During installation, you can configure the Sensor so that inbound traffic is delivered to it via TLS. If you plan to use SMTP over TLS delivery to the Sensor, you will need a private key (.key file), a signed TLS certificate (.pem file), and a certificate chain (.pem file).
Use SCP to upload the private key and certificate files to the proper directory. For example, enter the command:
scp private_key.pem admin@sensor:/data/tls-certs/
For example, to use a PKCS12 (also known as PFX) certificate, you must first convert it to the accepted formats: a private key (.key file), a signed TLS certificate (.pem file), and a certificate chain (.pem file). The following OpenSSL commands convert the certificate file as needed.
OpenSSL is installed on the Sensors, so the following commands can be run on the Sensor after using SCP to upload the PKCS12 files to the Sensor.
openssl pkcs12 -in tlsAgariCert.pfx -out nokeys_tlsAgariCert.pem -nokeys -nodes
openssl pkcs12 -in tlsAgariCert.pfx -out nocerts_tlsAgariCert.key -nocerts -nodes
openssl pkcs12 -in tlsAgariCert.pfx -out tlsAgariCert.pem -nodes
Configure Sensor to use the certificate
As you go through the initial Sensor setup, one of the configuration questions is "Do you want to configure TLS Certificates for incoming SMTP traffic to this Sensor?". The default answer is 'NO'. However, if you plan to use a certificate, enter 'Yes'. After choosing yes, you will be prompted to provide the file name of each file type in the following order:
- TLS Certificate file (.pem file) - labeled nokeys_tlsAgariCert.pem in the above example
- Private Key (.key file) - labeled nocerts_tlsAgariCert.key in the above example
- The certificate chain (.pem file) - labeled tlsAgariCert.pem in the above example
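Before answering the setup prompts, the three extracted files can be checked for a key/certificate mismatch and for key material left readable by other users. The script below is an added example, not vendor code: the function names are its own, and the throwaway self-signed PFX, its password and the CN are constructed so it runs offline.

```shell
#!/bin/sh
# Added example: sanity checks on the files extracted from a PKCS12 bundle.

# Succeeds only if the certificate ($1) and private key ($2) share a public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if the file contains a PEM private key block.
has_private_key() { grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; }

# Prints the number of PEM certificates in the file.
count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Restricts every file that holds key material to owner read/write only.
lock_down_keys() {
    for f in "$@"; do
        if has_private_key "$f"; then chmod 600 "$f"; fi
    done
}

# Constructed sample input: a throwaway self-signed certificate in a PFX.
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sensor.example" \
        -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null &&
    openssl pkcs12 -export -in "$1/sample.crt" -inkey "$1/sample.key" \
        -passout pass:constructed -out "$1/tlsAgariCert.pfx"
}

# The three conversion commands from this page; -passin is added only so the
# demo does not stop at the import-password prompt.
convert_pfx() {
    ( cd "$1" &&
      openssl pkcs12 -in tlsAgariCert.pfx -out nokeys_tlsAgariCert.pem -nokeys -nodes -passin pass:constructed &&
      openssl pkcs12 -in tlsAgariCert.pfx -out nocerts_tlsAgariCert.key -nocerts -nodes -passin pass:constructed &&
      openssl pkcs12 -in tlsAgariCert.pfx -out tlsAgariCert.pem -nodes -passin pass:constructed ) 2>/dev/null
}

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
make_sample_pfx "$work" && convert_pfx "$work" && cd "$work" || exit 1
lock_down_keys nokeys_tlsAgariCert.pem nocerts_tlsAgariCert.key tlsAgariCert.pem
key_matches_cert nokeys_tlsAgariCert.pem nocerts_tlsAgariCert.key && echo "key matches certificate"
for f in nokeys_tlsAgariCert.pem nocerts_tlsAgariCert.key tlsAgariCert.pem; do
    has_private_key "$f" && k=yes || k=no
    echo "$f: certificates=$(count_certs "$f") private_key=$k"
done
```

Because the third conversion command is run without -nokeys, tlsAgariCert.pem also contains the unencrypted private key, so it needs the same restrictive permissions as the .key file.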