If you have not done so, please be sure to read the following announcement:
Cisco Secure Email Informational Announcement - Certificates
Cisco offers 3rd party signed certificates to all Cisco Secure Email Cloud Gateway customers. For additional information, see the FAQ entries below: "Which 3rd party Certificate Authority (CA) does Cisco utilize to issue these certificates?" and "How much does the 3rd Party Signed certificate cost?"
Beginning in December of 2021, Cisco will automatically be renewing 3rd Party Signed certificates provided by Cisco as they approach expiration.
As a part of the service, Cisco permits customers to bring their own 3rd party signed certificates. Cisco will not automatically renew 3rd party signed certificates provided by customers, but will proactively open a TAC support request (SR) on behalf of the customer using the contact information we have on file. To ensure timely contact with the correct individuals, it is imperative that the contact information within the Cisco Secure Email Cloud Gateway systems is up to date. For assistance updating contact information for Cisco Secure Email Cloud Gateway, please engage our Technical Assistance Center (TAC) and request an update to the contact information for your instance.
At this time, the certificate that we provide, issued by HydrantID SSL CA G3, is free of charge and included in your CES purchase. If you wish to utilize your own CA, you will be responsible for the cost, and the price will vary depending on the type of certificate requested.
A 3rd party signed certificate is not a requirement, as most SMTP MTAs will operate without issue with a self-signed certificate. However, 3rd party certificate requirements and validation are becoming more commonplace and are even considered best practice, so it is generally a good idea to obtain a 3rd party signed certificate.
You have a few options in order to complete the installation and setup of a 3rd party signed certificate. To start, you could simply open a Cisco TAC case and we can create the certificate for you and provide you with any additional guidance; however, if you’re perhaps more familiar with the process and wish to utilize another certificate authority for signing, you can follow the steps here.
If you do choose to create your own certificate and get it signed by a 3rd party, follow the requirements below for selecting the common name, both when creating the certificate request and when sending the CSR to the authority.
- Common Name (SAN - Option 1) [Datacenter/Region Specific]:
mx1 would be used for the common name, but all individual esa1/2/3/4/etc., mx1/mx2, and ob1 records must be included in SAN attributes when the request is provided to the CA.
- Common Name (Wildcard - Option 2) [Datacenter/Region Specific]:
Of course, you can reach out to Cisco TAC at any time if you run into issues or have questions.
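For Option 1 (SAN), the CSR can be checked locally before it goes to the CA, since a request that omits one of the esa, mx or ob records produces a certificate that does not cover that host. The script below is an added example, not Cisco tooling or part of the original page; the domain `alloc.example.invalid` is a placeholder for your allocation's hostnames, and the list of four esa records is an assumption.

```shell
#!/bin/sh
# Added example (not Cisco tooling): build a CSR for the SAN option and
# verify its names before sending it to the CA.
set -eu

# Assumption: placeholder domain; use the hostnames of your own allocation.
DOMAIN="alloc.example.invalid"
# Host labels from the requirement: mx1/mx2, ob1 and each esaN record.
HOSTS="mx1 mx2 ob1 esa1 esa2 esa3 esa4"

# Print the subjectAltName value: DNS:mx1.<domain>,DNS:mx2.<domain>,...
san_list() {
  out=""
  for h in $HOSTS; do out="${out:+$out,}DNS:$h.$DOMAIN"; done
  printf '%s\n' "$out"
}

# Create a 2048-bit RSA key and a CSR with CN=mx1 and every record in the SAN.
# Requires OpenSSL 1.1.1 or later for -addext.
make_csr() {  # usage: make_csr <key-out> <csr-out>
  ( umask 077  # private key readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -keyout "$1" -out "$2" -subj "/CN=mx1.$DOMAIN" \
      -addext "subjectAltName=$(san_list)" )
}

# Return 0 only if the CN is mx1 and every required host is in the SAN.
check_csr() {  # usage: check_csr <csr-file>
  text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 2
  rc=0
  printf '%s\n' "$text" | grep -Eq "Subject:.*CN ?= ?mx1\.$DOMAIN" ||
    { echo "common name is not mx1.$DOMAIN" >&2; rc=1; }
  # One SAN entry per line, spaces removed, so matches are exact.
  sans=$(printf '%s\n' "$text" | grep -A1 'Subject Alternative Name' |
         tail -n 1 | tr -d ' ' | tr ',' '\n')
  for h in $HOSTS; do
    printf '%s\n' "$sans" | grep -Fxq "DNS:$h.$DOMAIN" ||
      { echo "missing SAN entry: $h.$DOMAIN" >&2; rc=1; }
  done
  return "$rc"
}

# Demo: generate into a scratch directory, then check the result.
tmp=$(mktemp -d)
make_csr "$tmp/mx1.key" "$tmp/mx1.csr"
check_csr "$tmp/mx1.csr" && echo "CSR in $tmp covers all required names"
```

`check_csr` can also be pointed at a CSR produced by other tooling, as long as `DOMAIN` and `HOSTS` are set to the names that request is supposed to carry.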
The CA can send the DAL to any of the email addresses below: