Cisco Email Security Appliance C170 User Guide

25-4
User Guide for AsyncOS 10.0 for Cisco Email Security Appliances
Chapter 25      Encrypting Communication with Other MTAs
  Working with Certificates
Certificates and Centralized Management
A certificate usually uses the local machine's hostname as the certificate's common name. If your Email
Security appliances are part of a cluster, you must import a separate certificate for each cluster member
at the machine level; the one exception is a wildcard certificate, which you can install once at the cluster
level. Each cluster member's certificate must be imported under the same certificate name, so that the
cluster can refer to that one name when a member's listener is communicating with another machine.
Intermediate Certificates
In addition to root certificate verification, AsyncOS supports intermediate certificate verification.
Intermediate certificates are certificates issued by a trusted root certificate authority that are then
used to issue further certificates, creating a chain of trust. For example, a certificate may be issued by
godaddy.com, which in turn has been granted the right to issue certificates by a trusted root certificate
authority. To validate the certificate issued by godaddy.com, the verifier checks its signature with
godaddy.com's public key (taken from the intermediate certificate) and then checks the intermediate
certificate's signature with the trusted root certificate authority's public key. The private keys are used
only to create those signatures and never leave the issuer. The intermediate certificate must therefore be
available to the verifier, either installed on the appliance or presented by the peer together with its own
certificate; a chain that stops at an intermediate the verifier does not have fails verification, even though
the root itself is trusted.
Creating a Self-Signed Certificate
You might want to create a self-signed certificate on the appliance for any of the following reasons:
• To encrypt SMTP conversations with other MTAs using TLS (both inbound and outbound
conversations).
• To enable the HTTPS service on the appliance for accessing the GUI using HTTPS.
• To use as a client certificate for LDAPS if the LDAP server asks for a client certificate.
• To allow secure communication between the appliance and RSA Enterprise Manager for DLP.
• To allow secure communication between the appliance and a Cisco AMP Threat Grid Appliance.
Because no certificate authority vouches for a self-signed certificate, the peer that must trust it has to
import that exact certificate itself, which is what the import step in the procedure below does.
To create a self-signed certificate using the CLI, use the certconfig command.
Procedure

Step     Do This                                                  More Info
Step 1   Select Network > Certificates.
Step 5   Generate and export a self-signed certificate from       See the documentation for the other machine.
         the other machine.
Step 6   Import the self-signed certificate from the other        or
         machine into the Email Security appliance.               See the chapter in this guide for configuring
                                                                  communication with that machine.
                                                                  For example, to configure secure communications
                                                                  with a Cisco AMP Threat Grid Appliance, see
                                                                  instructions for configuring Advanced settings in
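The chain validation described under Intermediate Certificates and the export/import exchange of Steps 5 and 6 above, as an added example that is not part of this guide or of AsyncOS: the Go program below (standard library only) mints a root CA, an intermediate CA and a server certificate, verifies the server certificate with and without the intermediate, and round-trips a self-signed certificate through PEM export and import, pinning it as its own trust root. The names (Example Root CA, Example Intermediate CA, mail.example.com, mta.example.com), the ECDSA P-256 keys and the one-year validity are assumptions for illustration; on a real deployment the PEM you import on the appliance is the one exported from the other machine, and certconfig generates the appliance's own keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// template builds a minimal certificate: CAs get the CA basic constraint and
// cert-signing key usage; end entities carry the hostname as a DNS SAN, which
// is what a TLS peer checks. (Example code, not the appliance's certconfig.)
func template(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{cn}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	return t
}

// issue generates a fresh P-256 key for tmpl and lets signerKey (the issuer's
// private key) sign it. A nil parent means self-signed: tmpl signs itself.
func issue(tmpl, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildChain mints root -> intermediate -> server certificate for hostname.
func BuildChain(hostname string) (root, inter, leaf *x509.Certificate, err error) {
	var rootKey, interKey *ecdsa.PrivateKey
	if root, rootKey, err = issue(template("Example Root CA", true, 1), nil, nil); err != nil {
		return
	}
	if inter, interKey, err = issue(template("Example Intermediate CA", true, 2), root, rootKey); err != nil {
		return
	}
	leaf, _, err = issue(template(hostname, false, 3), inter, interKey)
	return
}

// VerifyChain validates leaf as a TLS peer would: each signature is checked
// with the issuer's public key, the chain must end at a trusted root, and the
// leaf must be valid for dnsName. Intermediates only help build the chain.
func VerifyChain(leaf *x509.Certificate, roots, intermediates []*x509.Certificate, dnsName string) error {
	// Explicit pools even when empty: a nil Roots would silently use the system roots.
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), DNSName: dnsName}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

// SelfSignedRoundTrip is Steps 5 and 6 in code: the other machine generates a
// self-signed certificate and exports it as PEM; the appliance imports it and
// pins that exact certificate, since no CA vouches for it.
func SelfSignedRoundTrip(hostname string) (*x509.Certificate, error) {
	cert, _, err := issue(template(hostname, false, 4), nil, nil)
	if err != nil {
		return nil, err
	}
	exported := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}) // Step 5: export
	blk, _ := pem.Decode(exported)                                                  // Step 6: import
	if blk == nil || blk.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	imported, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return nil, err
	}
	// Verifies only because the imported copy is pinned as its own trust root.
	return imported, VerifyChain(imported, []*x509.Certificate{imported}, nil, hostname)
}
```

Call BuildChain and VerifyChain from a main function or a test. VerifyChain returns nil only when the root is trusted and the intermediate is available to build the chain; leave the intermediate out, change the hostname, or swap in a different root that merely shares the name "Example Root CA", and it returns an error, because the check is on the signing key, not on the name. The self-signed certificate verifies only when it is itself in the trusted set, which is why Step 6 imports it on the appliance instead of relying on any CA.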