AsyncOS allows you to
encrypt communications between the appliance and external machines by using a
certificate and private key pair. You can upload an existing certificate and
key pair, generate a self-signed certificate, or generate a Certificate Signing
Request (CSR) to submit to a certificate authority to obtain a public
certificate. The certificate authority will return a trusted public certificate
signed by a private key that you can then upload onto the appliance.
When the appliance is
in FIPS mode, you can continue to
The appliance’s FIPS
mode adds a number of restrictions to the certificates that the appliance uses
in order for the appliance to be FIPS compliant. Certificates must use one of
the following signature algorithms: SHA-1, SHA-224, SHA-256, SHA-384, and
SHA-512.
The appliance will not import certificates that do not use one of these algorithms. It also cannot be switched to FIPS mode if it has any non-compliant certificates in use on a listener; it displays an error message instead.
A Non-FIPS status for
a certificate will be displayed in both the CLI and the GUI when the appliance
is in FIPS mode. When selecting a certificate to use for a feature, such as a
listener or destination control, the appliance does not display non-compliant
certificates as an option.
See Working with Certificates for more information on using certificates on your appliance.
You can use
FIPS-compliant certificates with any of the following services:
- SMTP receiving and delivery. Use the Network > Listeners page (or the listenerconfig -> edit -> certificate CLI command) to assign the certificate to any listeners that require encryption using TLS. You may want to only enable TLS on listeners facing the Internet (that is, public listeners), or you may want to enable encryption for all listeners, including internal systems (that is, private listeners).
- Destination controls. Use the Mail Policies > Destination Controls page (or the destconfig CLI command) to assign the certificate as a global setting for all outgoing TLS connections for email delivery.
- Interfaces. Use the Network > IP Interfaces page (or the interfaceconfig CLI command) to enable the certificate for HTTPS services on an interface, including the management interface.
- LDAP. Use the System Administration > LDAP page to assign the certificate for all LDAP traffic that requires TLS connections. The appliance can also use LDAP for external authentication of users.