Cisco Ironport SSL certificate update

Replacing an SSL certificate on an IronPort appliance varies by model. In addition, once the certificate is installed you need to update the configuration everywhere it is used; a service keeps presenting the old certificate until its own setting points at the new profile. Last time I checked, Cisco documentation was not very clear on this, so when it came time to replace expiring certificates again I gathered my old notes and organized them in this post. The following process covers SSL certificate installation/update on the Cisco IronPort Email Security Appliance (ESA) and, further down, on the Security Management Appliance (SMA).

Components:
Cisco IronPort ESA: AsyncOS 9.1.0-032
Cisco IronPort SMA: AsyncOS 9.6.0-051

In most cases a wildcard certificate is used for the TLS/SSL services on the ESA. Keep in mind that its private key then protects every host under that domain, so the appliance, and any configuration export that contains the key (see below), must be handled with the same care as the key itself. To import an existing certificate, the file needs to be in PKCS#12 format, protected with a password, and contain both the certificate and the private key. If you do not have a certificate and private key to import, create a Certificate Signing Request (CSR) on the appliance instead:

  • Go to Network -> Certificates -> Add Certificate
  • Choose "Create Self-Signed Certificate" and fill in the subject fields; the Common Name must be the hostname that remote mail servers and browsers connect to (or the wildcard name)
  • Submit
  • Commit the changes
  • Click on the newly created certificate profile
  • Click the "Download certificate signing request" link
  • Send the downloaded CSR to your Certificate Authority for signing. The private key never leaves the appliance, so the signed certificate must come back into this same profile

To install the signed certificate that you receive back:

  • Go to Network -> Certificates
  • Click on the name of your certificate profile
  • Click the "Browse" button and select the signed certificate returned by the CA
  • Upload the intermediate certificate(s) as well. The page marks this as optional, but if your CA signs from an intermediate and you leave it out, remote mail servers and browsers that do not already have that intermediate cannot build the chain and will fail or warn on verification
  • Submit this page
  • Commit the changes.

Once the signed certificate is installed, you must point each TLS/SSL service on the appliance at the new certificate profile; installing it alone does not change what is served. The following instructions cover the necessary configuration steps for each service:

For Inbound TLS:

  • Go to Network > Listeners
  • Click on the name of your listener
  • Select the certificate in the “Certificate” drop down
  • Submit this page
  • Repeat above steps for any other listeners
  • Commit the changes

For Outbound TLS:

  • Go to Mail Policies > Destination Controls > Edit Global Settings
  • Select the certificate in the “Certificate” drop down
  • Submit this page
  • Commit the changes

For LDAPS:

  • Go to System Administration > LDAP > Edit Settings
  • Select the certificate in the “Certificate” drop down
  • Submit this page
  • Commit the changes

For HTTPS:

  • Go to Network > IP Interfaces
  • Click on the name of your IP Interface
  • Select the certificate in the “HTTPS Certificate” drop down
  • Submit this page
  • Repeat above steps for any other applicable interfaces
  • Commit the changes

SSL certificate installation/update on the Security Management Appliance (SMA) is a bit trickier. There is no way to generate a certificate on the SMA, but one can be imported through the command line. To do that, we first need to extract the certificate and private key from the ESA configuration generated above (the same information can be exported from a PKCS#12 file with OpenSSL, or by many other methods).

  • Download a copy of the configuration file from the ESA appliance where the certificate was generated. Make sure not to mask passwords, because masking also hides the private key. The downloaded file then contains the private key in clear text: keep it only where you would keep the key itself, and delete it once the import is done
  • Open the configuration file in a text editor (for example Notepad++)
  • Copy the certificate and the private key, marker lines included. The private key begins with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----; the certificate begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. If the configuration holds more than one certificate profile, make sure you copy the block that belongs to the new certificate

Next step is to import certificate and private key into SMA.

  • Log into the command line and issue the “certconfig” command.
  • Issue the “setup” command.
  • Select if you wish to use one certificate for all services.  It is recommended to select “y” here.
  • Copy the host certificate and paste it into the command line interface, including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. End the paste with a single period (.) on a line by itself.
  • Copy the private key and paste it into the command line interface, including the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines; paste it as the unencrypted PEM block exactly as the ESA configuration exports it. End the paste with a single period (.) on a line by itself.
  • Select "y" if you would like to add any intermediate certificates. Add the same intermediates you uploaded on the ESA; without them, clients that do not already trust the intermediate cannot validate the chain.
  • Copy the intermediate certificate(s) one at a time and paste them into the command line interface. End each paste with a single period (.) on a line by itself.
  • Repeat the above two steps for any additional intermediate certificates needed.
  • Select "n" to let the appliance know that you have added all of the certificates.
  • Press the Enter key until you exit the configuration menu.
  • Commit the changes.

SMA is now configured with a certificate.
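As an added example (not from the original post and not Cisco tooling), the shell script below does the parts of this procedure that are easy to get wrong by hand: it pulls the certificate and private key blocks out of an unmasked ESA configuration file (or splits the PKCS#12 bundle with OpenSSL), proves that certificate and key belong together before anything is pasted into certconfig, and after the commit fetches the certificate each ESA service actually presents so the listener and HTTPS changes above can be confirmed from outside. The script name (certprep.sh), the file names (esa-config.xml, wildcard.p12, out/) and the hostnames in the usage comments are assumptions; OpenSSL is required for everything except the extraction.

```shell
#!/bin/sh
# Added example, not part of the original post or of Cisco's tooling: prepare the
# pieces the SMA "certconfig" paste asks for (host certificate, private key,
# intermediates) from an unmasked ESA configuration file or the PKCS#12 bundle,
# prove that certificate and key belong together, and check what each service
# presents after the commit. File names (esa-config.xml, wildcard.p12, out/)
# and the hostnames in the usage comments are assumptions.

# extract_pem_blocks <file> <label>
# Print every -----BEGIN <label>----- ... -----END <label>----- block in <file>,
# in order, with anything outside the markers (XML tags, indentation) stripped.
extract_pem_blocks() {
    awk -v lbl="$2" '
        BEGIN { b = "-----BEGIN " lbl "-----"; e = "-----END " lbl "-----" }
        !inblk && (i = index($0, b)) { inblk = 1; $0 = substr($0, i) }
        inblk && (j = index($0, e))  { print substr($0, 1, j + length(e) - 1); inblk = 0; next }
        inblk                        { print }
    ' "$1"
}

# extract_private_key <file>
# The ESA config carries the key as "RSA PRIVATE KEY"; PKCS#8 tooling labels it
# "PRIVATE KEY". Accept either. An "ENCRYPTED PRIVATE KEY" block is deliberately
# not matched: the CLI paste needs the key unencrypted.
extract_private_key() {
    key=$(extract_pem_blocks "$1" "RSA PRIVATE KEY")
    [ -n "$key" ] || key=$(extract_pem_blocks "$1" "PRIVATE KEY")
    [ -n "$key" ] && printf '%s\n' "$key"
}

# p12_to_pem <bundle.p12> <outdir>
# Split a password-protected PKCS#12 into host.crt, host.key and chain.pem.
# The import password is read once and handed to openssl through the environment
# (-passin env:), so it never appears on a command line or in `ps` output.
# -nodes writes the key unencrypted; `openssl pkey` strips the "Bag Attributes"
# header and emits a PKCS#8 "PRIVATE KEY" block.
p12_to_pem() {
    printf 'PKCS#12 import password: ' >&2
    stty -echo 2>/dev/null; read -r pw; stty echo 2>/dev/null; printf '\n' >&2
    P12PW="$pw" openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:P12PW | openssl x509 > "$2/host.crt"
    P12PW="$pw" openssl pkcs12 -in "$1" -nocerts -nodes -passin env:P12PW | openssl pkey > "$2/host.key"
    P12PW="$pw" openssl pkcs12 -in "$1" -cacerts -nokeys -passin env:P12PW > "$2/chain.pem"
    unset pw
    echo "wrote $2/host.crt, $2/host.key and $(grep -c 'BEGIN CERTIFICATE' "$2/chain.pem") intermediate(s) in $2/chain.pem" >&2
}

# keys_match <cert.pem> <key.pem>
# Succeed only if the public key inside the certificate equals the public key
# derived from the private key (both compared as SHA-256 over their DER form).
keys_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_summary <cert.pem>
# Subject, SANs, expiry and SHA-256 fingerprint of a certificate file: compare
# with the appliance GUI after the upload and with served_cert after the commit.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha256
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null || true
}

# served_cert <host> <port> [starttls-protocol]
# After the commit, show the certificate a service really presents. SMTP
# listeners need STARTTLS ("smtp"); the HTTPS interface does not. Outbound TLS
# and LDAPS cannot be checked this way because there the appliance is the client.
served_cert() {
    st=""; [ -n "${3:-}" ] && st="-starttls $3"
    openssl s_client -connect "$1:$2" -servername "$1" $st </dev/null 2>/dev/null |
        openssl x509 -noout -subject -enddate -fingerprint -sha256
}

# Command-line entry points (run without arguments the script only defines the functions):
#   sh certprep.sh from-config esa-config.xml out     # unmasked ESA config -> out/host.crt, out/host.key
#   sh certprep.sh from-p12    wildcard.p12   out     # PKCS#12 bundle -> out/host.crt, host.key, chain.pem
#   sh certprep.sh check       out/host.crt out/host.key
#   sh certprep.sh served      mail.example.com 25 smtp
#   sh certprep.sh served      esa.example.com 443
case "${1:-}" in
    from-config) mkdir -p "$3"; extract_pem_blocks "$2" CERTIFICATE > "$3/host.crt"
                 extract_private_key "$2" > "$3/host.key"; cert_summary "$3/host.crt" ;;
    from-p12)    mkdir -p "$3"; p12_to_pem "$2" "$3"; cert_summary "$3/host.crt" ;;
    check)       if keys_match "$2" "$3"; then echo "certificate and private key match"
                 else echo "MISMATCH: do not import this pair" >&2; exit 1; fi ;;
    served)      served_cert "$2" "$3" "${4:-}" ;;
    *)           : ;;
esac
```

Run `check` before the certconfig paste and `served` after the commit on each listener and management interface; the fingerprint printed by `served` must equal the one from `cert_summary` of the file you uploaded, otherwise that service is still using the old profile. If the configuration export holds several certificate profiles, `from-config` writes all certificate blocks into host.crt and `cert_summary` reports only the first one, so inspect the file and keep the block whose subject matches the new certificate. The key written by `from-p12` carries a PKCS#8 "PRIVATE KEY" header; the ESA's own export uses "RSA PRIVATE KEY", and on OpenSSL 3 `openssl rsa -traditional` converts to that form if the CLI insists on it.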
