We have an Ironport S160 running version 7.5.1-201 for Web.
Today, I used the certconfig CLI to install a custom signed certificate for the management https interface, but the Ironport is still using the demo certificate, even after I rebooted the appliance.
I also downloaded a certificate request from the https proxy settings and signed it using my root CA, but I am still getting the old self-signed CA when I visit https websites - this also persists after the appliance reboot.
The new CA shows up in the https proxy settings, and I also imported my root CA for good measure.
I added the management certificate using certconfig, yes - but that suddenly started working on its own, as I commented earlier. My issue is now the CA certificate used for re-signing decrypted https sites.
Which self signed cert are you referring to? Are you referring to the Ironport Demo certificate? If you are seeing that certificate when surfing the internet, it sounds like you have credential encryption enabled. You will need to upload the new one in the GUI under Network > Authentication.
My current issue is with Ironport's CA, used for creating new certificates when it decrypts https web sites.
I downloaded a CSR from the https proxy page, signed it using my AD root CA, then imported the resulting certificate into Ironport. But the web sites I visit still get signed by the self-signed "Hapro" certificate I created in December of last year.
My current hypothesis is that Ironport is storing generated certificates, and will not regenerate them until the signatory certificate expires, in December.
The generate CSR feature is new and honestly, I have not seen it be used. You may need to remove the self-generated certificate by editing the configuration XML file. I'd recommend you open up a TAC case on it for a possible bug.