

Check out what your current certificate is using: a wildcard, or each ESA has its own cert common name.

 

Certificates are used in 4 locations for cluster mode. You need to take note of the 'Name' used in all of them.

  • For Inbound TLS:
    1) Go to Network -> Listeners
    2) Click on the name of your listener
    3) Select the certificate in the "Certificate" drop down
    4) Submit this page
    5) Repeat steps 1-4 for any other listeners
    6) Commit the changes

  • For Outbound TLS:
    1) Go to Mail Policies -> Destination Controls -> Edit Global Settings
    2) Select the certificate in the "Certificate" drop down
    3) Submit this page
    4) Commit the changes

  • For HTTPS:
    1) Go to Network -> IP Interfaces
    2) Click on the name of your IP Interface
    3) Select the certificate in the "HTTPS Certificate" drop down
    4) Submit this page
    5) Repeat steps 1-4 for any other applicable interfaces
    6) Commit the changes

  • For LDAPS:
    1) Go to System Administration -> LDAP -> Edit Settings
    2) Select the certificate in the "Certificate" drop down
    3) Submit this page
    4) Commit the changes

 

When you import the new one and commit it to the cluster, use a name other than the one above for initial staging. Make sure each machine has the same name being used.

1. You can then rename the old with the new. Quick swap.

  • e.g.: Certificate-prod > Certificate-old

2. Or use the current new name of the cert, and go change the settings to use the new-name cert (from the top of this reply).

 

When you think you have one complete, utilize this site to check certificates: http://www.checktls.com/perl/TestReceiver.pl

 

-Hope this helps

-Jared H.
FireJumper Elite #161

charella
Cisco Employee
Hello AliJamadar,

To renew an existing CA-signed certificate is a minor action, although there are many things to take into account.
jrod1999 provided great information about installing a certificate for replacement, and much of that applies to what you will encounter.


To renew the SAME certificate with the SAME Certificate Authority only requires you to save and submit the current CSR (Certificate Signing Request).

* Always save the configuration (encrypted format) on the ESA and off the ESA to your computer, for a quick restore if something fails during the work.
* Download the CSR from your existing Certificate profile.
* Submit the certificate to the same CA for signing.
* When the CA returns the signed certificate, simply load it into the existing Certificate profile and submit.
* Return to the same Certificate profile and check the Certificate Chain.
* “Signature issued by: value” should match the next intermediate certificate's “Issued To: value”.
* Repeat the previous “issued by” <> “issued to” comparison for the next intermediate certificate to ensure the values match.
  If the NEW signed certificate has changed the “Signature Issued by: value”, then you will need to replace the intermediate certificates to match.
* Once completed, commit the changes.

------ Potential for failures.

* expired certificate = potential for rejection
* certificate with improper chain = potential for rejection
Risk of changing the certificate – I’ve only observed LDAP twice in many years not using the new certificate after the change.
It would require a service restart or reboot if that rare situation occurs.

Open a ticket if you would like to ensure success.
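The two checks both replies lean on, that each certificate's “issued by” equals the next one's “issued to” and that nothing in the chain has expired, can be scripted against the PEM bundle you are about to load into the Certificate profile, and against what a listener actually presents (the same thing checktls.com tests remotely). The script below is an added example, not from this thread or from Cisco; it assumes only the openssl command-line tool, and the CA names and hostname used in make_sample_chain are constructed for the offline demo.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco). Walks a PEM bundle in the
# order the ESA Certificate profile shows it (leaf, then intermediates, then
# optionally the root) and applies two checks:
#   1. each cert's "issued by" must equal the next cert's "issued to", and
#   2. nothing in the chain may be expired (expiry within 30 days is a warning).

# Print the i-th certificate block of a bundle ($1 = bundle, $2 = index).
nth_cert() {
    awk -v i="$2" '/-----BEGIN CERTIFICATE-----/ { n++ } n == i' "$1"
}

# Read a PEM cert on stdin and print one field, "subject" or "issuer", prefix stripped.
cert_field() {
    openssl x509 -noout -"$1" | sed "s/^$1= *//"
}

check_chain() {
    bundle=$1
    count=$(grep -c 'BEGIN CERTIFICATE' "$bundle" 2>/dev/null || true)
    if [ "${count:-0}" -eq 0 ]; then
        echo "no certificates found in $bundle"
        return 1
    fi
    status=0
    i=1
    while [ "$i" -le "$count" ]; do
        cert=$(nth_cert "$bundle" "$i")
        subject=$(printf '%s\n' "$cert" | cert_field subject)
        issuer=$(printf '%s\n' "$cert" | cert_field issuer)
        echo "cert $i: issued to [$subject], issued by [$issuer]"

        # Expiry: -checkend N succeeds only if the cert is still valid N seconds from now.
        if printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null; then
            if ! printf '%s\n' "$cert" | openssl x509 -noout -checkend 2592000 >/dev/null; then
                echo "  WARNING: cert $i expires within 30 days"
            fi
        else
            echo "  EXPIRED: cert $i"
            status=1
        fi

        # Chain link: this cert's issuer must be the next cert's subject.
        if [ "$i" -lt "$count" ]; then
            next=$(nth_cert "$bundle" "$((i + 1))" | cert_field subject)
            if [ "$issuer" != "$next" ]; then
                echo "  MISMATCH: cert $i issued by [$issuer] but cert $((i + 1)) is issued to [$next]"
                status=1
            fi
        elif [ "$issuer" = "$subject" ]; then
            echo "  chain ends at a self-signed root"
        else
            echo "  chain ends at an intermediate; [$issuer] must be in the peer's trust store"
        fi
        i=$((i + 1))
    done
    return "$status"
}

# Pull the chain an SMTP listener presents during STARTTLS, so the same checks can be
# run on the live listener ($1 = host, $2 = port). Needs network; not exercised offline.
fetch_smtp_chain() {
    openssl s_client -starttls smtp -showcerts -connect "$1:$2" </dev/null 2>/dev/null |
        awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

# Constructed sample: throwaway root -> intermediate -> leaf, plus a broken bundle
# with the intermediate left out. All names here are made up for the demo.
make_sample_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Example Root CA' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -out "$d/inter.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=esa.example.com' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/inter.pem" "$d/root.pem" > "$d/good-chain.pem"
    cat "$d/leaf.pem" "$d/root.pem" > "$d/broken-chain.pem"
}

# Usage: sh check_chain.sh bundle.pem   (no argument: run the constructed sample)
if [ "$#" -gt 0 ]; then
    check_chain "$1"
else
    d=$(mktemp -d)
    make_sample_chain "$d"
    echo "== good bundle"; check_chain "$d/good-chain.pem"
    echo "== intermediate omitted"; check_chain "$d/broken-chain.pem" || echo "(rejected, as expected)"
    rm -rf "$d"
fi
```

Against a real ESA, save the certificate plus intermediates as one PEM file in the order the profile lists them and run the script on it before you commit; after the commit, `fetch_smtp_chain yourhost 25 > live.pem` followed by `sh check_chain.sh live.pem` confirms the listener is serving the renewed chain rather than the staged or old profile.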