Certificates

Cisco Secure Email Cloud Gateway

🚧

If you have not done so, please be sure to read the following announcement:
Cisco Secure Email Informational Announcement - Certificates

Cisco provides the option for 3rd party signed certificates to all of our Cisco Secure Email Cloud Gateway customers.

Cisco Provided 3rd Party Signed Certificate

Cisco offers to provide 3rd party signed certificates for Cisco Secure Email Cloud Gateway customers. Please see the FAQ below for "Which 3rd party Certificate Authority (CA) does Cisco utilize to issue these certificates?" and "How much does the 3rd Party Signed certificate cost?" for additional information.

📘

Beginning in December of 2021, Cisco will automatically be renewing 3rd Party Signed certificates provided by Cisco as they approach expiration.

Customer Provided 3rd Party Signed Certificates

As a part of the service, Cisco permits customers to bring their own 3rd party signed certificates. Cisco will not automatically renew 3rd party signed certificates provided by customers but will proactively open a TAC support request (SR) on behalf of the customer using the contact information we have on file. To ensure timely contact with the correct individuals, it is imperative that the contact information within the Cisco Secure Email Cloud Gateway systems is up to date. For assistance updating contact information for Cisco Secure Email Cloud Gateway, please engage our Technical Assistance Center (TAC) and request an update to the contact information for your instance.

You can open an SR with the Cisco Support Case Manager or view the Cisco Support page for more options, including how to contact TAC by phone.

FAQ

Which 3rd party Certificate Authority (CA) does Cisco utilize to issue these certificates?

Currently, we use HydrantID SSL CA G3 as the Intermediate and primary issuer for any CES server certificates, and HydrantID SSL CA G3 is signed and issued by QuoVadis Root CA 2.

How much does the 3rd Party Signed certificate cost?

At this time, the certificate that we provide issued by HydrantID SSL CA G3 is free of charge and included in your CES purchase. If you wish to utilize your own CA then you will be responsible for the cost, and the price will vary depending on the type of certificate requested.

Do I need a 3rd party signed certificate?

While it’s not a requirement as most SMTP MTAs will operate without issue utilizing a self-signed certificate, 3rd party certificate requirements and validation are becoming more commonplace and even best practice. So, it is generally a good idea to obtain a 3rd party signed certificate.

How do I install and set up a 3rd party signed certificate?

You have a few options in order to complete the installation and setup of a 3rd party signed certificate. To start, you could simply open a Cisco TAC case and we can create the certificate for you and provide you with any additional guidance; however, if you’re perhaps more familiar with the process and wish to utilize another certificate authority for signing, you can follow the steps here.

If you do choose to create your own certificate and get it signed by a 3rd party, you will need to meet the following requirements when selecting the common name during creation and when sending the CSR over to the authority.

  • Common Name (SAN - Option 1) [Datacenter/Region Specific]:
      • mx1.[allocation].iphmx.com
      • mx1.[allocation].c3s2.iphmx.com
      • mx1.[allocation].eu.iphmx.com
      • mx1.[allocation].ca.iphmx.com
      • mx1.[allocation].ap.iphmx.com

📘

mx1 would be used for the common name, but all individual esa1/2/3/4/etc., mx1/mx2, and ob1 records must be included in SAN attributes when the request is provided to the CA.

  • Common Name (Wildcard - Option 2) [Datacenter/Region Specific]:
      • *.[allocation].iphmx.com
      • *.[allocation].c3s2.iphmx.com
      • *.[allocation].eu.iphmx.com
      • *.[allocation].ca.iphmx.com
      • *.[allocation].ap.iphmx.com
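
An added example, not Cisco's own tooling, of building the Option 1 request described above with OpenSSL: the common name is mx1 and every esa, mx, and ob1 host is listed in the SAN extension. The allocation name, region suffix, ESA count, the RSA 2048 key size, and the assumption that esaN/mx2/ob1 host names follow the same pattern as mx1.[allocation].iphmx.com are all placeholders to adjust for your allocation and your CA's requirements.

```shell
# Added example: CSR for Option 1 (CN = mx1, every host listed in SAN).
# Assumptions: allocation, region suffix and ESA count are caller-supplied
# placeholders; esaN/mx2/ob1 names are taken to follow the mx1 pattern.

# Print one DNS name per line: esa1..esaN, then mx1, mx2, ob1.
san_names() {
    alloc=$1; suffix=$2; esa_count=$3
    i=1
    while [ "$i" -le "$esa_count" ]; do
        echo "esa$i.$alloc.$suffix"
        i=$((i + 1))
    done
    for h in mx1 mx2 ob1; do echo "$h.$alloc.$suffix"; done
}

# Print an OpenSSL request config: CN = mx1, all names as SAN entries.
csr_config() {
    alloc=$1; suffix=$2; esa_count=$3
    cat <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext

[dn]
CN = mx1.$alloc.$suffix

[ext]
subjectAltName = @alt

[alt]
EOF
    san_names "$alloc" "$suffix" "$esa_count" |
        awk '{ printf "DNS.%d = %s\n", NR, $0 }'
}

# Generate key and CSR (key readable by owner only), then print the SAN
# list exactly as the CA will see it so missing hosts are caught early.
make_csr() {
    alloc=$1; suffix=$2; esa_count=$3; out=${4:-.}
    ( umask 077
      csr_config "$alloc" "$suffix" "$esa_count" > "$out/csr.cnf" &&
      openssl req -new -newkey rsa:2048 -nodes -config "$out/csr.cnf" \
          -keyout "$out/mx1.key" -out "$out/mx1.csr" ) || return 1
    openssl req -in "$out/mx1.csr" -noout -text |
        grep -A1 'Subject Alternative Name'
}

# Usage: sh make_csr.sh example-alloc eu.iphmx.com 2
if [ "$#" -ge 3 ]; then make_csr "$@"; fi
```

Compare the printed SAN list against the hosts in your allocation before submitting the CSR; the private key stays on the machine that generated it and is never sent to the CA.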

Of course, you can reach out to Cisco TAC at any time if you run into issues or questions.

Where should my CA send the Domain Authorization Letter (DAL)?

The CA can send the DAL to any of the email addresses below:

I need assistance. How can I contact Cisco to help?

You can open an SR with the Cisco Support Case Manager or view the Cisco Support page for more options, including how to contact TAC by phone.