TLS certificate for CES cluster

garndt001 (Level 1)

We have a CES cluster with two ESA hosts.  We want a TLS certificate for our email domain xyz.com.

We have installed a third-party CA signed certificate with just our domain xyz.com and it works for TLS; however, the hostnames do not validate as they are not included in the cert.  We are not sure if this is really going to be a problem yet or not, but since we have over a thousand partners that require TLS, we need to be absolutely positive they will not reject our messages due to the hostnames not validating. 

For on-prem ESAs this was never an issue since we owned the hardware. But now that we are trying CES, where the hostnames are mx1.xx1234.<ciscoCEShost>.com, etc., we are having problems using these hostnames in our certificates. We were told by CES Activations that we need to use a wildcard cert to cover all the hosts, like *.xx1234.<ciscoCEShost>.com, then get our CA to send a DAL (domain authorization letter) to get Cisco's approval to use the domain in our cert. But our company's IT Security department will not allow the use of a wildcard domain.

Also, our CA will not accept a CSR with a sub-domain of xx1234.<ciscoCEShost>.com.

So what is the solution?  Are we the first company to run into this problem?

4 Replies

marc.luescherFRE (Spotlight)

We are using machine certificates like hostname.domain.com on all our 4 CSR enabled ESAs and this works fine.

All ESAs are in a cluster and we renamed the sending certificate on every ESA to use the same name.

CSR could validate our setup and it worked fine. Wildcard certificates are nice but not required.

dmccabej (Cisco Employee)

Hello,

The current certificate you're using is most likely working because most SMTP servers do not perform any type of TLS Certificate Verification. You will definitely run into problems if you send/receive from one of those that do.

If you're not allowed to set up a wildcard certificate, then a SAN certificate can be used in the rare circumstance that it is your only choice; however, either way you're still going to need to use the correct hostnames, such as esa1.<allocation>.iphmx.com. The wildcard is preferred and recommended due to the nature of the CES environment and how ESAs can be added/removed when needed, so you would want to make it future-proof.

I would recommend either explaining to your Security team the entire situation, or choose another CA where you can obtain the proper certificate.

You may also wish to speak with your Account/Sales teams as they have been known to assist with these types of situations in the past. 

Thanks!

-Dennis M.
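The point Dennis makes about verifying peers, as an added example (this is not code from the thread, from Cisco, or from any ESA feature): a small Python script that applies the hostname-matching rules a strict SMTP peer uses (RFC 6125: exact match, or a wildcard only as the whole left-most label, covering exactly one label) to the three certificate shapes discussed above, and a helper that performs a real STARTTLS handshake with chain and hostname verification against a given MX so you can see what a verifying partner sees. The hostnames and SAN lists are constructed placeholders; names such as mx1.xx1234.example.com stand in for the real mx1.<allocation>.<ciscoCEShost>.com names and are assumptions.

```python
"""Check whether a certificate's DNS names cover every hostname a CES cluster
presents, the way a verifying SMTP peer would (RFC 6125 / RFC 2818 matching).

Added example, not code from the thread or from Cisco. Hostnames and SAN lists
below are constructed placeholders for the CES-style names in the discussion.
"""
import smtplib
import ssl

# Constructed placeholder hostnames in the shape mx1.<allocation>.<ciscoCEShost>.com.
CLUSTER_HOSTS = [
    "mx1.xx1234.example.com",
    "mx2.xx1234.example.com",
]

# Three constructed certificate shapes from the discussion (DNS names in the SAN).
CERT_DOMAIN_ONLY = ["xyz.com"]                                              # mail domain only
CERT_WILDCARD = ["*.xx1234.example.com"]                                    # wildcard over the allocation
CERT_SAN = ["xyz.com", "mx1.xx1234.example.com", "mx2.xx1234.example.com"]  # explicit per-host SANs


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style reference-identifier match (case-insensitive).

    A wildcard is honoured only as the complete left-most label and it matches
    exactly one label, so "*.a.b" covers "x.a.b" but not "a.b" or "y.x.a.b".
    Partial-label wildcards ("mx*.a.b") and "*.com" are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def uncovered_hosts(cert_names, hosts):
    """Return the cluster hostnames that none of the certificate's names cover."""
    return [h for h in hosts if not any(hostname_matches(n, h) for n in cert_names)]


def check_starttls(host: str, port: int = 25, timeout: float = 10.0):
    """Open SMTP, issue STARTTLS and verify the chain and hostname like a strict peer.

    Returns (True, None) on success, (False, reason) otherwise. Needs network
    access, so it is not called in the offline demonstration below.
    """
    # create_default_context() sets check_hostname=True and verifies the chain
    # against the local system trust store, which is what a verifying MTA does.
    ctx = ssl.create_default_context()
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)  # wraps with server_hostname=host
            return True, None
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate verification failed: {exc.verify_message}"
    except (OSError, smtplib.SMTPException) as exc:
        return False, str(exc)


if __name__ == "__main__":
    for label, names in [("domain-only", CERT_DOMAIN_ONLY),
                         ("wildcard", CERT_WILDCARD),
                         ("SAN", CERT_SAN)]:
        missing = uncovered_hosts(names, CLUSTER_HOSTS)
        verdict = "covers all hosts" if not missing else "missing " + ", ".join(missing)
        print(f"{label:12s} -> {verdict}")
```

Running the script offline prints that the domain-only certificate leaves both cluster hosts uncovered while the wildcard and explicit-SAN certificates cover them. From a host with outbound port 25, `check_starttls("mx1.xx1234.example.com")` (with the real hostname substituted) shows the verdict a verifying partner would reach: a domain-only certificate fails with a hostname mismatch even though opportunistic-TLS peers accept it. Note that the helper validates the chain only against the local trust store; a partner's store may differ, so the issuing CA's root has to be one your partners trust.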

I wanted to update my original topic. My understanding is that Cisco is now able to offer "Cisco Hydrant" certificates. They would have all the hostnames and FQDNs needed for TLS. Not sure yet if this is an option for my company, but we will be investigating.

Hello,

That's correct, we now offer free SAN certificates for CES customers. The certificate is issued by Intermediate HydrantID SSL ICA G2 which is issued by Root QuoVadis Root CA 2. All you would need to do is create a TAC case and they can get it created and set up for you. For anyone that wishes to use another CA they can still purchase their own certificate. 

Thanks!

-Dennis M.