Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Change central spam quarantine cert?

   We have an internal certificate that I would like to assign to the Central Spam Quarantine on our M670 so that users don't get the self-signed cert error. I don't see anything in the documentation about this, does anyone have any pointers as to how this is done and potential pitfalls? Thanks.

5 REPLIES
Cisco Employee

Change central spam quarantine cert?

Had this question the other week here in the forums --- take a look at the instruction set in the following:

https://supportforums.cisco.com/message/4088392#4088392

-Robert

New Member

Change central spam quarantine cert?

Robert,

   Thanks, but this appears to apply to an ESA, and we're running the Centralized Spam Quarantine on the M670. There's no option in the GUI on the M670 regarding certificates that I could find... ?

Cisco Employee

Change central spam quarantine cert?

That post does apply to the SMA.

Correct - there is not a GUI option on the SMA.  You will need to run the 'certconfig' command on the CLI, and import the certficate --- either one you have, or once you receive this back from the CA.

http://tools.cisco.com/squish/9b9c9

How do I install certificates on an Cisco Content Security Management Appliance (SMA)?

Prerequisites:

You must have the following items available in PEM format:

  • X.509 certificate
  • Private key that matches your certificate
  • Any intermediate certificates provided by your Certificate Authority

Certificates can be used for 4 different services:

  • Inbound TLS
  • Outbound TLS
  • HTTPS
  • LDAPS

You can choose to either use the same certificate for all 4 services or use separate certificates for each.

Installing the Certificates:

To begin, you will first need to access your IronPort via the Command Line Interface. This can be done either
via telnet or an SSH client such as PuTTY.

Once logged into the CLI, please use the following steps:

  • Issue the command 'certconfig'
  • Issue the command 'setup'
  • Choose whether to use the same certificate for all features or separate certificates
  • When prompted paste each item into the CLI window
  • Enter a '.' on it's own line to indicate that you are done pasting the current item (see example below)
  • Be sure to enter any intermediate certificates when prompted to do so
  • When you are done, return to the main prompt by hitting enter
  • Issue the 'commit' command

Notes:

  • When performing a certificate install on Microsoft Windows you may need to open your certificates with Wordpad instead of Notepad.
  • Do not exit the certconfig command with Ctrl+C since this will immediately cancel your changes.

Example:

sma.example.com> certconfig

Currently using one certificate/key for receiving, delivery, HTTPS management access, and LDAPS.

Choose the operation you want to perform:
      - SETUP - Configure security certificates and keys.
      - PRINT - Display configured certificates/keys.
      - CLEAR - Clear configured certificates/keys.
[]> setup

Do you want to use one certificate/key for receiving, delivery, HTTPS management access, and LDAPS? [Y]>

paste cert in PEM format (end with '.'):
-----BEGIN CERTIFICATE-----
MIIDmTCCAwKgAwIBAgIJAP3xcsDFYVsFMA0GCSqGSIb3DQEBBQUAMIGQMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNhbiBCcnVubzEiMCAGA1UE
ChMZSXJvblBvcnQgQ3VzdG9tZXIgU2VydmljZTEXMBUGA1UEAxMOQ2lzY28gSXJv
blBvcnQxIzAhBgkqhkiG9w0BCQEWFHN1cHBvcnRAaXJvbnBvcnQuY29tMB4XDTA5
MTAwMjE5NDkxOVoXDTEwMTAwMjE5NDkxOVowgZAxCzAJBgNVBAYTAlVTMQswCQYD
VQQIEwJDQTESMBAGA1UEBxMJU2FuIEJydW5vMSIwIAYDVQQKExlJcm9uUG9ydCBD
dXN0b21lciBTZXJ2aWNlMRcwFQYDVQQDEw5DaXNjbyBJcm9uUG9ydDEjMCEGCSqG
SIb3DQEJARYUc3VwcG9ydEBpcm9ucG9ydC5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAMHw08rHx1a2NeJpwzTeVQH09g77zQelp6vrcVxijhOH4+k3LrfD
wd+g94X+T6/ZJ/pJNgkjrncEw0I96yvlCwpAeReaWX4rLCyMyU/BGdKfCVNPWK/b
oNioS91ADh1L+XRyPeBG1YIM+EEK5wuQzOP8NQH3uf7jq1aigsOgV9sHAgMBAAGj
gfgwgfUwHQYDVR0OBBYEFEYsbf9JvO+AvNalXiORrA3x4D8VMIHFBgNVHSMEgb0w
gbqAFEYsbf9JvO+AvNalXiORrA3x4D8VoYGWpIGTMIGQMQswCQYDVQQGEwJVUzEL
MAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNhbiBCcnVubzEiMCAGA1UEChMZSXJvblBv
cnQgQ3VzdG9tZXIgU2VydmljZTEXMBUGA1UEAxMOQ2lzY28gSXJvblBvcnQxIzAh
BgkqhkiG9w0BCQEWFHN1cHBvcnRAaXJvbnBvcnQuY29tggkA/fFywMVhWwUwDAYD
VR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCKcMkd1+SMIGs9JcN1IT/o1Qan
9zd5BkrRAVKq47pJnHbkFpDnGoHGEo2hRhXYXfrCFwpOkkd2b/iRl54ghcK6xwnH
tF3tvznyBIWBUvt+vPIqHfNlmTCdIVhawz6YVs+0YAQanxObdbCM0T6tI3CaAjul
0oL+HfZjR4m900PG8A==
-----END CERTIFICATE-----
.
cert = -----BEGIN CERTIFICATE-----
MIIDmTCCAwKgAwIBAgIJAP3xcsDFYVsFMA0GCSqGSIb3DQEBBQUAMIGQMQswCQYD
VQQGEwJVUzELMAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNhbiBCcnVubzEiMCAGA1UE
ChMZSXJvblBvcnQgQ3VzdG9tZXIgU2VydmljZTEXMBUGA1UEAxMOQ2lzY28gSXJv
blBvcnQxIzAhBgkqhkiG9w0BCQEWFHN1cHBvcnRAaXJvbnBvcnQuY29tMB4XDTA5
MTAwMjE5NDkxOVoXDTEwMTAwMjE5NDkxOVowgZAxCzAJBgNVBAYTAlVTMQswCQYD
VQQIEwJDQTESMBAGA1UEBxMJU2FuIEJydW5vMSIwIAYDVQQKExlJcm9uUG9ydCBD
dXN0b21lciBTZXJ2aWNlMRcwFQYDVQQDEw5DaXNjbyBJcm9uUG9ydDEjMCEGCSqG
SIb3DQEJARYUc3VwcG9ydEBpcm9ucG9ydC5jb20wgZ8wDQYJKoZIhvcNAQEBBQAD
gY0AMIGJAoGBAMHw08rHx1a2NeJpwzTeVQH09g77zQelp6vrcVxijhOH4+k3LrfD
wd+g94X+T6/ZJ/pJNgkjrncEw0I96yvlCwpAeReaWX4rLCyMyU/BGdKfCVNPWK/b
oNioS91ADh1L+XRyPeBG1YIM+EEK5wuQzOP8NQH3uf7jq1aigsOgV9sHAgMBAAGj
gfgwgfUwHQYDVR0OBBYEFEYsbf9JvO+AvNalXiORrA3x4D8VMIHFBgNVHSMEgb0w
gbqAFEYsbf9JvO+AvNalXiORrA3x4D8VoYGWpIGTMIGQMQswCQYDVQQGEwJVUzEL
MAkGA1UECBMCQ0ExEjAQBgNVBAcTCVNhbiBCcnVubzEiMCAGA1UEChMZSXJvblBv
cnQgQ3VzdG9tZXIgU2VydmljZTEXMBUGA1UEAxMOQ2lzY28gSXJvblBvcnQxIzAh
BgkqhkiG9w0BCQEWFHN1cHBvcnRAaXJvbnBvcnQuY29tggkA/fFywMVhWwUwDAYD
VR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCKcMkd1+SMIGs9JcN1IT/o1Qan
9zd5BkrRAVKq47pJnHbkFpDnGoHGEo2hRhXYXfrCFwpOkkd2b/iRl54ghcK6xwnH
tF3tvznyBIWBUvt+vPIqHfNlmTCdIVhawz6YVs+0YAQanxObdbCM0T6tI3CaAjul
0oL+HfZjR4m900PG8A==
-----END CERTIFICATE-----
paste key in PEM format (end with '.'):
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDB8NPKx8dWtjXiacM03lUB9PYO+80Hpaer63FcYo4Th+PpNy63
w8HfoPeF/k+v2Sf6STYJI653BMNCPesr5QsKQHkXmll+KywsjMlPwRnSnwlTT1iv
26DYqEvdQA4dS/l0cj3gRtWCDPhBCucLkMzj/DUB97n+46tWooLDoFfbBwIDAQAB
AoGAM/hvKNXkSw5E3kltMAusR/v2vAkp5jSz+9P56sHWRNGTd3l8IW5p05109wkx
HXRZzC42NrjDFc3G7Udeb8LO9BbVicBzXVW1CRIrfxGr7d/ekkghyN1nBiAbUCaf
6jUGNItT1ACRdV++aNzESO6JdGBirW/pw0neMgmtRuf0rIECQQDnX/9zUxZuswJN
0hvEzaVAx2pkpJ6v3us8bG7o5Ce3vDWR9ja3TUH6faOw2azfLv0ND1sLj6USx2j5
rC8Kj2HhAkEA1pTm+FVbY3YQOSBol1o0831SvCxA/r7fhxTdxHXzhkw1NC3mbZrh
ZGATaGETM9doyatESVLbcHxu/OYU7nmp5wJBAMbT6fMyjW5nii1RxuciSUYXl8gQ
5wT/LWrpS436sl7j760UxgRS8cXOPeJ1zGamPHMCpRyUPiibEAyt+Ga8vEECQQC8
9gMvTHtd6un+ZHu2TMm0YfgpnQ7fRlaxLb7c8sGw0gtIF+ODQZCaQ8DTeijeziKI
9Tj9GOoE9I8IRdTI7HqhAkEAnXk9GOp201cPK8E7SDgseuSdxuziQH4Tl595wXQX
CbCI1aqiMwrg5b/B1ZfISxyD1Vth6BARQuuqYvdnstlSkQ==
-----END RSA PRIVATE KEY-----
.
key = -----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQDB8NPKx8dWtjXiacM03lUB9PYO+80Hpaer63FcYo4Th+PpNy63
w8HfoPeF/k+v2Sf6STYJI653BMNCPesr5QsKQHkXmll+KywsjMlPwRnSnwlTT1iv
26DYqEvdQA4dS/l0cj3gRtWCDPhBCucLkMzj/DUB97n+46tWooLDoFfbBwIDAQAB
AoGAM/hvKNXkSw5E3kltMAusR/v2vAkp5jSz+9P56sHWRNGTd3l8IW5p05109wkx
HXRZzC42NrjDFc3G7Udeb8LO9BbVicBzXVW1CRIrfxGr7d/ekkghyN1nBiAbUCaf
6jUGNItT1ACRdV++aNzESO6JdGBirW/pw0neMgmtRuf0rIECQQDnX/9zUxZuswJN
0hvEzaVAx2pkpJ6v3us8bG7o5Ce3vDWR9ja3TUH6faOw2azfLv0ND1sLj6USx2j5
rC8Kj2HhAkEA1pTm+FVbY3YQOSBol1o0831SvCxA/r7fhxTdxHXzhkw1NC3mbZrh
ZGATaGETM9doyatESVLbcHxu/OYU7nmp5wJBAMbT6fMyjW5nii1RxuciSUYXl8gQ
5wT/LWrpS436sl7j760UxgRS8cXOPeJ1zGamPHMCpRyUPiibEAyt+Ga8vEECQQC8
9gMvTHtd6un+ZHu2TMm0YfgpnQ7fRlaxLb7c8sGw0gtIF+ODQZCaQ8DTeijeziKI
9Tj9GOoE9I8IRdTI7HqhAkEAnXk9GOp201cPK8E7SDgseuSdxuziQH4Tl595wXQX
CbCI1aqiMwrg5b/B1ZfISxyD1Vth6BARQuuqYvdnstlSkQ==
-----END RSA PRIVATE KEY-----

Do you want to add an intermediate certificate? [N]> n

Currently using one certificate/key for receiving, delivery, HTTPS management access, and LDAPS.

Choose the operation you want to perform:
      - SETUP - Configure security certificates and keys.
      - PRINT - Display configured certificates/keys.
      - CLEAR - Clear configured certificates/keys.
[]>
sma.example.com> commit

Please enter some comments describing your changes:
[]> Installed Certificate

Changes committed: Fri Oct 02 12:50:47 2009 MST
sma.example.com>

Hope that helps, is a little more clear...

-Robert

New Member

Change central spam quarantine cert?

OK, so as far as pitfalls go, if I somehow do this incorrectly the worst that will happen is that we'll continue to receive the Invalid Certificate warning when accessing the quaratine, is that correct? Just trying to gauge my risk here. Thanks again for your help.

Cisco Employee

Change central spam quarantine cert?

Correct.  If you have a valid cert - and apply - this should alleviate the invalid cert warnings.  As long as the cert is tied properly to the host - you should be set.  If not - you'll need to get the self-signed cert, or CA approved cert to match.

Hope this helps!

-Robert

(If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)

361
Views
0
Helpful
5
Replies
CreatePlease to create content