Cisco Email Security Appliance C160 User Guide
21-3
Cisco AsyncOS 8.5 for Email User Guide
Chapter 21 Encrypting Communication with Other MTAs
Obtaining Certificates
Warning
Your appliance ships with a demonstration certificate to test the TLS and HTTPS functionality, but
enabling either service with the demonstration certificate is not secure and is not recommended for
general use. When you enable either service with the default demonstration certificate, a warning
message is printed in the CLI.
Intermediate Certificates
In addition to root certificate verification, AsyncOS supports the use of intermediate certificate
verification. Intermediate certificates are certificates issued by a trusted root certificate authority that
are then used to issue additional certificates, effectively creating a chain of trust. For example,
a certificate may be issued by godaddy.com, which, in turn, has been granted the right to issue certificates by a
trusted root certificate authority. The certificate issued by godaddy.com must be validated against
godaddy.com’s private key as well as the trusted root certificate authority’s private key.
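As an added illustration of the chain just described (this script is not from the Cisco guide), the following OpenSSL commands build a root CA, an intermediate CA signed by it, and an MTA certificate signed by the intermediate, then verify the MTA certificate with and without the intermediate available. All subject names and hostnames are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: build root -> intermediate -> MTA
# certificate chain and check how verification behaves. Names are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Root CA: self-signed (req -x509 marks it CA:TRUE via the default config).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Example Root CA" -keyout root.key -out root.pem 2>/dev/null

# Intermediate CA: CSR signed by the root, with CA:TRUE so it may issue certs.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile inter.ext -out inter.pem 2>/dev/null

# MTA (leaf) certificate: issued by the intermediate, not by the root directly.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
  -keyout mta.key -out mta.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > mta.ext
openssl x509 -req -in mta.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -extfile mta.ext -out mta.pem 2>/dev/null

# verify_leaf TRUSTED_ROOTS [INTERMEDIATE]: prints "ok" when openssl can build
# a chain from mta.pem up to a trusted self-signed root, "fail" otherwise.
verify_leaf() {
  if [ "$#" -ge 2 ]; then
    openssl verify -CAfile "$1" -untrusted "$2" mta.pem >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" mta.pem >/dev/null 2>&1 && echo ok || echo fail
  fi
}

echo "root + intermediate: $(verify_leaf root.pem inter.pem)"   # ok
echo "root only:           $(verify_leaf root.pem)"             # fail: issuer (intermediate) unknown
echo "intermediate only:   $(verify_leaf inter.pem)"            # fail: no self-signed trust anchor
```

The "root only" failure is what a peer sees when an MTA presents its certificate without the intermediate, which is why the intermediate must be installed alongside the appliance's certificate.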
Certificates and Centralized Management
A certificate usually uses the local machine’s hostname for the certificate’s common name. If your Email
Security appliances are part of a cluster, you will need to import a certificate for each cluster member at
the machine level, with the exception of a wildcard certificate that you can install at the cluster level.
Each cluster member’s certificate must use the same certificate name so the cluster can refer to it when
a member’s listener is communicating with another machine.
Creating a Self-Signed Certificate using the GUI
You might want to create or import a certificate on the appliance for any of the following reasons:
• To encrypt SMTP conversations with other MTAs using TLS (both inbound and outbound conversations).
• To enable the HTTPS service on the appliance for accessing the GUI using HTTPS.
• To use as a client certificate for LDAPS if the LDAP server asks for a client certificate.
• To allow secure communication between the appliance and RSA Enterprise Manager for DLP.
Procedure
Step 1 Navigate to the Network > Certificates page.
Step 2 Click Add Certificate.
Step 3 Select Create Self-Signed Certificate.
shows the Add Certificate page with the Create Self-Signed Certificate option selected.