The updatepvocert Command

You must use the updatepvocert command in the CLI to update the CA certificate of 2048 bits to enable Centralized Policy, Virus and Quarantines on the managed Cisco Email Security appliance that is in FIPS mode.

The Centralized Policy, Virus, and Outbreak Quarantines on the managed Email Security appliance is disabled when FIPS is enabled. From AsyncOS 13.0 onwards, appliances in FIPS mode uses a certificate of 2048 bits to enable Centralized Policy, Virus, and Outbreak Quarantines. The earlier AsyncOS versions have certificates of size 1024 bits.

example.mail.com> updatepvocert
This command will recreate the PVO certificate and key of strength 2048 bits. 
Also, the new certificate will be signed by a CA of strength 2048 bits. 
Hermes process will restart post certificate update. No commit will be required. 
Do you want to proceed with the certificate update? [Y]>

Certificate updated successfully. Hermes restart needed for the changes to be effective.
Do you want to restart hermes? []> Y

Enter the number of seconds to wait before abruptly closing connections. [30]>

Waiting for listeners to exit... Receiving suspended for euq_listener, cpq_listener. Waiting for outgoing deliveries to finish... Mail delivery suspended. Receiving resumed for euq_listener, cpq_listener. Mail delivery resumed.
Hermes will be up in a moment. Run the status command for hermes.

example.mail.com >