Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Email Security Quick-links: ESA Product Support | SMA Product Support | Email Submission and Tracking Portal | Cisco SecurityHub
Current General Deployment (GD) Releases:
ESA: 11.0.0-264 WSA: 10.5.1-296 SMA: 11.0.0-115 Email Plug-in (Reporting): 1.0.1-048 Email Plug-in (Encryption): 1.0.0-036

New Member

How to check the status of TLS cert?

Hi all,
Except export (or copy) the cert from the configuration file, and view using openssl, is there anyway / tools to allow me check the TLS / SSL cert is being used?
As beside checking the cert is using by my IronPort, i would like to check the cert using by my partner as well (although i can configure IronPort to accept trust cert only, i still wanna verify it)

Thanks for advise.

New Member

Re: How to check the status of TLS cert?

You don't need to copy the cert out of your configuration. OpenSSL has an "s_client" subcommand which can open an SSL connection and verify the cert for you. It even knows how to do STARTTLS. Something like this ought to do it:

openssl s_client -starttls smtp -CAfile /path/to/ca/file -connect your.ironport:25

The /path/to/ca/file is necessary to provide openssl with a cache of root CA certs. You could use -CApath instead of -CAfile if you have a hashed directory of root CA certs instead of a single file containing them all.

You can also point this at your partner's SMTP server as well.