Cisco Email Security Appliance C650 User Guide
Cisco IronPort AsyncOS 7.3 for Email Advanced Configuration Guide
OL-23081-01
Chapter 1 FIPS Management
Supported Certificate Key Types
When an SSL session uses an RSA key, the key is protected by the HSM card.
When an SSL session uses a DSA key, the key is not protected by the HSM card.
The web interface and CLI prevent administrators from uploading certificates that
use DSA keys.
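A pre-upload check for the key type restriction described above, as an added example that is not part of the Cisco guide: it reads the public key algorithm from a PEM certificate using only the Python standard library. The function names and the constructed sample certificate skeleton are assumptions made for illustration.

```python
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
DSA_OID = bytes.fromhex("2a8648ce380401")      # 1.2.840.10040.4.1 id-dsa

def read_tlv(buf, pos):
    """Decode the DER element at pos; return (tag, body, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split a constructed element's body into (tag, body) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, child, pos = read_tlv(body, pos)
        out.append((tag, child))
    return out

def key_type(pem_text):
    """Return 'RSA', 'DSA' or 'other' for a PEM certificate's public key."""
    lines = [l.strip() for l in pem_text.splitlines()]
    der = base64.b64decode("".join(l for l in lines if not l.startswith("-----")))
    tbs = children(children(read_tlv(der, 0)[1])[0][1])
    if tbs[0][0] == 0xA0:  # optional explicit version field
        tbs = tbs[1:]
    spki = children(tbs[5][1])  # follows serial, sigAlg, issuer, validity, subject
    oid = children(spki[0][1])[0][1]
    return {RSA_OID: "RSA", DSA_OID: "DSA"}.get(oid, "other")

def tlv(tag, body=b""):
    """Encode a short DER element; used only to build the constructed sample."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def sample_pem(key_oid):
    """Constructed certificate skeleton: empty names, no real key or signature."""
    alg = tlv(0x30, tlv(0x06, key_oid) + tlv(0x05))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + tlv(0x30) + tlv(0x30) + tlv(0x30) + spki)
    der = tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

Running `key_type(open(path).read())` on a certificate file before upload shows whether it carries an RSA key or a DSA key that the web interface and CLI will refuse.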
Logging
For error messages related to FIPS management, read the FIPS Logs at the INFO
level.
Centralized Management
If a cluster is started on a FIPS compliant appliance, only other FIPS compliant
appliances can join the cluster. The fipsconfig CLI command and private keys
are restricted to the machine level. The appliance that starts a cluster will not share
its private keys at the cluster-level or group-level.
If you want the clustered appliances to use the same certificates and keys, you
must clone a single master key among all the appliances and distribute the
certificates and keys to them using the backup/restore function. For information
on cloning a master key, see
. For information on clustering, see
Managing Certificates and Keys
AsyncOS allows you to encrypt SMTP conversations between listeners on the
appliance and remote hosts by using a certificate and private key pair. You can
upload an existing certificate and key pair, generate a self-signed certificate, or
generate a Certificate Signing Request (CSR) to submit to a certificate authority
to obtain a public certificate. The certificate authority will return a trusted public
certificate signed by a private key that you can then upload onto the appliance.