Cisco Cisco Email Security Appliance C160 Mode D'Emploi
24-3
Cisco AsyncOS 8.0.1 for Email User Guide
Chapter 24 FIPS Management
Managing Keys for DKIM Signing and Verification
The appliance’s FIPS mode adds a number of restrictions to the certficates that the appliance uses in
order for the appliance to be FIPS compliant. Certificates must use one of the following signature
algorithms: SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512.
order for the appliance to be FIPS compliant. Certificates must use one of the following signature
algorithms: SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512.
The appliance will not import certificates that do not use one of these algorithms. It also cannot be
switched to FIPS mode if it has any non-compliant certificates in use on a listener. It will displays an
error message instead.
switched to FIPS mode if it has any non-compliant certificates in use on a listener. It will displays an
error message instead.
A
Non-FIPS
status for a certificate will be displayed in both the CLI and the GUI when the appliance is
in FIPS mode. When selecting a certificate to use for a feature, such as a listener or destination control,
the appliance does not display non-compliant certificates as an option.
the appliance does not display non-compliant certificates as an option.
See
for more information on using certficates on your appliance.
You can use FIPS-compliant certificates with any of the following services:
•
SMTP receiving and delivery. Use the Network > Listeners page (or the
listenerconfig -> edit
-> certificate
CLI command) to assign the certificate to any listeners that require encryption
using TLS. You may want to only enable TLS on listeners facing the Internet (that is, public
listeners), or you may want to enable encryption for all listeners, including internal systems (that is,
private listeners).
listeners), or you may want to enable encryption for all listeners, including internal systems (that is,
private listeners).
•
Destination controls. Use the Mail Policies > Destination Controls page (or the
destconfig
CLI
command) to assign the certificate as a global setting to for all outgoing TLS connections for email
delivery.
delivery.
•
Interfaces. Use the Network > IP Interfaces page (or the
interfaceconfig
CLI command) to
enable the certificate for HTTPS services on an interface, including the management interface.
•
LDAP. Use the System Administration > LDAP page to assign the certificate for all LDAP traffic
that requires TLS connections. The appliance can also use LDAP for external authentication of
users.
that requires TLS connections. The appliance can also use LDAP for external authentication of
users.
Managing Keys for DKIM Signing and Verification
For an overview of how DomainKeys and DKIM work on the Email Security appliance, see
.
DKIM Signing
When creating a DKIM signing key, you specify a key size. Email Security appliances in FIPS mode
only support the 1024, 1536, and 2048 bits key sizes. The larger key sizes is more secure; however, larger
keys can have an impact on performance.
only support the 1024, 1536, and 2048 bits key sizes. The larger key sizes is more secure; however, larger
keys can have an impact on performance.
The appliance cannot be switched to FIPS mode if it has any non-compliant RSA keys in use. It will
displays an error message instead.
displays an error message instead.
FIPS-compliant signing keys are available for use in domain profiles and appear in the Signing Key list
when creating or editing a domain profile using the Mail Policies > Domain Profiles page. Once you
have associated a signing key with a domain profile, you can create DNS text record which contains your
public key. You do this via the Generate link in the DNS Text Record column in the domain profile listing
(or via
when creating or editing a domain profile using the Mail Policies > Domain Profiles page. Once you
have associated a signing key with a domain profile, you can create DNS text record which contains your
public key. You do this via the Generate link in the DNS Text Record column in the domain profile listing
(or via
domainkeysconfig -> profiles -> dnstxt
in the CLI).