Cisco Email Security Appliance C170 User Guide
2-53
Cisco IronPort AsyncOS 7.3 for Email Advanced Configuration Guide
OL-23081-01
Chapter 2      Customizing Listeners
Obtaining Certificates
To use TLS, the IronPort appliance must have an X.509 certificate and matching private key for receiving and delivery. You may use the same certificate for both SMTP receiving and delivery and different certificates for HTTPS services on an interface, the LDAP interface, and all outgoing TLS connections to destination domains, or use one certificate for all of them.
You may purchase certificates and private keys from a recognized certificate authority service. A certificate authority is a third-party organization or company that issues digital certificates used to verify identity and distributes public keys. This provides an additional level of assurance that the certificate is issued by a valid and trusted identity. IronPort does not recommend one service over another.
The Cisco IronPort appliance can create a self-signed certificate for your own use and generate a Certificate Signing Request (CSR) to submit to a certificate authority to obtain the public certificate. The certificate authority will return a trusted public certificate signed by a private key. Use the Network > Certificates page in the GUI or the certconfig command in the CLI to create the self-signed certificate, generate the CSR, and install the trusted public certificate.
If you are acquiring or creating a certificate for the first time, search the Internet for “certificate authority services SSL Server Certificates,” and choose the service that best meets the needs of your organization. Follow the service’s instructions for obtaining a certificate.
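The three steps the text assigns to certconfig (key and CSR, interim self-signed certificate, install of the CA-signed certificate), shown with openssl as an added example that is not from the Cisco guide or AsyncOS, followed by two checks worth running on a certificate returned by a CA before importing it: that its public key matches the key the CSR was generated from, and that its subject carries the listener host name. The host name, scratch directory and key size are assumptions.

```shell
#!/bin/sh
# Added example, not from the Cisco guide. Host name, directory and key
# size below are assumed values for the demonstration.
set -eu
WORK="${TMPDIR:-/tmp}/esa-cert-demo"   # assumed scratch directory
HOST="mail.example.com"                # assumed listener host name
mkdir -p "$WORK"

# Step 1: private key plus CSR, the artefacts "generate the CSR" yields.
gen_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$HOST.key" -out "$WORK/$HOST.csr" \
    -subj "/CN=$HOST/O=Example Org" >/dev/null 2>&1
}

# Step 2: self-signed certificate from the same CSR and key, for use
# until the CA returns the signed certificate.
gen_self_signed() {
  openssl x509 -req -in "$WORK/$HOST.csr" -signkey "$WORK/$HOST.key" \
    -days 365 -sha256 -out "$WORK/$HOST.selfsigned.pem" >/dev/null 2>&1
}

# Check A: the certificate's public key must match the private key on
# the appliance. Compares SHA-256 of both SubjectPublicKeyInfo blobs and
# prints "match" or "mismatch". A certificate issued against a different
# key (wrong CSR, re-generated key) is caught here, before import.
cert_matches_key() {   # $1 = certificate PEM, $2 = private key PEM
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ] && echo match || echo mismatch
}

# Check B: the subject CN must be the name the listener presents, or
# peers doing strict TLS verification will reject it. Prints "ok"/"bad-cn".
cert_has_cn() {        # $1 = certificate PEM, $2 = expected CN
  openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2" \
    && echo ok || echo bad-cn
}

gen_key_and_csr && gen_self_signed
cert_matches_key "$WORK/$HOST.selfsigned.pem" "$WORK/$HOST.key"   # match
cert_has_cn "$WORK/$HOST.selfsigned.pem" "$HOST"                   # ok
```

Run the same two checks against the PEM the CA returns (in place of the self-signed file) before installing it with certconfig.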
You can view the entire list of certificates on the Network > Certificates page in the GUI and in the CLI by using the print command after you configure the certificates using certconfig. Note that the print command does not display intermediate certificates.
Note
On Email Security appliances with FIPS-compliant HSM cards, AsyncOS restricts the Network > Certificates page and the certconfig CLI command from generating and importing certificate and key pairs. The FIPS Officer can generate the certificate and key pairs using the FIPS Mode > Certificates and Keys page and the fipsconfig > certconfig CLI command.