Cisco Support Community
Community Member

TLS setup questions


I have a pair of C170s in a cluster, and need to implement TLS for outbound connections to a set of domains.

Currently the appliances have hostnames of and, externally they are referenced as and (these are the MX records).

My questions are these:

Do I need to get individual certificates for each C170, or do I install the same cert on both?

Do I need to change the names (either the host names, or external DNS names) to match?

Is there a way to make a destination control a group, instead of individual domains?




TLS setup questions

You could use the same cert on both, but you'll want it to match names, so a SAN/UC or a wildcard cert would work... I was unable to puzzle out the RFC enough to be sure if a wildcard cert would be allowed, so I just tried it, and it worked. You'll want the cert to match the name of the box it's on, as some people you send mail to will want the cert to be valid. In that sense it's not all that different than a cert on a web server...

I'm not sure about the destination controls... It doesn't look like you can build groups there...
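Added example, not part of the reply above and not Cisco code: a small Python check of whether one certificate's DNS names cover every appliance hostname, for the wildcard, SAN and single-name cases discussed in this thread. The hostnames are constructed placeholders, and the wildcard rule (whole left-most label only, exactly one label, at least two literal labels after it) is a conservative reading of RFC 6125 chosen for this sketch.

```python
# Added example: does one certificate cover both appliances?
# All hostnames below are constructed placeholders, not values from the thread.

def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.

    A wildcard is honoured only as the entire left-most label and stands
    for exactly one label (conservative reading of RFC 6125).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in p or "" in h:
        return False
    if p[0] == "*":
        # Assumption: require two literal labels after the wildcard (no "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    # A "*" anywhere else (partial or non-left-most) is compared literally,
    # so it never matches a real hostname.
    return p == h


def uncovered(cert_dns_names, hostnames):
    """Return the hostnames that no certificate name covers."""
    return [h for h in hostnames
            if not any(name_matches(n, h) for n in cert_dns_names)]


# Constructed sample data
APPLIANCES = ["mx1.example.com", "mx2.example.com"]
WILDCARD_CERT = ["*.example.com"]
SAN_CERT = ["mx1.example.com", "mx2.example.com"]
SINGLE_NAME_CERT = ["mx1.example.com"]

if __name__ == "__main__":
    for label, names in [("wildcard", WILDCARD_CERT),
                         ("SAN", SAN_CERT),
                         ("single-name", SINGLE_NAME_CERT)]:
        missing = uncovered(names, APPLIANCES)
        status = "covers both" if not missing else "missing " + ", ".join(missing)
        print(f"{label:12} -> {status}")
```

The names to feed in are the DNS entries of the certificate's subjectAltName, compared against the name each appliance presents to connecting hosts.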


Community Member

TLS setup questions

I am curious how you used a wildcard.

What cert name does the cluster use?

Does each individual appliance get its own name (I would think they would have to so they would match the hostname of incoming connections)?

I went down the road of getting individual certs for my two appliances, and they work for the HTTPS part (no longer get cert errors when connecting to the GUI), but when I try to use them for listener setup, I am not sure what to do, as it wants to override the cluster config.

I have the feeling I want to override the cluster settings, and copy from the cluster to edit them.

TLS setup questions

I don't have a cluster, so I'm not versed on what issue(s) you're having...

I used the wildcard just like any other cert that I would be issued, as far as uploading it... I only applied the cert to the external listener, which has  Since the cert is good for *, it works fine.
