How to verify that the SSL certificate has been signed by the associated key on a Cisco Email Security Appliance?
Environment: Cisco Email Security Appliance (ESA), all versions of AsyncOS
This Knowledge Base article references software which is not maintained or supported by Cisco. The information is provided as a courtesy for your convenience. For further assistance, please contact the software vendor.
Installing SSL certificates is a prerequisite for encrypting receiving and delivery via TLS, and for secure LDAP access. Certificates are installed via the CLI command 'certconfig'. The certificate/key pair that you intend to install must consist of a certificate and the key that signed it. If this is not the case, installation of the certificate/key pair will fail.
The following steps help verify whether the certificate has been signed with the associated key. Assume that you have a private key in a file called 'server.key' and a certificate in 'server.cer'.
Make sure that the exponent fields of the certificate and key are the same. If this is not the case, then the key is not the signer. The following commands (run on any standard Unix machine with openssl) will help verify this.
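As an added example (not part of the Cisco article), the following POSIX shell script performs that comparison with openssl on the 'server.key' and 'server.cer' files named above; the function names are my own and the script assumes an RSA key, as the article's exponent check does.

```shell
#!/bin/sh
# Check that a private key belongs to a certificate (added example, assumes
# openssl on the PATH and an RSA key/certificate pair such as server.key/server.cer).

# Print the public exponent from both sides, the field the article says to compare.
show_exponents() {
    key_file="$1"; cert_file="$2"
    echo "key : $(openssl rsa  -in "$key_file"  -noout -text 2>/dev/null | grep publicExponent)"
    echo "cert: $(openssl x509 -in "$cert_file" -noout -text 2>/dev/null | grep 'Exponent:')"
}

# MD5 of the RSA modulus, the classic one-liner; the two values must be identical.
modulus_fingerprint_key()  { openssl rsa  -in "$1" -noout -modulus 2>/dev/null | openssl md5; }
modulus_fingerprint_cert() { openssl x509 -in "$1" -noout -modulus 2>/dev/null | openssl md5; }

# Stricter check: derive the public key (modulus AND exponent, SPKI form) from the
# private key and compare it byte-for-byte with the public key inside the certificate.
# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
cert_key_match() {
    key_file="$1"; cert_file="$2"
    key_pub=$(openssl pkey -in "$key_file" -pubout -outform PEM 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$cert_file" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# Stand-alone use: run the checks when the article's file names exist in the current directory.
if [ -f server.key ] && [ -f server.cer ]; then
    show_exponents server.key server.cer
    echo "key  modulus: $(modulus_fingerprint_key  server.key)"
    echo "cert modulus: $(modulus_fingerprint_cert server.cer)"
    if cert_key_match server.key server.cer; then
        echo "OK: server.key matches server.cer"
    else
        echo "MISMATCH: server.key is not the key for server.cer (certconfig will reject the pair)"
    fi
fi
```

Matching exponents alone prove little, because nearly every RSA key uses 65537; it is the modulus (or the whole public key, as in cert_key_match) that identifies the key.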