Cisco Support Community

Can we use SAN certificate for a cluster of Ironport ESAs?

We have 6 C670 appliances, all connected in a cluster. As of now, we have individual SSL certificates installed on each appliance. We are contemplating the idea of going for one SAN certificate instead of individual certificates. Can this be done? How can we configure each IronPort to refer to one certificate?

3 REPLIES

Can we use SAN certificate for a cluster of Ironport ESAs?

You can use a SAN cert. You have to install it on each box (which means you need the private key too...).

Check with your cert provider on the license for that cert.  Some of them limit the number of machines you can install the cert on.

Can we use SAN certificate for a cluster of Ironport ESAs?

Thanks Ken. But wouldn't that carry the same hostname for all the appliances then? I'm not well informed about how SAN certificate works, but, do we need to create individual CSR files from each appliance to obtain one SAN cert and then install that one SAN cert for each certificate profile?

Can we use SAN certificate for a cluster of Ironport ESAs?

No, as that's the point of a SAN cert (SAN stands for "Subject Alternative Name"). The SAN cert can have many different names, and they don't have to be related. It's sort of like a wildcard cert (e.g. *.domain.com), but instead of everything having to end in "domain.com", it can have any name you want... so you can have "box1.domain1.com", "box2.domain2.com", etc.

No, you don't generate the CSR on each box... I do it once on a Windows box, export the cert and private key, split it into its pieces using OpenSSL and upload it to as many boxes as I need to... I use one wildcard cert since I use one mail handler on one domain for all of my domains...

Ken
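The workflow Ken describes above (one request for the whole cluster, one issued cert, exported as PKCS#12 and split back into PEM pieces with OpenSSL), written out as an added example that is not part of the original thread. Everything in it is made up for the demo: the appliance hostnames (box1.domain1.com, box2.domain2.com, mail.domain3.com), the organisation name, the PKCS#12 password, and the self-signed issuance step that stands in for the commercial CA. In practice you send `san.csr` to your provider and replace `issue_cert` with what they return; the split and the key-matches-cert check are what you would run on the real bundle before pasting the pieces into each appliance's certificate profile.

```shell
#!/bin/sh
# Added example, not from the original thread. One SAN CSR for the whole
# cluster, issued once, exported as PKCS#12 (what a Windows export hands
# you), then split back into the PEM pieces each appliance needs.
# Hostnames, org, password and the self-signed "CA" are all demo values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PFX_PASS="changeit"   # assumed export password, demo only

# 1. One OpenSSL config listing every appliance name in the SAN extension.
write_san_config() {
  cat > "$WORK/san.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = box1.domain1.com
O  = Example Corp

[ v3_req ]
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = box1.domain1.com
DNS.2 = box2.domain2.com
DNS.3 = mail.domain3.com
EOF
}

# 2. Generate the single private key and the CSR you would send to the CA.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/key.pem" -out "$WORK/san.csr" \
    -config "$WORK/san.cnf" 2>/dev/null
}

# 3. Stand-in for the commercial CA: self-sign the same request (demo only).
issue_cert() {
  openssl req -x509 -new -key "$WORK/key.pem" -days 365 \
    -config "$WORK/san.cnf" -extensions v3_req -out "$WORK/san.crt"
}

# 4. Bundle cert + key into PKCS#12, as the Windows certificate export does.
export_pfx() {
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/san.crt" \
    -out "$WORK/san.pfx" -passout "pass:$PFX_PASS"
}

# 5. Split the PKCS#12 into the PEM pieces that get pasted into every box.
split_pfx() {
  openssl pkcs12 -in "$WORK/san.pfx" -passin "pass:$PFX_PASS" \
    -nocerts -nodes -out "$WORK/key_out.pem"
  openssl pkcs12 -in "$WORK/san.pfx" -passin "pass:$PFX_PASS" \
    -clcerts -nokeys -out "$WORK/cert_out.pem"
  # Intermediate chain, if the CA bundled one (empty in this self-signed demo).
  openssl pkcs12 -in "$WORK/san.pfx" -passin "pass:$PFX_PASS" \
    -cacerts -nokeys -out "$WORK/chain_out.pem"
}

# SAN list of a CSR, e.g. "DNS:box1.domain1.com, DNS:box2.domain2.com, ..."
csr_sans() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# SAN list of an issued certificate, same format as csr_sans.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Confirm the exported key really belongs to the exported cert: compare the
# public key embedded in the cert with the one derived from the private key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

write_san_config
make_csr
issue_cert
export_pfx
split_pfx
echo "SANs in CSR:  $(csr_sans "$WORK/san.csr")"
echo "SANs in cert: $(cert_sans "$WORK/cert_out.pem")"
key_matches_cert "$WORK/cert_out.pem" "$WORK/key_out.pem" \
  && echo "key_out.pem matches cert_out.pem"
```

The `key_matches_cert` check is the one worth keeping around: when the same cert and key are copied onto six boxes, a pasted-in mismatch (old key with the new cert, or the wrong export) fails TLS on that one appliance only, and comparing public keys is a faster diagnosis than re-exporting. `chain_out.pem` is what goes into the intermediate-certificate field when the provider bundles its chain; a cert that verifies fine in a browser with a cached intermediate will still fail from an MTA that has never seen it.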
