Explore Cisco
How to Buy

Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

IEA 2048 Bit Key Support for CSR on IEA Configuration Example

Available Languages

Download Options

  • PDF     (233.8 KB)
    View with Adobe Reader on a variety of devices
Updated:July 16, 2014
Document ID:117964

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes how to generate 2048 bit key support for Certificate Signing Request (CSR) on the Cisco IronPort Encryption Appliance (IEA).

Configure

Most of the Certificate Authorities (CAs) have stated an explicit request to have all CSRs generated with a key pair of length 2048 bit. By default, IEA Version 6.5 uses 1024 bit key length for key pair generation. In order to force the IEA to generate a key pair of length 2048, use the keytool command as described here.

Generate a Certificate

  1. Log in to the IEA CLI

  2. At the main menu, type x in order to drop into the shell.

  3. Change to the root user:
    $ su -


  4. Execute the keytool in order to create a new keystore:
        # /usr/local/postx/server/jre/bin/keytool -genkey -alias <server alias>
        -keyalg RSA -keysize 2048 -keystore <name the new keystore>     
            *alias should be what the server is known as externally when customers
             log into the device
            *When prompted for password use a easily remembered password
            *Enter in all requested information when prompted for the certificate
             request, make special note of the next question:
            --- What is your first and last name? 
            [Unknown]: server1.example.com 
                    *For this question enter in the fully qualified domain name
                     of the system
            *The name of the newkeystore should be in the format <name>.keystore
             where name should include the current date
                Example:  enterpriseks20130108.keystore




  5. Execute the keytool in order to create a CSR File:
    # /usr/local/postx/server/jre/bin/keytool -certreq -keyalg RSA -alias <server alias>
     -file <servername>.csr -keystore <name of the new keystore>




  6. Provide the CSR file to the Certificate Authority in order to generate a certificate. Ensure you submit it as an Apache Web Server Certficate Signing Request.
  7. After you receive the .cer file from the CA, proceed to the next steps.

Import a Certificate

Note: The password used when you generate the CSR must match the keystore password in order for these procedures to work.  If the CSR was created off-box, the password inputted must match the keystore password in order for these procedures to work.

You must chain the Certificate correctly

  1. Each CA Certificate must be extracted from the CER file received from the CA and then merged together in a text editor.

    Note: This is easiest done from a Microsoft Windows machine. Other operating systems work but are more difficult to extract.
        Certificates must be chained in this order:  1.Domain  2. Intermediate  3.Root



    1. Double-click in order to open the Certificate file (.CER file), and then click the Certification Path tab:



    2. Start with the mid-level of the Certification Path, click the Details tab, click Copy to File, and then name it 1.CER.

       

    3. Select Base-64 encoded X.509(.CER).



    4. Repeat for the Top Level CA, and name it 2.CER.

    5. Repeat for the server certificate, and name it 3.CER.

    6. Use a text editor (not notepad, but notepad++ works well) in order to open all three X.CER files and combine them in order (1 at the top, and 3 at the bottom):





      Note: There should be no empty lines between certificates and no empty line at the bottom.



    7. Save as <servername>.CER.

    8. Upload the <servername>.CER file to the IEA at /home/admin/<servername.cer>  with FTP or SCP.

    9. Copy /home/admin/<servername.cer> to /usr/local/postx/server/conf:





  2. Use the IEA GUI in order to import the certificate [Keys and Certificates | SSL Setup].

    Note: Keystore = [Install Directory]/conf/enterprisenamestore.keystore or the current name of your keystore file.

    Certificate = /usr/local/postx/server/conf/NEWCERT.CER.



    1. Check Trust CA Certs.

    2. Click Import Certificate





  3. (Optional -- If a new keystore must be created). From the IEA GUI, tell the IEA to use the new keystore:

    1. Choose Configuration | Web Server and Proxies | Web Server | Connection Listeners | HTTPS

    2. Type in the path to the new keystore file:

      Example:  ${postx.home}/conf/2013_5_13.keystore
             



  4. Deploy Changes and restart the SMTP Adapter.

Verify

There is currently no verification procedure available for this configuration.

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.

Revision History

Revision Publish Date Comments
1.0
16-Jul-2014
Initial Release
TAC Authored

Contributed by Cisco Engineers

  • Kishore Yerramreddy
    Cisco TAC Engineer.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco