Cisco Email Security Appliance C160 User Guide

Cisco AsyncOS 8.5 for Email User Guide
 
Chapter 21: Encrypting Communication with Other MTAs
How to Encrypt SMTP Conversations using TLS
Obtaining Certificates
To use TLS, the Email Security appliance must have an X.509 certificate and matching private key for 
receiving and delivery. You may use the same certificate for both SMTP receiving and delivery and 
different certificates for HTTPS services on an interface, the LDAP interface, and all outgoing TLS 
connections to destination domains, or use one certificate for all of them.
You may purchase certificates and private keys from a recognized certificate authority service. A 
certificate authority is a third-party organization or company that issues digital certificates used to verify 
identity and distributes public keys. This provides an additional level of assurance that the certificate is 
issued by a valid and trusted identity. Cisco does not recommend one service over another. 
The Email Security appliance can create a self-signed certificate for your own use and generate a 
Certificate Signing Request (CSR) to submit to a certificate authority to obtain the public certificate. The 
certificate authority will return a trusted public certificate signed by a private key. Use the Network > 
Certificates page in the GUI or the certconfig command in the CLI to create the self-signed certificate, 
generate the CSR, and install the trusted public certificate.
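
A pre-install check for the certificate a certificate authority returns, as an added example that is not part of the Cisco guide: it runs OpenSSL on an administrator workstation (not the appliance's certconfig command) and confirms that the private key, the CSR and the returned certificate all carry the same public key and that the certificate has not expired. It assumes the key and CSR are available as PEM files; the file names and the subject mail.example.com are constructed, and a self-signed certificate stands in for the CA's reply.

```shell
#!/bin/sh
# Added example: run on an admin workstation with OpenSSL, not on the appliance.
# File names and the subject mail.example.com are constructed for illustration.

# Print the SHA-256 digest of the public key inside a private key, CSR or certificate.
pubkey_digest() {   # usage: pubkey_digest key|csr|cert FILE
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1       # unreadable file or wrong file type
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if CERT carries the public key of KEY and CSR and has not expired.
cert_ready_to_install() {   # usage: cert_ready_to_install KEY CSR CERT
    k=$(pubkey_digest key "$1")  || { echo "cannot read key" >&2; return 1; }
    r=$(pubkey_digest csr "$2")  || { echo "cannot read CSR" >&2; return 1; }
    c=$(pubkey_digest cert "$3") || { echo "cannot read certificate" >&2; return 1; }
    [ "$k" = "$r" ] || { echo "CSR was not generated from this key" >&2; return 1; }
    [ "$k" = "$c" ] || { echo "certificate does not match private key" >&2; return 1; }
    openssl x509 -in "$3" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 1; }
}

# Constructed sample material: a key, its CSR, a self-signed certificate, an unrelated key.
make_samples() {   # usage: make_samples DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=mail.example.com" \
        -keyout "$1/mta.key" -out "$1/mta.crt" 2>/dev/null &&
    openssl req -new -key "$1/mta.key" -subj "/CN=mail.example.com" \
        -out "$1/mta.csr" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
}

demo_dir=$(mktemp -d) && make_samples "$demo_dir" || exit 1
cert_ready_to_install "$demo_dir/mta.key" "$demo_dir/mta.csr" "$demo_dir/mta.crt" &&
    echo "mta.crt: ok to install"
cert_ready_to_install "$demo_dir/other.key" "$demo_dir/mta.csr" "$demo_dir/mta.crt" ||
    echo "other.key: rejected"
rm -rf "$demo_dir"      # do not leave sample private keys behind
```
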
If you are acquiring or creating a certificate for the first time, search the Internet for “certificate authority 
services SSL Server Certificates,” and choose the service that best meets the needs of your organization. 
Follow the service’s instructions for obtaining a certificate.
You can view the entire list of certificates on the Network > Certificates page in the GUI and in the CLI 
by using the print command after you configure the certificates using certconfig. Note that the print 
command does not display intermediate certificates.
Table 21-1 How to Encrypt SMTP Conversations using TLS

| Step | Do This | More Info |
|---|---|---|
| Step 1 | Obtain an X.509 certificate and private key from a recognized certificate authority. | |
| Step 2 | Install the certificate on the Email Security appliance | Install a certificate by either: |
| Step 3 | Enable TLS for receiving messages, delivering messages, or both | |
| Step 4 | (Optional) Customize the list of trusted certificate authorities that the appliance uses to verify a certificate from a remote domain to establish the domain’s credentials. | |
| Step 5 | (Optional) Configure the Email Security appliance to send an alert when it’s unable to deliver messages to a domain that requires a TLS connection. | |