Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

3rd party cert on ironport

Is it better to run your internal root cert on the ironport or can I place a 3rd party (verisign, godaddy) cert on ironport? If it is better to use a 3rd party cert, how do i create the CSR (certificate signing request) on ironport?

Everyone's tags (3)

Re: 3rd party cert on ironport


I suspect that a 3rd party cert is technically better, you're not exposing your internal root to accidental mishandling...  but its nice, since 1, you have it already, 2 (assuming an AD integrated Enterprise Root) your workstations already trust it.

The Ironport won't create a key request.

Get OpenSSL, and use that to do the following:

     generate a private key          'openssl genrsa -out privkey.pem 2048

     generate a cert request        'openssl req -new -key privkey.pem -out cert.csr'

     If you have to decrypt your private key       'openssl rsa - in privkey.pem -out deckey.key

Upload the request to the SSL vendor, get your cert

Then upload the decrypted key and cert to the WSA.


New Member

3rd party cert on ironport

So what if i would like to use our internal root cert. I still need to create a cert for ironport right? then upload our root cert correct? that would complete the cert chain.

Re: 3rd party cert on ironport

If you put your internal root and key on the ironport, you don't HAVE to create a cert for the ironport.

If you do issue a cert for the ironport, you'll upload the cert, the key, and the intermediate chain as a trusted root.

New Member

3rd party cert on ironport

Do i place the enterprise root under the "HTTPS Proxy Settings" page or under the "Custom Root Authority Certificates" page? Both pages are located under Security Services->Https Proxy.

3rd party cert on ironport

If you're using it as the only cert, then put it in the Edit HTTPS Proxy Settings page, just below where you tell it to generate a selfsigned cert. 

If you generated one off of your cert authority, you'd put the root cert chain in the Custom Root Authority Certificates. (I think...)

Hmm... I may have exported the cert with all of the certs in cert path and uploaded that.

CreatePlease to create content