IronPort C360 and using internal CA for SSL error

So this is more of an archive for me, and for anyone else having a similar issue. IronPort C360 v7.1.2-020 🙂

Problem – The IronPort C360 spam appliance reports an invalid certificate when internal users browse to the website to release quarantined mail.

Fix – Use the internal Certificate Authority (CA) of the Active Directory environment to issue a certificate that validates the IronPort device.

Problem 2 – The IronPort device uses .pem format PKCS#12, and the AD CA only exports responses as .cer files.

Fix / Instructions – Outlined below

Disclaimer – Your Mileage May Vary – No explicit or implied warranty – If you follow these steps and it doesn’t work it is not my fault. Use at your own risk. By reading the instructions you agree to these terms.

———————————————————————————————

IronPort C360 Spam Filter

How to create and install certificate with internal Certificate Authority

Step 1 – Create the CSR on IronPort

  • Log on to the IronPort device and create a Certificate Signing Request (CSR) file.
  • Click Network – Certificate
  • Click Add Certificate
  • Click Create Self-Signed Certificate
    • Ensure you Submit, then Commit, at the end of this step after clicking Next, so the request is saved on the IronPort device. (If you fail to do this the IronPort device will not save the request and you may have to redo the entire process.)
  • Download the Certificate Signing Request from the IronPort device for submission to the internal CA.

Step 2 – Submit the CSR to CA

  • Open the website for your internal Certificate Authority server – e.g. http://CAserv/certsrv – to create a response to the CSR.
  • Click Request a Certificate – Advanced Certificate Request – Submit a certificate request using a base-64-encoded file.
  • Open the CSR from step 1 in Notepad to get the CSR text and paste it into the website.
  • Submit the request with the Web Server template and download the response.

Step 3 – Convert the CA response from .cer to .pem format via a Unix virtual machine.
</gml_replace>
<gr_replace lines="39-40" cat="clarify" orig="• Ubuntu 11.04">
  • Ubuntu 11.04 (Natty Narwhal) was used for the IronPort certificate in January 2011, with OpenSSL already available on the machine.
  • Use Ubuntu (or another Linux distro with OpenSSL installed) to convert the file to the required format.

  • Ubuntu 11.04 (Natty Narwhal) was used for IronPort certificate in January 2011 with Openssl as a service already running.
  • Use Ubuntu (or other Linux Distro running Openssl) to convert the file to the required format.
  • Copy the response from the CA in step 2 to the Unix machine.
  • Paste it on the Desktop (or a location of your choice) and convert it via Terminal.
    • Open Terminal and run the following command, modifying the particulars as needed.
    • openssl x509 -inform der -in '/home/kevin/Desktop/Ironportcertnew.cer' -out '/home/kevin/Desktop/Ironportcertnew.pem'
  • Note: the path (/home/kevin/Desktop/ above) will need to be modified to suit your environment.
  • Note: the file names are yours – the .cer file going in and the .pem file coming out.
  • Copy the created .pem file to a computer that has access to the IronPort device.
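As an added example (not part of the original post), the conversion above in pure Python with only the standard library, so it can be checked without an OpenSSL install. It does the same job as the openssl command: a DER-encoded .cer is base64-encoded and wrapped in CERTIFICATE headers, which is all the .pem format is. It also covers the failure mode the openssl line does not: the AD certsrv page can download the response as either DER or Base 64 encoded, and running -inform der on a file that is already Base 64 fails. The detection sniffs the DER outer SEQUENCE length and the PEM markers, and the sample bytes are a constructed DER SEQUENCE, not a real certificate.

```python
import base64
import re

# PEM body between the CERTIFICATE markers; \s* tolerates CRLF from Windows downloads.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed sample: a DER SEQUENCE (tag 0x30, long-form length 200) holding a
# 197-byte OCTET STRING. Not a real certificate, just well-formed DER framing.
SAMPLE_DER = b"\x30\x81\xc8\x04\x81\xc5" + b"\xaa" * 197


def der_outer_length(data: bytes):
    """Total byte length of the outermost DER SEQUENCE, or None if malformed.
    An X.509 certificate is a SEQUENCE, so the first byte must be 0x30."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(data) < 2 + n:
        return None
    length = int.from_bytes(data[2:2 + n], "big")
    return 2 + n + length


def detect_encoding(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' for a downloaded CA response."""
    if PEM_RE.search(data):
        return "pem"
    total = der_outer_length(data)
    # A truncated or padded DER file has an outer length that disagrees with the file size.
    if total is not None and total == len(data):
        return "der"
    return "unknown"


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as PEM: base64 in 64-character lines between CERTIFICATE markers."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem) -> bytes:
    """Extract the DER bytes from a PEM certificate (str or bytes)."""
    raw = pem if isinstance(pem, bytes) else pem.encode("ascii")
    m = PEM_RE.search(raw)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(b"".join(m.group(1).split()))


def convert_ca_response(data: bytes) -> str:
    """Turn whatever certsrv handed back (DER or Base 64) into a clean PEM string."""
    kind = detect_encoding(data)
    if kind == "pem":
        return der_to_pem(pem_to_der(data))   # re-wrap to normalise line endings
    if kind == "der":
        return der_to_pem(data)
    raise ValueError("response is neither a DER nor a PEM certificate")


if __name__ == "__main__":
    import sys
    # Usage: python convert.py Ironportcertnew.cer > Ironportcertnew.pem
    with open(sys.argv[1], "rb") as fh:
        sys.stdout.write(convert_ca_response(fh.read()))
```

On a real response file this produces the same output as openssl x509 -inform der -in file.cer -out file.pem; the extra value is the encoding check, which reports a truncated download or an already-Base-64 file before the upload to the IronPort device fails with a less helpful error.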

Step 4 – Upload the properly formatted file to IronPort device

  • Go back to Network – Certificate and find the self-signed certificate you created in step 1.
  • Note: if the name you created is not in the list of certificates, you will need to start step 1 over again.
  • Click Browse under Upload Signed Certificate and select the .pem file created in step 3.
  • Click Submit, then Commit, for the changes to take effect.

Step 5 – Specify Interface for use with the new signed certificate

  • Click Network – IP Interfaces.
  • Click the name of the interface on which you wish to use this certificate.
  • Select the name of the HTTPS certificate that you wish to use.
  • Submit, then Commit.
  • Test with the Internet Explorer browser to see whether the certificate is considered valid from the internal CA.
    • Click the SSL lock to view the certificate and validate that the certificate chain is what you expect it to be.
