TLS Cert NOT VALIDATED: unable to get local issuer certificate

abdulhadizamri
Level 1

Hello everyone,

My customer complained that their TLS cert is not validated:

I checked on checktls.com and found that Cert OK = Fail

Pref  Connect      Allowed      Can Use      TLS Adv      Cert OK  TLS Neg        Sndr OK        Rcvr OK
10    OK (262ms)   OK (500ms)   OK (262ms)   OK (260ms)   FAIL     OK (2,169ms)   OK (354ms)     OK (262ms)
20    OK (338ms)   OK (716ms)   OK (363ms)   OK (350ms)   FAIL     OK (2,910ms)   OK (1,049ms)   OK (282ms)
      100%         100%         100%         100%         0%       100%           100%           100%

Kindly need your advice about this error. Thanks.


12 Replies

Hi, ESA by default uses self-signed certificates for SMTP conversations.

Install an SSL certificate from a trusted root CA for TLS/SSL SMTP connections.

Hi Jernej,

I have installed the cert received from the CA on the IronPort.

We have followed the guide from the link below:

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118844-technote-esa-00.html

Is there anything else that I have missed?

Hi, have you solved the problem?

Did you check that the hostname specified under GUI->Network->IP Interface, which correlates to Listener->Certificate, matches the hostname specified in the certificate, as Libin suggested?

Also double-check that you uploaded the complete certificate chain (root CA + intermediate CA): GUI->Network->Certificates.

Libin Varghese
Cisco Employee

Hi Abdul,

When using checktls.com, you can click on More detail to display details of the certificates being used and why they could not be validated.

Validation can fail for multiple reasons: one would be that the device is using certificates not signed by a trusted CA; another could be chained certificates not installed in the correct order.

Reviewing the certificate details on checktls.com should give you more information on that.

Thanks

Libin Varghese
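Libin's two failure causes (untrusted signer, intermediates missing or out of order) and Jernej's advice to upload the full chain, as an added Python model that is not part of this thread or of Cisco's ESA: certificate names and the trust store are constructed, and only subject/issuer linkage is modelled, not signatures or validity dates.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: only the two fields the path check needs."""
    subject: str
    issuer: str


def verify_chain(presented, trust_store):
    """Build a path from the leaf (presented[0]) to a trust anchor.

    Returns (ok, message). Messages echo OpenSSL's wording, which is what
    checktls.com showed the poster. Signatures, validity dates and key usage
    are not modelled.
    """
    if not presented:
        return False, "no certificate presented"
    trusted = {c.subject for c in trust_store}
    by_subject = {c.subject: c for c in presented}
    current, depth = presented[0], 0
    while True:
        if current.issuer in trusted:
            return True, f"chain validated up to trusted root '{current.issuer}'"
        if current.issuer == current.subject:
            # An appliance still on its factory default certificate presents this shape.
            return False, f"self signed certificate '{current.subject}' is not in the trust store"
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            # The intermediate was never uploaded, so the path stops short of the root.
            return False, (f"unable to get local issuer certificate "
                           f"(need '{current.issuer}' to validate '{current.subject}')")
        # RFC 5246 requires each certificate to directly certify the one before it;
        # strict peers reject a chain that merely contains the intermediate somewhere.
        if presented.index(issuer) != depth + 1:
            return False, f"chain out of order: '{issuer.subject}' must directly follow '{current.subject}'"
        current, depth = issuer, depth + 1


# Constructed scenario mirroring the thread: a CA-issued leaf for test.com, one
# intermediate, and a receiving side that trusts only the root.
ROOT = Cert("Example Root CA", "Example Root CA")
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA")
LEAF = Cert("test.com", "Example Intermediate CA")
TRUST_STORE = [ROOT]

if __name__ == "__main__":
    for chain in ([LEAF], [LEAF, INTERMEDIATE], [LEAF, ROOT, INTERMEDIATE]):
        print([c.subject for c in chain], "->", verify_chain(chain, TRUST_STORE))
```

Uploading only the leaf reproduces the exact error in the thread title; adding the intermediate directly after it makes the path reach the root.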

Hi Libin,

Cert NOT VALIDATED: unable to get local issuer certificate
[001.929] this may help: What Is An Intermediate Certificate
[001.930] So email is encrypted but the domain is not verified
[001.930] Cert Hostname DOES NOT VERIFY (hq.test.com != test.com)
[001.930] So email is encrypted but the host is not verified
[001.931]

These details were highlighted when I was using checktls.

Could you advise me what else is missing in our TLS configuration?

Thanks,

Abdul Hadi

Hi Abdul,

The error mentioned above suggests that the hostname on the certificate did not match the hostname on the certificate.

Cert Hostname DOES NOT VERIFY (hq.test.com != test.com)

This would fail verification when the hostnames are compared for verification.

Thanks

Libin

Hi Libin,

I have tried to change the hostname on the IronPort interface to test.com but still got the same result.

This certificate is used for two domains (test.com and test1.com).

I have also re-uploaded the signed certificate and the intermediate certificate.

Is there anything else I should take a look at?

Thanks,

Hadi

Hello Hadi,

The CN of the certificate should match your IP Interface hostname, which should also match your MX record. If you have multiple domains/hostnames and/or MX records, you should obtain a SAN certificate and include all of those.

Thanks!

-Dennis M.

Hello Dennis,

My cert Information:

Common Name: test.com

Subject Alternative Name: test.com, test1.com

I have multiple hostnames (3 appliances):

hq01test.hq.org, hq02test.hq.org, hq03test.hq.org

I have 2 MX records:

1. HQ.test.com

2. DR.test.com

Appliance Certificates status : Active

Based on the information above, kindly advise where I should make changes.

Thanks,

Hadi

Hi Hadi,

"A records" need to match. Do you have three corresponding A records named

hq01test.hq.org, hq02test.hq.org and hq03test.hq.org?

If you have them, then you have two options:

1. Add the SAN names hq01test.hq.org, hq02test.hq.org and hq03test.hq.org to the certificate - you'll need to regenerate it.

2. Get a wildcard certificate for hq.org.

Hello Jernej,

The following hostnames: hq01test.hq.org, hq02test.hq.org and hq03test.hq.org are tied to internal DNS (hq.org).

Is it possible to add these records as SAN names to the certificate? Kindly advise.

Thanks.

Hadi

Hello Hadi,

You'll normally want to use publicly resolvable hostnames on the interface that accepts incoming external mail, and you'll then match that to your MX records, which in turn match an 'A' record and one of the SAN names on your certificate.

i.e.:

Public domain : test.com

ESA interface/s : smtp1.test.com / smtp2.test.com / smtp3.test.com

MX records : smtp1.test.com / smtp2.test.com / smtp3.test.com

A records : smtp1.test.com points to X.X.X.X / smtp2.test.com points to X.X.X.X / smtp3.test.com points to X.X.X.X

Certificate SAN names : smtp1.test.com / smtp2.test.com / smtp3.test.com
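The hostname half of the check, as an added Python example that is not from this thread or from Cisco: RFC 6125 matching of the MX hostname a sender connects to against the certificate's dNSName SANs (or the CN when there are none), run over constructed data reproducing the poster's CN/SAN set, the smtp1/2/3.test.com layout above and Jernej's wildcard option.

```python
def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 comparison: ASCII case-insensitive; '*' replaces exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        # '*.hq.org' covers hq01test.hq.org, but neither hq.org nor a.b.hq.org
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host  # no substring matching: test.com does not cover hq.test.com


def verify_hostname(mx_host: str, cn: str, sans=()) -> tuple[bool, str]:
    """Compare the connected-to MX hostname with the certificate's names."""
    # Once any dNSName SAN is present, verifiers ignore the CN entirely.
    names = list(sans) if sans else [cn]
    for name in names:
        if name_matches(name, mx_host):
            return True, f"Cert Hostname VERIFIED ({mx_host} matches {name})"
    # Wording mirrors the checktls.com line quoted in the thread.
    return False, f"Cert Hostname DOES NOT VERIFY ({mx_host} != {names[0]})"


def check_mx_records(mx_hosts, cn: str, sans=()) -> dict:
    """Run the check for every MX host a sender might pick; all of them must pass."""
    return {mx: verify_hostname(mx, cn, sans) for mx in mx_hosts}


# Constructed data reproducing the poster's situation and the layout in the accepted answer.
POSTER_CN, POSTER_SANS = "test.com", ("test.com", "test1.com")
POSTER_MX = ("HQ.test.com", "DR.test.com")
FIXED_CN = "smtp1.test.com"
FIXED_SANS = ("smtp1.test.com", "smtp2.test.com", "smtp3.test.com")
FIXED_MX = ("smtp1.test.com", "smtp2.test.com", "smtp3.test.com")

if __name__ == "__main__":
    for ok, msg in check_mx_records(POSTER_MX, POSTER_CN, POSTER_SANS).values():
        print(msg)  # both MX names fail: a bare-domain certificate does not cover subdomains
    for ok, msg in check_mx_records(FIXED_MX, FIXED_CN, FIXED_SANS).values():
        print(msg)  # every MX name is itself a SAN, so every sender path verifies
    # Jernej's option 2: a wildcard for hq.org covers the appliance hostnames,
    # provided the MX records point at those names.
    print(verify_hostname("hq01test.hq.org", "*.hq.org", ("*.hq.org",)))
```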