Cisco Email Security Appliance X1070 Troubleshooting Guide

Add/Import New PKCS#12 Certificate on the Cisco ESA GUI
Document ID: 117839
Contributed by Donny Lee, Cisco TAC Engineer.
Jun 25, 2014
Contents
Introduction
Prerequisites
     Requirements
Problem
Workaround
Introduction
This document describes how to add/import new Public Key Cryptography Standards (PKCS) #12 certificates
on the Cisco Email Security Appliance (ESA) GUI.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
• Cisco ESA
• AsyncOS 7.1 and later
Problem
In AsyncOS 7.1.0 and later, it is possible to manage/add certificates in the GUI of the email appliances.
However, the new certificate has to be in PKCS#12 format, so this requirement adds some extra
steps after receiving the Certificate Authority (CA) certificate.
Generating a PKCS#12 certificate also requires the Private Key Certificate. If you run the Certificate Signing
Request (CSR) from the Cisco ESA CLI command certconfig, you will not receive the Private Key
Certificate. The Private Key Certificate created in the GUI menu (Mail Policies > Signing Keys) will not be
valid when you use it to generate a PKCS#12 certificate together with the CA certificate.
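The requirement above, that the PKCS#12 file be built from the CA-issued certificate together with the private key that produced its CSR, can be checked with OpenSSL before anything is imported into the GUI. The following is an added example, not part of the original Cisco document: the file names, subject, passphrase and the self-signed certificate standing in for the CA's reply are assumptions.

```shell
#!/usr/bin/env bash
# Added example: CSR + private key -> certificate -> PKCS#12, with a key/cert match check.
# Assumptions (not from the Cisco document): file names, subject, passphrase, and a
# self-signed certificate standing in for the certificate the CA would return.

# Print the SHA-256 of the public key held in a private key, CSR or certificate.
pubkey_hash() {  # $1 = key|req|x509, $2 = file
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    req)  openssl req  -in "$2" -noout -pubkey ;;
    x509) openssl x509 -in "$2" -noout -pubkey ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only when the certificate was issued for this private key.
key_matches_cert() {  # $1 = private key file, $2 = certificate file
  [ "$(pubkey_hash key "$1")" = "$(pubkey_hash x509 "$2")" ]
}

build_p12() {  # $1 = work dir, $2 = common name, $3 = export passphrase
  # 1. Create the private key and CSR together on the workstation so the key is kept.
  #    -nodes leaves the key unencrypted on disk: restrict access and remove it after import.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/esa.key" -out "$1/esa.csr" 2>/dev/null || return 1
  # 2. Stand-in for the CA (constructed): self-sign the CSR. A real CA returns esa.crt.
  openssl x509 -req -in "$1/esa.csr" -signkey "$1/esa.key" -days 30 \
    -out "$1/esa.crt" 2>/dev/null || return 1
  # 3. Refuse to bundle a certificate with a key it was not issued for.
  key_matches_cert "$1/esa.key" "$1/esa.crt" || { echo "key/cert mismatch" >&2; return 1; }
  # 4. Bundle key + certificate as PKCS#12, then confirm the file opens with the passphrase.
  openssl pkcs12 -export -inkey "$1/esa.key" -in "$1/esa.crt" -name "$2" \
    -passout "pass:$3" -out "$1/esa.p12" || return 1
  openssl pkcs12 -in "$1/esa.p12" -passin "pass:$3" -nokeys -noout 2>/dev/null
}

# Demo run in a throwaway directory (all values constructed).
work=$(mktemp -d)
build_p12 "$work" "esa.example.test" "changeit" && echo "PKCS#12 written to $work/esa.p12"
```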
Workaround
1. Install OpenSSL application if your workstation does not have it. The Windows version can be
downloaded from here.
Ensure that Visual C++ 2008 Redistributables is installed before the OpenSSL Win32.
2. Use a template to create a script to generate CSR and Private Key in here.
The script will look like this: