Configure SMTP with Cisco ISE 3 | Import Microsoft 365 Certificates

If you are configuring the SMTP setting on Cisco ISE, you may have found an interesting error when complete this configuration —> Connection to smtp.domain.com failed. Could not connect to SMTP Server, SSL Error. Please check the trusted certificates.

UntitledImage

In this case the issue is that Cisco ISE has to trust the connection with Microsoft 365, since we are doing the connection with MS365 recommended settings as follows:

UntitledImage

What we do next? – Find the certificate!

How do we get Office 365 or Microsoft 365 certificates? A quick search for that just showed me a few of Microsoft experts saying that Microsoft does not provide this. However if you know public certificates, intermediates and Root certificates are public, so I decided to do some playing with how to get this certificate chain

First open your favorite terminal application, either MAC or Windows. Install OpenSSL. If you are running MAC most likely you are already running OpenSSL. For this example I will be using iTerm for Mac.

AndresS ~ % openssl OpenSSL> s_client -connect smtp.office365.com:587 -starttls smtp



If you prefer using Windows install OpenSSL and run the following

C:\OpenSSL-Win32\bin> openssl.exe s_client -connect smtp.office365.com:587 -starttls smtp



The command will list good information on the terminal, but we are looking for the text inside the —–BEGIN CERTIFICATE——//—–END CERTIFICATE—–

Make sure you save this suing a text editor to a .cer file

Now what do we do? – Extract the Certificates!

We will use Microsoft for the next part, because after 10+ years using Mac it still kicks my butt with a few things

Once the file is saved, open it and it should look like this:

UntitledImage

The next thing we want to do is to download the outlook.com certificate and the intermediate certificate from Digicert. First the Intermediate

Follow these 3 steps

UntitledImage

once inside the Details Tab Click Copy File – this will open a new window so you can download the certificate. Keep the .cer extension

UntitledImage

Do the same thing with the outlook.com certificate

Import the certificates to Cisco ISE

We are almost there I promise! – go to Cisco ISE and open the certificates section, under Administration —> System —> Certificates

UntitledImage

Next step is key but easy. Locate the Trusted Certificates Section on the left – Select Import and under Choose File look for your .cer file – Make sure Trust for authentication within ISE is selected

UntitledImage

Let’s test!

We at the finish line, and if you configured everything as mentioned on this post, when you go to Administration —> System —> Settings —> SMTP Server and enter all your config and click Test Connection this is what you should see

UntitledImage

My 2 cents

This is not the most elegant way of doing this. Reason being is that my email will not have any layer of security if Cisco ISE get compromised, I also have SMTP authentication on this account (which is not recommended). Usually is best practice is to use a Relay Server and configure it to talk to MS365 – since you will have control of the SMTP Relay, the gathering of the certificates should be easier.

My Setup

ISE running Version 3.0.0.458 **Yes I’m planning to upgrade this guy to 3.1, soon if anything crazy happens I may create another post

Windows Server 2019

About the Author:

Andres Sarmiento, CCIE # 53520 (Collaboration)
Started working professionally in 2003, Andres is specialized in Unified Communications and Collaboration technologies | Enterprise Networks and Network Security. Consulted for several companies in South Florida, also Financial Institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations, including Cisco technologies, such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and Hosted IPT Service provider infrastructures.

You can follow Andres using Twitter, LinkedIn, or Facebook.

Leave a Comment

Your email address will not be published.

Scroll to Top