Cisco Cisco Email Security Appliance C170 Betriebsanweisung
29-5
User Guide for AsyncOS 9.8 for Cisco Email Security Appliances
Chapter 29 FIPS Management
Managing Certificates and Keys
1. DEFAULT 512
To be FIPS compliant, you must modify the above listed objects to meet FIPS
requirements. For more information, see the FIPS Management chapter in the Cisco
AsyncOS Email User Guide.
FIPS mode is currently disabled.
Managing Certificates and Keys
You can encrypt communications between your appliance and external machines by using a certificate
and private key pair. You can upload an existing certificate and key pair, generate a self-signed
certificate, or generate a Certificate Signing Request (CSR) to submit to a certificate authority to obtain
a public certificate. The certificate authority will return a trusted public certificate signed by a private
key that you can then upload onto the appliance.
and private key pair. You can upload an existing certificate and key pair, generate a self-signed
certificate, or generate a Certificate Signing Request (CSR) to submit to a certificate authority to obtain
a public certificate. The certificate authority will return a trusted public certificate signed by a private
key that you can then upload onto the appliance.
The appliance’s FIPS mode adds a number of restrictions to the certificates that the appliance uses in
order for the appliance to be FIPS compliant. Certificates must use one of the following signature
algorithms: SHA-256, SHA-384, and SHA-512.
order for the appliance to be FIPS compliant. Certificates must use one of the following signature
algorithms: SHA-256, SHA-384, and SHA-512.
The appliance will not import certificates that do not use one of these algorithms. It also cannot be
switched to FIPS mode if it has any non-compliant certificates in use on a listener. It will displays an
error message instead.
switched to FIPS mode if it has any non-compliant certificates in use on a listener. It will displays an
error message instead.
A
Non-FIPS
status for a certificate will be displayed in both the CLI and the GUI when the appliance is
in FIPS mode. When selecting a certificate to use for a feature, such as a listener or destination control,
the appliance does not display non-compliant certificates as an option.
the appliance does not display non-compliant certificates as an option.
See
for more information on using certificates on your appliance.
You can use FIPS-compliant certificates with any of the following services:
•
SMTP receiving and delivery. Use the Network > Listeners page (or the
listenerconfig -> edit
-> certificate
CLI command) to assign the certificate to any listeners that require encryption
using TLS. You may want to only enable TLS on listeners facing the Internet (that is, public
listeners), or you may want to enable encryption for all listeners, including internal systems (that is,
private listeners).
listeners), or you may want to enable encryption for all listeners, including internal systems (that is,
private listeners).
•
Destination controls. Use the Mail Policies > Destination Controls page (or the
destconfig
CLI
command) to assign the certificate as a global setting to for all outgoing TLS connections for email
delivery.
delivery.
•
Interfaces. Use the Network > IP Interfaces page (or the
interfaceconfig
CLI command) to
enable the certificate for HTTPS services on an interface, including the management interface.
•
LDAP. Use the System Administration > LDAP page to assign the certificate for all LDAP traffic
that requires TLS connections. The appliance can also use LDAP for external authentication of
users.
that requires TLS connections. The appliance can also use LDAP for external authentication of
users.
Managing Keys for DKIM Signing and Verification
For an overview of how DomainKeys and DKIM work on the Email Security appliance, see
.
Related Topics
•