Cisco Email Security Appliance C680 User Guide

Cisco IronPort AsyncOS 7.3 for Email Advanced Configuration Guide
OL-23081-01
Chapter 1 FIPS Management
AsyncOS restricts the following CLI commands when the Email Security appliance is in FIPS compliance mode:
  • certconfig. The certificate subcommand only prints the certificates assigned to services. The certauthority subcommand has no restrictions.
  • domainkeysconfig. The key subcommand is restricted to the publickey, print, and list operations. The profiles subcommand does not allow the generation of keys interactively.
  • sslconfig. This command only prints the configured settings.
  • loadconfig. AsyncOS ignores any certificate and key pairs or signing keys found in an uploaded XML file.
Working with Multiple Email Security Appliances with HSM Cards
When you initialize an HSM card, the card generates a new master key. If you want to transfer certificates or signing keys from one Email Security appliance to another, you must first clone the master key from one HSM card (the source appliance) to another HSM card (the target appliance). Certificates and keys generated on one Email Security appliance will not work on another appliance if the HSM cards have different master keys. Cloning the master key allows the appliances to share certificates and keys.
If you are clustering appliances and want the clustered appliances to use the same certificates for TLS and HTTPS connections, clone the master key between their HSM cards.
Table 1-1    fipsconfig Subcommands (Continued)

fipsconfig Subcommand    Description
restore                  Restores certificates and keys from an XML file to the HSM card. For more information, see .
passwd                   Changes the FIPS Officer password.