For appliances in a cluster you can configure different certificates on each machine but give the certificate profile the same name. For example, if your appliances have different hostnames/MX records, then you can create machine-level certificate profiles and then refer to this one name at cluster level when you enable TLS. For example:
Machine Level:
mx1.example.com: in machine mode for mx1, import a certificate (or generate a CSR) with CN=mx1.example.com into a profile called “example.com”
mx2.example.com: in machine mode for mx2, import a certificate (or generate a CSR) with CN=mx2.example.com into a profile called “example.com”
Cluster Level:
Network > Listeners > click the name of a listener > choose the certificate profile “example.com”
To configure the certificates at the cluster level for mail flow, I have included these instructions below:
For Inbound TLS:
* Go to Network > Listeners
* Click the name of a listener
* Choose the certificate name configured above
* Submit this page
* Repeat for any other applicable listeners
For Outbound TLS
* Go to Mail Policies > Destination Controls
* Click on Edit Global Settings
* Choose the certificate name configured above
* Submit this page
I have included the following article linked below for reference and further details regarding configuring TLS on the ESA.
http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118844-technote-esa-00.html
Thanks!
Libin Varghese
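The post leaves two places where a cluster deployment goes wrong in practice: the CSR for one MX ends up in the other machine's profile, and nobody checks what each listener actually presents after the cluster-level change. The following shell script is an added example, not part of the original post or any Cisco tooling; it generates a per-host key and CSR with the hostname as CN and SAN (to be signed and then imported into the same-named machine-level profile), checks that each CSR really carries its own hostname, and queries the live MX over STARTTLS to confirm the certificate it serves. The hostnames mx1.example.com/mx2.example.com come from the post; the output directory, file naming, and the use of a locally generated key that is imported alongside the signed certificate are this script's own assumptions. It needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original post): per-machine key + CSR for an
# ESA cluster where every appliance uses a profile named "example.com" but
# holds a certificate for its own hostname.
set -e

# gen_csr HOST DIR: write DIR/HOST.key and DIR/HOST.csr with CN and SAN = HOST.
# The CA-signed certificate plus HOST.key are what get imported into the
# machine-level profile on that appliance (assumed workflow).
gen_csr() {
    host="$1"; dir="$2"
    mkdir -p "$dir"
    cat > "$dir/$host.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" \
        -config "$dir/$host.cnf" 2>/dev/null
    # Show the subject so it can be eyeballed before the CSR goes to the CA.
    openssl req -noout -subject -in "$dir/$host.csr"
}

# csr_matches HOST DIR: succeed only if DIR/HOST.csr has CN=HOST and a DNS
# SAN for HOST. Catches mx1's CSR being reused for mx2's profile.
csr_matches() {
    host="$1"; dir="$2"
    openssl req -noout -subject -in "$dir/$host.csr" 2>/dev/null \
        | grep -q "CN *= *$host" || return 1
    openssl req -noout -text -in "$dir/$host.csr" 2>/dev/null \
        | grep -q "DNS:$host" || return 1
}

# live_cert_subject HOST: STARTTLS to HOST:25 and print the subject of the
# certificate the listener presents. Needs network; run it after the
# cluster-level listener change to confirm each MX serves its own cert.
live_cert_subject() {
    host="$1"
    openssl s_client -starttls smtp -connect "$host:25" -servername "$host" \
        </dev/null 2>/dev/null | openssl x509 -noout -subject
}

# Usage:  ./esa_csr.sh gen     -> CSRs for both MXes into ./csr
#         ./esa_csr.sh check   -> what each live MX presents
case "${1:-}" in
    gen)
        for h in mx1.example.com mx2.example.com; do
            gen_csr "$h" ./csr
            csr_matches "$h" ./csr || { echo "CSR for $h does not match" >&2; exit 1; }
        done ;;
    check)
        for h in mx1.example.com mx2.example.com; do
            printf '%s presents: ' "$h"; live_cert_subject "$h"
        done ;;
esac
```

Because the cluster-level listener and Destination Controls settings only name the profile, the `check` step is the only place the per-machine difference becomes visible: each MX should report its own CN, and a mismatch means one machine's profile holds the wrong certificate.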