Cisco Secure Email Cloud Gateway

If you have not done so, please be sure to read the following announcement:

Do I need a 3rd party signed certificate?

While it’s not a requirement as most SMTP MTAs will operate without issue utilizing a self-signed certificate, 3rd party certificate requirements and validation are becoming more commonplace and even best practice. So, it is generally a good idea to obtain a 3rd party signed certificate.

How do I install and set up a 3rd party signed certificate?

You have a few options in order to complete the installation and setup of a 3rd party signed certificate. To start, you could simply open a Cisco TAC case and we can create the certificate for you and provide you with any additional guidance; however, if you’re perhaps more familiar with the process and wish to utilize another certificate authority for signing, you can follow the steps here.

If you do choose to create your own certificate and get it signed by a 3rd party, you will want to follow the following requirements for selecting the common name during creation and when sending the CSR over to the authority.

  • Common Name (SAN - Option 1) [Datacenter/Region Specific]:
  • mx1.[allocation].iphmx.com
  • mx1.[allocation].c3s2.iphmx.com
  • mx1.[allocation].eu.iphmx.com
  • mx1.[allocation].ca.iphmx.com
  • mx1.[allocation].ap.iphmx.com


mx1 would be used for the common name, but all individual esa1/2/3/4/etc., mx1/mx2, and ob1 records must be included in SAN attributes when the request is provided to the CA.

  • Common Name (Wildcard - Option 2)[Datacenter/Region Specific]:
  • *.[allocation].iphmx.com
  • *.[allocation].c3s2.iphmx.com
  • *.[allocation].eu.iphmx.com
  • *.[allocation].ca.iphmx.com
  • *.[allocation].ap.iphmx.com

Of course, you can reach out to Cisco TAC at any time if you run into issues or questions.

Which 3rd party Certificate Authority (CA) does Cisco utilize to issue these certificates?

Currently, we use HydrantID SSL CA G3 as the Intermediate and primary issuer for any CES server certificates, and HydrantID SSL CA G3 is signed and issued by QuoVadis Root CA 2.

How much does the 3rd Party Signed certificate cost?

At this time, the certificate that we provide issued by HydrantID SSL CA G3 is free of charge and included in your CES purchase. If you wish to utilize your own CA then you will be responsible for the cost, and the price will vary depending on the type of certificate requested.

Where should my CA send the Domain Authorization Letter (DAL)?

The CA can send the DAL to any of the email addresses below:

Did this page help you?