Cisco AMP Threat Grid 5500 Appliance Installation Guide
Cisco AMP Threat Grid Appliance Administrator's Guide
SSL CERTIFICATES AND THREAT GRID APPLIANCES
The certificates on the Threat Grid Appliance that are used for inbound SSL connections are configured in the
SSL Certificate Configuration page. The SSL certificates for the Clean and Admin interfaces can be
configured independently.
Select OpAdmin > Configuration > SSL. The SSL Certificate configuration page opens:
Figure 10 - SSL Certificate Configuration Page
There are two SSL certificates in the illustration above: "ThreatGRID Application" is the Clean interface, and
"Administration Portal" is the Admin interface.
CN Validation
In the SSL Certificate Configuration page, a colored padlock icon indicates the status of the SSL certificates on
the TG Appliance. The hostname must match the CN (“Common Name”) used in the SSL certificate. If they do
not match, you will need to replace the certificate with one that uses the current hostname. See Replacing an
SSL Certificate below.
• The green padlock icon indicates that the Clean interface hostname matches the CN ("Common
Name") used in the SSL certificate.
• The yellow padlock icon is a warning that the Admin interface hostname does NOT match the CN in that
SSL certificate. You will need to replace the certificate with one that uses the current hostname.
Replacing an SSL Certificate
SSL certificates usually need to be replaced at some time, for a variety of reasons. For example, they expire, or
the hostname changes. An SSL certificate may also need to be added or replaced in order to support
integrations between the Threat Grid Appliance and other Cisco devices and services.
ESA/WSA appliances and other CSA Cisco integrating devices may require an SSL certificate in which the
Common Name matches the Threat Grid Appliance hostname. In this case, you will need to replace the default
SSL certificate and generate a new one using the same hostname from which you'll be accessing the Threat Grid
Appliance.
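As an added example (not taken from the Cisco guide), the following shell functions use the openssl command line to generate a self-signed certificate whose CN is the appliance hostname and to confirm that the CN matches before the certificate is uploaded. The hostname tg.example.test, the file names and the function names are assumptions made for illustration; the comparison is an exact, case-insensitive CN match.

```sh
#!/bin/sh
# Added example: check that a certificate's CN matches the appliance hostname.
# tg.example.test, the file names and the function names are constructed.

# Print the subject Common Name (CN) of a PEM certificate file.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# Succeed only when the CN equals the hostname (exact, case-insensitive).
cn_matches_host() {   # usage: cn_matches_host CERTFILE HOSTNAME
    cn=$(cert_cn "$1" | tr '[:upper:]' '[:lower:]')
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -n "$cn" ] && [ "$cn" = "$host" ]
}

# Create a self-signed certificate and key whose CN is the given hostname.
make_selfsigned() {   # usage: make_selfsigned HOSTNAME KEYFILE CERTFILE
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1" -keyout "$2" -out "$3" 2>/dev/null
}

# Report the result in the terms the padlock icons use.
check_cert() {        # usage: check_cert CERTFILE HOSTNAME
    if cn_matches_host "$1" "$2"; then
        echo "OK: CN '$(cert_cn "$1")' matches hostname '$2'"
    else
        echo "WARNING: CN '$(cert_cn "$1")' does not match hostname '$2'"
        return 1
    fi
}

# Demonstration with a constructed hostname and throwaway files.
demo() {
    dir=$(mktemp -d) || return 1
    make_selfsigned tg.example.test "$dir/tg.key" "$dir/tg.crt" || return 1
    check_cert "$dir/tg.crt" tg.example.test
    check_cert "$dir/tg.crt" old-name.example.test || true
    rm -rf "$dir"
}
demo
```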