Cisco Email Security Appliance C160 User Guide

User Guide for AsyncOS 9.8 for Cisco Email Security Appliances
 
Chapter 24 Encrypting Communication with Other MTAs
Ensuring That the List of Trusted Certificate Authorities in Your Appliance are Common Criteria-Compliant
To be Common Criteria-compliant, all the trusted certificate authorities installed (System and Custom 
Lists) in your appliance must have the CA flag set to TRUE. Perform the following steps to ensure that 
all the trusted certificate authorities installed in your appliance are Common Criteria-compliant.
Step 1
After upgrading your appliance to AsyncOS 9.8, copy the updated system list from your appliance to the 
host where you plan to access the web interface or the CLI. During the upgrade, the updated system list 
(systemca_with_ca_flag.pem) is copied to the /configuration directory on your appliance.
Example
username$ scp admin@email.example.com:/configuration/systemca_with_ca_flag.pem .
admin@email.example.com's password:
systemca_with_ca_flag.pem          100%  350KB 349.7KB/s   00:00
Step 2
If you are using a Custom List prior to the upgrade, do the following:
1. Run the certconfig > certauthority > custom > CHECK_CA_FLAG command in the CLI to check if 
   the CA flag is set to TRUE on all the certificate authorities in the custom list. Depending on whether 
   the certificate authorities are compliant, do one of the following:
   - If you find non-compliant certificate authorities, create a new custom list containing certificate 
     authorities with CA flag set to TRUE and continue to Step
   - If you did not find any non-compliant certificate authorities, continue to Step
2. Open the custom list in a text editor.
3. Append the contents of the systemca_with_ca_flag.pem file to the custom list and save your changes.
4. Log in to your appliance using the web interface.
5. Click Network > Certificates > Edit Certificate Authorities.
6. Enable Custom List and upload the updated custom list.
7. Disable System List.
8. Submit and commit your changes.
Step 3
If you are not using a Custom List prior to the upgrade, do the following:
1. Log in to your appliance using the web interface.
2. Click Network > Certificates > Edit Certificate Authorities.
3. Enable Custom List and upload the systemca_with_ca_flag.pem file.
4. Disable System List.
5. Submit and commit your changes.
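
The CA-flag requirement in Step 2 can also be pre-checked on the host before a custom list is uploaded. The script below is an added example, not part of the Cisco guide and not a substitute for CHECK_CA_FLAG: it walks each certificate's DER encoding using only the Python standard library and separates entries whose basicConstraints extension has cA=TRUE from those that do not. It assumes that "CA flag" means the X.509 basicConstraints cA field; the helper names (tlv, children, is_ca, filter_bundle) are hypothetical.

```python
# Added example, not Cisco code. Assumes "CA flag" means basicConstraints cA=TRUE.
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # content bytes of OID 2.5.29.19

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each element in buf[start:end]."""
    while start < end:
        tag, vs, ve = tlv(buf, start)
        yield tag, vs, ve
        start = ve

def is_ca(der):
    """True only if the certificate has basicConstraints with cA=TRUE."""
    _, cert_s, _ = tlv(der, 0)                   # Certificate SEQUENCE
    _, tbs_s, tbs_e = tlv(der, cert_s)           # tbsCertificate SEQUENCE
    for tag, vs, ve in children(der, tbs_s, tbs_e):
        if tag != 0xA3:                          # [3] EXPLICIT extensions
            continue
        _, exts_s, exts_e = tlv(der, vs)         # SEQUENCE OF Extension
        for _, xs, xe in children(der, exts_s, exts_e):
            parts = list(children(der, xs, xe))  # OID, optional critical, OCTET STRING
            if der[parts[0][1]:parts[0][2]] == BASIC_CONSTRAINTS:
                _, bc_s, bc_e = tlv(der, parts[-1][1])  # BasicConstraints SEQUENCE
                first = next(children(der, bc_s, bc_e), None)
                return bool(first and first[0] == 0x01
                            and der[first[1]:first[2]] not in (b"", b"\x00"))
    return False                                 # no extension: cA defaults to FALSE

def filter_bundle(pem_text):
    """Split a PEM bundle; return (compliant_blocks, rejected_blocks)."""
    keep, reject = [], []
    for m in PEM_RE.finditer(pem_text):
        try:
            (keep if is_ca(base64.b64decode(m.group(1))) else reject).append(m.group(0))
        except (ValueError, IndexError):         # malformed entry: treat as non-compliant
            reject.append(m.group(0))
    return keep, reject
```

Entries that fail to parse land in the rejected list, so review that list by hand; the appliance's own CHECK_CA_FLAG result remains the authoritative check.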
Enabling a Certificate for HTTPS
You can enable a certificate for HTTPS services on an IP interface using either the Network > IP 
Interfaces page in the GUI or the interfaceconfig command in the CLI.