assign new SSL cert on Cisco IronPort ESA

Issue: After completing the steps to install a new SSL certificate on your Cisco IronPort ESA you need to assign the certificate to the various Cisco IronPort functions that require encryption (email communications, TLS, Quarantine and admin web pages).

Activating the new SSL Certificate:

  • To assign the new certificate for inbound SMTP email communication, open Network > Listeners and select the new certificate

Ironport Listener Settings

  • Assign the certificate for use in Outbound TLS based email communications:

    Mail Policies > Destination Controls > Global Settings > Edit Global Settings > click the Certificate drop down and select your new Certificate.
    edit-destination-controls-global-certificate

     

Note: Specifying a certificate under destination controls tells the IronPort ESA which cert to use *if* TLS is enabled on outbound communications.  In other words, specifying the cert in the drop down will not actually enable TLS on the IronPort.  Follow these steps to enable TLS on the IronPort ESA.

Next: assign your new certificate to the Cisco IronPort ESA quarantine and admin web pages

Related

7 thoughts on “assign new SSL cert on Cisco IronPort ESA

  1. mark

    Is it possible to have two different inbound SSL/Cipher settings for TLS? One one hand, I need to disable TLSv1 for a particular inbound domain of ours. However, disabling TLSv1 globally seems to result in a lot of errors that say “454 TLS not available due to a temporary reason”

    Reply
    1. Chris Harris Post author

      Hi Mark, I haven’t attempted this myself. It may be worth taking up with support. Please do post the solution if your figure it out. Sorry I don’t have an answer on this.

      Reply
  2. Ionut

    Hi there! I have a problem authenticating on the ESA appliance with the domain username. It is weird as the other ESA can authenticate over LDAP very fine. They both are in a cluster and ldap configuration is done over there.
    Can you tell me possible reasons for NOT authenticating me on the esa2 but just fine on esa1? From cli i can ping the ldap server just fine…

    Reply
  3. Francis

    “I can show you where to set the Cisco ESA certs for web administration and quarantine.”

    Is this done with the CLI? I already have a wildcard cert installed on the IronPort but I don’t see anywhere in the GUI (version 8.3.6) where to apply it to HTTPS (or Spam Quarantine)

    Thanks!

    Reply
  4. Khaim

    You do not specify how to apply the cert for the Quarantine web interface for users. Or does setting the Secure Connection to SSL automatically use the installed SSL cert?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.