Cisco Email Security Appliance C650 User Guide

Cisco AsyncOS 8.0 for Email User Guide
 
Chapter 15      Data Loss Prevention
  RSA Enterprise Manager
Generating Client and Server Certificates using RSA’s Certificate Tool
RSA provides a certificate generation tool that you can use to generate a single .p12 file that you can use 
as both the server and client certificate for the connection. If you want to use different certificates for 
the appliance and the Enterprise Manager server, you must get them from another source. 
This tool creates and stores two files on the Enterprise Manager server: the .p12 certificate file and a 
.pem certificate file. If you want to use the .p12 file, you must also import the .pem file onto the Email 
Security appliance as a certificate authority list. 
For more information, see the RSA documentation. 
Procedure
Step 1: Open a command prompt on the Enterprise Manager server.
Step 2: Change to C:\Program Files\RSA\Enterprise Manager\etc.
Step 3: Run the following command:
"%JAVA_HOME%/bin/java" -cp ./emcerttool.jar com.rsa.dlp.tem.X509CertGenerator -clientservercasigned -cacn <NAME OF CA PROVIDED DURING INSTALL> -cakeystore catem-keystore -castorepass <PASSWORD FOR CA PROVIDED DURING INSTALL> -cn <DEVICE_CN> -storepass <DEVICE STORE PASSWORD> -keystore <NAME OF DEVICE STORE>
Note: The common name of the certificate must be the hostname of the Email Security appliance.
If Enterprise Manager manages the connected Email Security appliances at the group or cluster 
level, each appliance requires a certificate with a Common Name that matches the hostname of 
that appliance. 
A sample command may look like the following:
"%JAVA_HOME%/bin/java" -cp ./emcerttool.jar com.rsa.dlp.tem.X509CertGenerator -clientservercasigned -cacn emc-cisco -cakeystore catem-keystore -castorepass esaem -cn ironport -storepass esaem -keystore device-store
You can also use the following additional command-line switches: 
-org <value in double quotes if it contains space>
-orgunit <value in double quotes if it contains space>
-title <value in double quotes if it contains space>
-validity <number of days>
This procedure outputs the <device-store>.p12 file to the same folder.
This .p12 file is the certificate that you will upload to the Email Security appliance.
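
When Enterprise Manager manages several appliances, the procedure has to be repeated once per hostname. The PowerShell script below is an added example, not taken from the Cisco or RSA documentation: it runs the command from Step 3 for each appliance and then opens each resulting .p12 to confirm that its Common Name matches the hostname before upload. The hostnames, the per-appliance store naming and the assumption that the .p12 is protected with the -storepass value are assumptions of this example.

```powershell
# Added example; not part of the Cisco or RSA documentation.
# Run from C:\Program Files\RSA\Enterprise Manager\etc on the Enterprise Manager server.
$Appliances = @('esa1.example.com', 'esa2.example.com')  # constructed hostnames
$CaName    = Read-Host 'Name of CA provided during install'
$CaPass    = Read-Host 'Password for CA provided during install' -AsSecureString
$StorePass = Read-Host 'Device store password' -AsSecureString

function ConvertTo-PlainText([securestring]$Secure) {
    # The tool takes passwords as command-line arguments, so unwrap them only here.
    [System.Net.NetworkCredential]::new('', $Secure).Password
}

foreach ($hostName in $Appliances) {
    # One store per appliance; this naming scheme is an assumption of the example.
    $store = 'device-store-' + ($hostName -replace '\.', '-')
    & "$env:JAVA_HOME\bin\java" -cp ./emcerttool.jar `
        com.rsa.dlp.tem.X509CertGenerator -clientservercasigned `
        -cacn $CaName -cakeystore catem-keystore `
        -castorepass (ConvertTo-PlainText $CaPass) `
        -cn $hostName -storepass (ConvertTo-PlainText $StorePass) `
        -keystore $store

    $p12 = Join-Path $PWD.Path "$store.p12"
    if (-not (Test-Path -LiteralPath $p12)) {
        Write-Warning "$hostName : $store.p12 was not created"
        continue
    }

    # Assumption: the .p12 is protected with the -storepass value.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($p12, $StorePass)
    $cn   = $cert.GetNameInfo('SimpleName', $false)

    # One result row per appliance; CnMatchesHost must be True before upload.
    [pscustomobject]@{
        Appliance     = $hostName
        File          = "$store.p12"
        CommonName    = $cn
        CnMatchesHost = ($cn -ieq $hostName)
        HasPrivateKey = $cert.HasPrivateKey
        NotAfter      = $cert.NotAfter
    }
}
```

Prompting for the passwords keeps them out of the script file and shell history, although they are still visible in the process list while the tool runs.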