Cisco Email Security Appliance C170 User Guide

Cisco IronPort AsyncOS 7.3 for Email Advanced Configuration Guide
OL-23081-01
Chapter 1      FIPS Management
Supported Certificate Key Types
When an SSL session uses an RSA key, the key is protected by the HSM card. 
When an SSL session uses a DSA key, the key is not protected by the HSM card. 
The web interface and CLI prevent administrators from uploading certificates that 
use DSA keys. 
Logging
For error messages related to FIPS management, read the FIPS Logs at the INFO 
level.
Centralized Management
If a cluster is started on a FIPS compliant appliance, only other FIPS compliant 
appliances can join the cluster. The fipsconfig CLI command and private keys 
are restricted to the machine level. The appliance that starts a cluster will not share 
its private keys at the cluster-level or group-level.
If you want the clustered appliances to use the same certificates and keys, you 
must clone a single master key among all the appliances and distribute the 
certificates and keys to them using the backup/restore function. For information 
on cloning a master key, see 
. For information on clustering, see 
Managing Certificates and Keys
AsyncOS allows you to encrypt SMTP conversations between listeners on the 
appliance and remote hosts by using a certificate and private key pair. You can 
upload an existing certificate and key pair, generate a self-signed certificate, or 
generate a Certificate Signing Request (CSR) to submit to a certificate authority 
to obtain a public certificate. The certificate authority will return a trusted public 
certificate signed by a private key that you can then upload onto the appliance.
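The key-type rule above (RSA material is HSM-protected, DSA material is rejected at upload) and the certificate/CSR workflow can be checked before you touch the appliance. The following is an added example, not code from the Cisco guide: a dependency-free check that walks the DER inside a PEM certificate, CSR or PKCS#8 private key and reports which key algorithm it carries. The two sample PEMs are constructed here with placeholder key bytes and are not usable keys.

```python
"""Pre-upload check: find the public-key algorithm inside a PEM blob (certificate,
CSR or PKCS#8 private key) by walking its DER structure, without extra libraries."""
import base64
import re

# DER-encoded key-algorithm OIDs: rsaEncryption, id-dsa, id-ecPublicKey.
KEY_ALG_OIDS = {bytes.fromhex("2a864886f70d010101"): "rsa",
                bytes.fromhex("2a8648ce380401"): "dsa",
                bytes.fromhex("2a8648ce3d0201"): "ec"}

def _walk(buf):
    """Yield (tag, body) for every DER element, descending into constructed ones."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        body, pos = buf[pos:pos + length], pos + length
        yield tag, body
        if tag & 0x20:  # constructed (SEQUENCE, SET, [n]): recurse into it
            yield from _walk(body)

def key_algorithm(pem):
    """Return 'rsa', 'dsa', 'ec' or None. Signature OIDs (sha256WithRSAEncryption etc.)
    differ from key OIDs, so the first key OID met is the SPKI/PrivateKeyInfo one."""
    der = base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))
    for tag, body in _walk(der):
        if tag == 0x06 and body in KEY_ALG_OIDS:
            return KEY_ALG_OIDS[body]
    return None

def hsm_protected(pem):
    """True only for RSA material: the key type the FIPS appliance keeps on the HSM."""
    return key_algorithm(pem) == "rsa"

# --- constructed sample PEMs (placeholder key bytes, not usable keys) ---
def _tlv(tag, body):  # short-form DER length is enough for these small samples
    return bytes([tag, len(body)]) + body

def _pkcs8_pem(alg_oid, params):
    alg = _tlv(0x30, _tlv(0x06, alg_oid) + params)
    der = _tlv(0x30, _tlv(0x02, b"\x00") + alg + _tlv(0x04, b"placeholder"))
    body = "\n".join(re.findall(".{1,64}", base64.b64encode(der).decode()))
    return "-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n" % body

RSA_KEY_PEM = _pkcs8_pem(bytes.fromhex("2a864886f70d010101"), _tlv(0x05, b""))
DSA_KEY_PEM = _pkcs8_pem(bytes.fromhex("2a8648ce380401"),
                         _tlv(0x30, _tlv(0x02, b"\x07") * 3))  # Dss-Parms p, q, g
```

Run `key_algorithm()` on the real certificate or CSR you intend to upload; anything other than `rsa` will not be accepted by the FIPS appliance and would not be HSM-protected even if it were.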