Cisco Email Security Appliance X1050 Troubleshooting Guide

Components Used
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command.
Background Information
The TLS implementation on the ESA provides privacy for point-to-point transmission of emails through
encryption. It allows an administrator to import a certificate and private key from a Certificate Authority (CA)
service, or use a self-signed certificate.
Cisco AsyncOS for Email Security supports the STARTTLS extension to Simple Mail Transfer Protocol
(SMTP) (Secure SMTP over TLS).
Tip: For more information about TLS, refer to RFC 3207.
Note: This document describes how to install certificates at the cluster level with the use of the Centralized
Management feature on the ESA. Certificates can be applied at the machine level as well; however, if the
machine is ever removed from the cluster and then added back, the machine-level certificates will be lost.
Functional Overview and Requirements
An administrator might desire to create a self-signed certificate on the appliance for any of these reasons:
• In order to encrypt the SMTP conversations with other MTAs that use TLS (both inbound and outbound conversations)
• In order to enable the HTTPS service on the appliance for access to the GUI via HTTPS
• For use as a client certificate for Lightweight Directory Access Protocols (LDAPs), if the LDAP server requires a client certificate
• In order to allow secure communication between the appliance and the Rivest-Shamir-Adleman (RSA) Enterprise Manager for Data Loss Protection (DLP)
• In order to allow secure communication between the appliance and a Cisco Advanced Malware Protection (AMP) Threat Grid Appliance
The ESA comes pre-configured with a demonstration certificate that can be used in order to establish TLS
connections.
Caution: While the demonstration certificate is sufficient for the establishment of a secure TLS connection,
be aware that it cannot offer a verifiable connection.
Cisco recommends that you obtain an X.509, or Privacy Enhanced Mail (PEM), certificate from a CA. This
might also be referred to as an Apache certificate. A certificate from a CA is preferable to a self-signed
certificate because a self-signed certificate, like the demonstration certificate mentioned previously,
cannot offer a verifiable connection.
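The following script is an added example, not part of the Cisco document: it performs STARTTLS against an MTA with a verifying TLS context and reports whether the presented certificate chains to a trusted CA, whether it is self-signed (issuer equal to subject, as with the demonstration certificate), and which DNS names it carries. The hostname argument and the sample certificate dictionaries are assumptions for illustration.

```python
"""Check whether an SMTP host's STARTTLS certificate is verifiable."""
import smtplib
import ssl


def is_self_signed(cert):
    """True when issuer and subject of a getpeercert()-style dict are equal.

    A self-signed certificate (including the ESA demonstration certificate)
    has issuer == subject, so no CA can vouch for it.
    """
    return cert.get("issuer") == cert.get("subject")


def san_hostnames(cert):
    """Return the DNS names listed in the certificate's subjectAltName."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_starttls(host, port=25, timeout=10):
    """Return a dict describing the STARTTLS verification outcome for host."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    result = {"host": host, "verified": False, "self_signed": None,
              "san": [], "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                result["error"] = "server does not advertise STARTTLS"
                return result
            smtp.starttls(context=ctx)  # raises if the chain does not verify
            cert = smtp.sock.getpeercert()
            result.update(verified=True,
                          self_signed=is_self_signed(cert),
                          san=san_hostnames(cert))
    except ssl.SSLCertVerificationError as exc:
        # Expected outcome for the demonstration or a self-signed certificate.
        result["error"] = f"not verifiable: {exc.verify_message}"
    except (smtplib.SMTPException, OSError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    import sys
    # Hostname is an assumed placeholder; pass the MTA to test as argv[1].
    print(check_starttls(sys.argv[1] if len(sys.argv) > 1 else "esa.example.test"))
```

A result with `verified` false and an error containing "self-signed certificate" is the condition the document describes as a connection that is secure but not verifiable.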