Adding an existing certificate to an ESA

Answered Question
Jan 20th, 2012

Hi all,


I have a problem.  We bought two certificates from Verisign for our two ESAs, but when I clustered the ESAs one of the certificates was wiped out.  Verisign provides the certificate in either a PKCS #7 or X.509 format.  In order to add it back to the ESA, I need to convert it to PKCS #12, or use certconfig.  But how am I supposed to get the private key??? 


Do I need to just create a new CSR and have Verisign reissue the certificate?


Any help I can get would be appreciated. 


Thanks,

- Steve

Correct Answer by Jeronimo Orona about 5 years 6 months ago

Hello Steve,


The ESA certificate process that you will need to follow depends on how your CSR was generated.


-If you did not generate the CSR on the IronPort appliance, you will need to ask your CA for a PKCS#12 formatted certificate. The PKCS #12 format is the only file format that can be used to export a certificate and its private key (pulled from the CSR you provided to your CA). This file can then be imported via the IronPort 'Certificates' GUI page.

(GUI: Network>Certificates>Add Certificate>Import Certificate).


-If you used the IronPort's CSR generation process, the private key remains on the IronPort. Ask your CA for an X.509 (PEM) formatted certificate and import that, via the IronPort page of the previously generated CSR/certificate.

(GUI: Network>Certificates>click on certificate name you chose when CSR was generated>Upload Signed Certificate).

You also add any Intermediate Certificate your CA provides, on the same page.


If you are not sure who generated the CSR, you should indeed issue a new CSR and send that to your CA. The following Knowledge Article documents the complete process.


http://tinyurl.com/32wdqe4



Regards,


-Jerry Orona
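
For the "not sure who generated the CSR" case in the answer above, this added example (not part of the original thread, and not Cisco's procedure) checks on an admin workstation with OpenSSL whether a private key you still hold pairs with the issued certificate before bundling both as PKCS #12. The file names, the CN and the self-signed certificate standing in for the CA-issued one are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. All file names and the CN are constructed.

# Emit the PEM public key carried by a private key, CSR or certificate.
pubkey_of() {  # pubkey_of key|csr|cert FILE
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    *)    return 2 ;;
  esac 2>/dev/null
}

# Succeed only if both files carry the same public key (2 = unreadable input).
same_key() {  # same_key TYPE_A FILE_A TYPE_B FILE_B
  a=$(pubkey_of "$1" "$2") && b=$(pubkey_of "$3" "$4") || return 2
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Extract the certificate(s) from a PEM-encoded PKCS #7 bundle.
p7_to_pem() {  # p7_to_pem IN.p7b OUT.pem
  openssl pkcs7 -in "$1" -print_certs -out "$2"
}

# Build a PKCS #12 file, refusing when key and certificate do not pair.
make_p12() {  # make_p12 KEY CERT OUT PASSWORD
  same_key key "$1" cert "$2" || { echo "key does not match certificate" >&2; return 1; }
  P12_PASS="$4" openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout env:P12_PASS
}

# Constructed fixture: key + CSR, a self-signed cert playing the CA's reply,
# the same cert wrapped as PKCS #7, and an unrelated key.
make_fixture() {
  d=$(mktemp -d) || return 1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/esa.key" -out "$d/esa.csr" \
    -subj "/CN=esa.example.test" 2>/dev/null || return 1
  openssl x509 -req -in "$d/esa.csr" -signkey "$d/esa.key" -days 1 \
    -out "$d/esa.crt" 2>/dev/null || return 1
  openssl genrsa -out "$d/other.key" 2048 2>/dev/null || return 1
  openssl crl2pkcs7 -nocrl -certfile "$d/esa.crt" -out "$d/esa.p7b" || return 1
  echo "$d"
}

d=$(make_fixture) || exit 1
p7_to_pem "$d/esa.p7b" "$d/from_p7.pem"
same_key key "$d/esa.key" cert "$d/from_p7.pem" && echo "esa.key pairs with the certificate"
same_key key "$d/other.key" cert "$d/from_p7.pem" || echo "other.key does not pair: new CSR needed"
rm -rf "$d"
```

If the CA delivers the PKCS #7 file in DER rather than PEM encoding, `openssl pkcs7` needs `-inform DER`.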

Jeronimo Orona Tue, 01/24/2012 - 16:29

RSteveKadish Wed, 01/25/2012 - 06:56

Hi Jerry,


Thanks very much for replying. The CSRs were generated using the IronPort. The difficulty lay in the fact that the certificate was overwritten when I clustered the appliances. Therefore the option to upload the signed certificate wasn't available.


I've already had new certificates issued by Verisign to resolve the problem.


Thanks,

- Steve
