Cisco Email Security Appliance C170 User Manual
User Guide for AsyncOS 9.7 for Cisco Email Security Appliances
Chapter 24 Encrypting Communication with Other MTAs
Working with Certificates
Certificates and Centralized Management
A certificate usually uses the local machine’s hostname as the certificate’s common name. If your Email Security appliances are part of a cluster, you need to import a certificate for each cluster member at the machine level, with the exception of a wildcard certificate, which you can install at the cluster level. Each cluster member’s certificate must use the same certificate name so that the cluster can refer to it when a member’s listener is communicating with another machine.
Intermediate Certificates
In addition to root certificate verification, AsyncOS supports the use of intermediate certificate verification. Intermediate certificates are certificates issued by a trusted root certificate authority that are then used to create additional certificates, effectively creating a chained line of trust. For example, a certificate may be issued by godaddy.com, which in turn is granted the right to issue certificates by a trusted root certificate authority. The certificate issued by godaddy.com must be validated against godaddy.com’s private key as well as the trusted root certificate authority’s private key.
Creating a Self-Signed Certificate
You might want to create a self-signed certificate on the appliance for any of the following reasons:
• To encrypt SMTP conversations with other MTAs using TLS (both inbound and outbound conversations).
• To enable the HTTPS service on the appliance for accessing the GUI using HTTPS.
• To use as a client certificate for LDAPS if the LDAP server asks for a client certificate.
• To allow secure communication between the appliance and RSA Enterprise Manager for DLP.
• To allow secure communication between the appliance and a Cisco AMP Threat Grid Appliance.
To create a self-signed certificate using the CLI, use the certconfig command.
Procedure
Step 1 Select Network > Certificates.
Step 2 Click Add Certificate.
Step 3 Select Create Self-Signed Certificate.
Step 4 Enter the following information for the self-signed certificate:
Common Name: The fully qualified domain name.
Organization: The exact legal name of the organization.
Organizational Unit: Section of the organization.
City (Locality): The city where the organization is legally located.
State (Province): The state, county, or region where the organization is legally located.
Country: The two-letter ISO abbreviation of the country where the organization is legally located.