Configure SMTP with Cisco ISE 3 | Import Microsoft 365 Certificates

If you are configuring the SMTP settings on Cisco ISE, you may have run into an interesting error when completing the configuration: Connection to smtp.domain.com failed. Could not connect to SMTP Server, SSL Error. Please check the trusted certificates.


In this case the issue is that Cisco ISE has to trust the connection to Microsoft 365, since we are connecting with the settings Microsoft recommends for MS365.

What do we do next? Find the certificate!

How do we get Office 365 or Microsoft 365 certificates? A quick search showed me a few Microsoft experts saying that Microsoft does not provide them. However, public certificates, intermediates and root certificates are by definition public, so I decided to play with how to get this certificate chain.

First, open your favorite terminal application on Mac or Windows and install OpenSSL. If you are running a Mac, most likely OpenSSL is already installed. For this example I will be using iTerm on Mac.

AndresS ~ % openssl
OpenSSL> s_client -connect smtp.office365.com:587 -starttls smtp

If you prefer Windows, install OpenSSL and run the following:

C:\OpenSSL-Win32\bin> openssl.exe s_client -connect smtp.office365.com:587 -starttls smtp

The command will print a lot of useful information on the terminal, but we are looking for the text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----, inclusive.

Make sure you save this, using a text editor, to a .cer file.

Now what do we do? Extract the certificates!

We will use Windows for the next part, because after 10+ years of using a Mac it still kicks my butt with a few things.

Once the file is saved, open it in the Windows certificate viewer.

The next thing we want to do is download the outlook.com certificate and the intermediate certificate from DigiCert. First, the intermediate.

Follow these 3 steps


Once inside the Details tab, click Copy File. This opens a new window so you can export the certificate. Keep the .cer extension.


Do the same thing with the outlook.com certificate.
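Added example, not from the original post: a POSIX shell script that automates the terminal step above. It pulls the complete STARTTLS chain with openssl s_client -showcerts, splits it into one .cer file per certificate and prints each subject and issuer, so the leaf, the intermediate and the root can be told apart without the Windows certificate viewer; the chain.txt and ise-certs names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: automate the openssl step above.
# fetch_chain needs network access; split_chain/describe_chain work on a saved file.

# fetch_chain HOST PORT -> raw s_client output. -showcerts makes the server's whole
# chain appear as PEM blocks (leaf first) instead of only the leaf certificate.
fetch_chain() {
    # </dev/null closes stdin so s_client exits instead of waiting for SMTP commands.
    openssl s_client -connect "$1:$2" -starttls smtp -showcerts </dev/null 2>/dev/null
}

# split_chain FILE OUTDIR -> writes OUTDIR/cert-1.cer, cert-2.cer, ... (one PEM block
# each; everything outside BEGIN/END is dropped) and prints the number of certificates.
split_chain() {
    outdir="$2"; n=0; inside=0
    mkdir -p "$outdir"
    while IFS= read -r line; do
        case "$line" in
            '-----BEGIN CERTIFICATE-----') n=$((n + 1)); inside=1; : > "$outdir/cert-$n.cer" ;;
        esac
        [ "$inside" -eq 1 ] && printf '%s\n' "$line" >> "$outdir/cert-$n.cer"
        case "$line" in
            '-----END CERTIFICATE-----') inside=0 ;;
        esac
    done < "$1"
    echo "$n"
}

# describe_chain OUTDIR -> subject and issuer of every split file, so you can tell the
# leaf (subject = mail host) from the intermediate and the root (subject = issuer).
describe_chain() {
    for f in "$1"/cert-*.cer; do
        echo "$f"
        openssl x509 -in "$f" -noout -subject -issuer | sed 's/^/  /'
    done
}

# Run as: sh ise-smtp-chain.sh --fetch [host] [port]   (script name is an assumption)
if [ "${1:-}" = "--fetch" ]; then
    fetch_chain "${2:-smtp.office365.com}" "${3:-587}" > chain.txt
    split_chain chain.txt ise-certs > /dev/null
    describe_chain ise-certs
fi
```

Servers usually omit the root CA from the chain they send, so if the last file's subject differs from its issuer, the root still has to be downloaded from the CA as described above.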

Import the certificates to Cisco ISE

We are almost there, I promise! Go to Cisco ISE and open the certificates section under Administration > System > Certificates.


The next step is key but easy. Locate the Trusted Certificates section on the left, select Import, and under Choose File pick your .cer file. Make sure Trust for authentication within ISE is selected.


Let’s test!

We are at the finish line. If you configured everything as described in this post, go to Administration > System > Settings > SMTP Server, enter your configuration and click Test Connection; the connection test should now succeed.

My 2 cents

This is not the most elegant way of doing this. The reason is that my email will not have any additional layer of security if Cisco ISE gets compromised, and I also have SMTP authentication on this account (which is not recommended). The usual best practice is to use a relay server and configure it to talk to MS365; since you control the SMTP relay, gathering the certificates should be easier.

My Setup

ISE running version 3.0.0.458. Yes, I'm planning to upgrade this guy to 3.1 soon; if anything crazy happens I may write another post.

Windows Server 2019

About the Author:

Andres Sarmiento, CCIE # 53520 (Collaboration)
Working professionally since 2003, Andres specializes in Unified Communications and Collaboration technologies, Enterprise Networks and Network Security. He has consulted for several companies in South Florida, as well as financial institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations of Cisco technologies, including Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and Hosted IPT service provider infrastructures.

You can follow Andres using Twitter, LinkedIn, or Facebook.
