Using the Trend Micro SSL Portal

The Trend Micro SSL portal enables you to obtain and manage SSL certificates. Trend Micro SSL certificates are trusted automatically and transparently by most browsers. This trust is established because the Trend Micro SSL root certificate is embedded in most major browsers.

 

Setting up and signing in to your account

Set up your Trend Micro SSL account

At the end of the account activation process in the Trend Micro Customer Licensing portal, click Open Console to start the Trend Micro SSL setup process, described below. Alternatively, someone else may have completed the account activation and sent you a link to the Trend Micro SSL setup. The setup process provides the Trend Micro SSL vetting team with required information and creates a Global Administrator for your account.

  1. The first page displayed is the Welcome page, which outlines the setup process. Click Continue.
  2. Confirm that your contact information is correct and edit it if necessary. This information will be used to create a Global Administrator for your account. Enter an email address and password:
    • If you want to use the email address listed on this page to sign in to the Trend Micro SSL portal, simply enter your password in the two boxes provided and click Continue.
    • If you want to use a different email address, click Use the following email address as my Trend Micro SSL user ID, enter the address, and then click Continue. If you entered a new email address, a confirmation email message is sent to that address. The recipient clicks a link in the email message, which takes them to the Welcome page described in step 1. The recipient can edit their contact information and set their password, but they cannot change their email address.

    Note: Your password must be at least 8 characters long and must contain at least one of each of these types of characters:

    • numeric (for example, 1, 2, 3...)
    • alphabetic (for example, a, B, c...)
    • symbols (for example, #, $, !...)
  3. On the next page, confirm that your corporate information is correct and edit it if necessary. Trend Micro SSL uses this information to perform certain checks to ensure the validity of the corporation (a process known as vetting) and creates your first organization profile based on this information. Click Continue.
  4. Read and accept the terms of service, and then click OK.
  5. A confirmation page displays, stating that the account setup process is complete. You can sign in to the Trend Micro SSL portal by clicking the link provided.

Sign in to the Trend Micro SSL portal

  1. In a web browser, go to https://ssl-portal.trendmicro.com.
  2. Enter the email address and password that you specified when you set up your account. Click Sign In. If you enter the incorrect password five times, the account will be locked. If you have forgotten your password, click the password link on the sign-in page to recover your password. (See Reset your password, below.)
  3. The first time that you sign in to the Trend Micro SSL portal, you will see the Introduction slides, which provide you with an overview of the steps you need to perform next. Click the arrows on the slides to step through them. If you do not want the Introduction to display the next time you sign in, clear the Show this again after the next sign-in checkbox. The Introduction is always available from the Help menu at the top of the page.
  4. After closing the Introduction slides, you will see the Account tab, where you can add an organization profile. (See Manage your Organization Profiles for details.)

    After your account has an organization profile that has been approved and is in the Ready state, you will see the Certificates tab after sign-in. (See Obtaining certificates for details.)

When you want to sign out of the Trend Micro SSL portal, click Sign Out in the upper-right corner of the screen. You will be signed out automatically after 30 minutes of inactivity.

Complete an administrator setup

The Global Administrator for the account can add other administrators. The new administrator receives an email that contains a link that they click to activate their account. (See Manage your account's administrators for information on creating new administrators).

  1. Click the link provided in the invitation email.
  2. On the Welcome page that displays, confirm that your contact information is correct and edit it if necessary.
  3. Enter your password in the two boxes provided.

    Note: Your password must be at least 8 characters long and must contain at least one of each of these types of characters:

    • numeric (for example, 1, 2, 3...)
    • alphabetic (for example, a, B, c...)
    • symbols (for example, #, $, !...)
  4. Read and accept the terms of service, and then click OK.
  5. A confirmation page displays, stating that the account activation process is complete. You can sign in to the Trend Micro SSL portal by clicking the link provided.
  6. Enter the email address and password that you specified when you set up your account. Click Sign In. If you enter the incorrect password five times, the account will be locked. If you have forgotten your password, click the password link on the sign-in page to recover your password. (See Reset your password, below.)

When you want to sign out of the Trend Micro SSL portal, click Sign Out in the upper-right corner of the screen. You will be signed out automatically after 30 minutes of inactivity.

Reset your password

If you have forgotten your password, you can reset it using this procedure. For instructions on simply changing your password, see Change your password.

  1. On the sign-in page, click Forgot your password? The Reset Password page appears.
  2. Enter your email address and click OK. A message appears, stating that you will receive an email with instructions. Click OK.
  3. Open the email message and click the link provided. The Reset Password page appears.
  4. Enter your new password in both boxes and click OK. Your password must be at least 8 characters long and must contain at least one of each of these types of characters:
    • numeric (for example, 1, 2, 3...)
    • alphabetic (for example, a, B, c...)
    • symbols (for example, #, $, !...)
  5. A message appears, stating that your password has been changed successfully. Click OK. You will also receive an email informing you that your password has been reset successfully.

 

Obtaining certificates

About OV and EV certificates

There are two types of certificates that you can obtain from Trend Micro SSL:

Organization Validated (OV) SSL provides a basic level of vetting of an organization before issuance of a trusted SSL certificate. The Trend Micro SSL vetting team checks the right of the applicant to use the specified domain name and also checks into the existence of the organization itself. This vetted company information is displayed to customers when viewing the certificate details, giving more visibility into the organization behind the site.

Extended Validation (EV) SSL delivers the highest level of consumer trust through the strictest authentication standards of any SSL certificate. Extended Validation verification guidelines, created by an independent body, require Trend Micro SSL to obtain and verify multiple pieces of identifying information about the Organization and Organization Contacts listed in the account setup. When users visit sites secured with EV certificates, their browser address bar turns green. The guidelines for Extended Validation vetting are published by the CA/Browser Forum.

Notes about requesting certificates:

  • Before an EV certificate can be issued, the organization profile and the domains you will be protecting must be EV-enabled. (See Upgrade an organization profile to issue EV certificates and Manage the domains associated with an account.)
  • If a certificate request contains a new domain, confirmation of the new domain may delay the issuance of the certificate. If you are requesting an EV certificate, the new EV domain will require manual confirmation.
  • If a certificate request contains an Internationalized Domain Name (IDN), confirmation of a new IDN may delay the issuance of the certificate. New IDN confirmation must be done manually for both EV and OV requests.
  • If a certificate request contains an IP address (such as 198.30.21.143), the certificate cannot be issued.
  • The certificate request may contain a fully-qualified domain name (www.example.com), second-level domain (example.com), or a wildcard domain (*.example.com). All domain names must be publicly registered. Domains not publicly registered are considered internal server names (ISNs). Due to CA/Browser Forum requirements, the support for certificates that contain an ISN has been deprecated. Certificates containing an ISN are restricted to the OV level and must expire before November 1, 2015. In addition, certificates containing an ISN must be manually vetted, which may delay their issuance.
  • Certificates must have a key length greater than or equal to 2048 bits, due to the CA/Browser Forum Baseline Requirements for issuing certificates.

About hash algorithms

When you request a certificate, you must select the hash algorithm to use for the certificate signature: SHA-256 or SHA-1. If possible, you should select SHA-256 because SHA-1 certificates are scheduled to be deprecated by most browsers. For a list of servers and applications that are compatible with SHA-256, see this document from the CA Security Council.

Before October 2014, Trend Micro SSL offered two hash algorithm options: SHA-1 and SHA-2. Both of these options relied on a certificate chain that included a SHA-1-based signature, which is being deprecated by most browsers. Because of this planned deprecation, Trend Micro SSL will provide SHA-256 and SHA-1 as options for the hash algorithm until December 31, 2015. After December 31, 2015, Trend Micro SSL will provide only SHA-256 as an option.

  • SHA-256: The SHA-256 certificates are issued using a SHA-256-signed certificate chain, in compliance with the new browser requirements. You should plan to replace all SHA-1 and SHA-2 certificates with new SHA-256 certificates before 2016.
  • SHA-1: This option is provided for systems that do not support SHA-256. SHA-1 certificates will continue to use a certificate chain that includes a SHA-1-based signature. You can request SHA-1 certificates that expire on either December 31, 2015 or December 31, 2016; however, SHA-1 certificates that have an expiration date after December 31, 2015 will eventually cause a degraded HTTPS session symbol to appear in users’ browsers.

Get a new certificate

Before you can get a new certificate, you must be a Certificate administrator for a vetted, active organization profile. (See Manage your Organization Profiles for details.)

Note: Before requesting a certificate, please ensure that any domains you require have already been confirmed. (See Manage the domains associated with an account for details.) Otherwise, your certificate request will be delayed until the domain is properly confirmed.

  1. Generate a new CSR on your server. See Create a CSR for instructions.
  2. Open the CSR file in a text editor and copy the text, including the BEGIN and END tags.
  3. In the Trend Micro SSL portal, go to the main Certificates tab and then click the Certificates sub-tab.
  4. Click Add.
  5. On the New Certificate Request page:
    • Select the Organization Profile for which you are requesting a certificate.
    • Select the Certificate Type that you are requesting. If your Organization Profile allows EV certificates, you can select either EV or OV. Otherwise, the Certificate Type must be OV.
    • In the HASH Algorithm list, select the hash to use for the certificate signature, either SHA-256 or SHA-1. SHA-1 is being deprecated and should not be selected, except for special cases. For additional information, see About hash algorithms.
    • Set the Validity Period to either 1 year or 2 years. SHA-1 certificates are restricted to a validity period of either 31-Dec-2015 or 31-Dec-2016.
    • Paste the CSR in the box provided.
    • Optionally, enter Comments about the certificate order.
    • Click Continue.
  6. The Confirm Certificate Details page appears, where you can edit this information:
    • The Common Name of the server that you are protecting

      Note: If a certificate request contains an IP address (such as 198.30.21.143), the certificate cannot be issued. The certificate request may contain a fully-qualified domain name (www.example.com), second-level domain (example.com), or a wildcard domain (*.example.com). All domain names must be publicly registered. Domains not publicly registered are considered internal server names (ISNs). Due to CA/Browser Forum requirements, the support for certificates that contain an ISN has been deprecated. Certificates containing an ISN are restricted to the OV level and must expire before November 1, 2015. In addition, certificates containing an ISN must be manually vetted, which may delay their issuance.

    • The list of Current SANs. Subject Alternative Names (SANs) enable you to secure multiple host names with one SSL certificate. The Current SANs list can contain up to 98 domains; however, adding new domains may delay the issuing of the certificate because the domains will need to be confirmed.
    • In the Check/Modify Notifications area, specify who will receive notifications regarding this certificate (such as when it is issued, expiry warnings, and revocation notifications).

    Click Continue.

  7. If the Common Name or SANs list contains a new domain that has not been previously validated to the appropriate level (OV or EV), the Confirm Domain Control page appears, listing the new domains. Click Continue.
    • If the new domain must be confirmed at the OV level, the "Confirmation of Control for domain # of #" page appears. Select the email address where the domain ownership confirmation request will be sent. If none of the pre-populated email addresses is yours, select Manually Validate and the Trend Micro SSL vetting team will confirm the domain control manually. Click Continue. Repeat this step for each domain that you added.
    • If the new domain must be confirmed at the EV level, you are not prompted to choose an email address because the domain must be manually validated by the Trend Micro SSL vetting team. Continue to the next step.
  8. The Certificate Request Summary page appears, where you can review the request details before submitting the final certificate request. If the request is correct, click Finish and then click OK on the confirmation message that appears. Otherwise, click Back to edit the request or click Cancel to discard it.

If you have Approver permission, the new certificate order appears in the list on the Certificates tab, with a Status of "Pending".

If you do not have Approver permission, the certificate order appears in the list on the Certificates tab, with a Status of "Approve". The certificate request will need to be approved before it can change to a "Pending" status.

It typically takes 10 minutes or less to issue a new certificate. However, if Trend Micro finds any issues with your certificate request, the issuing of the certificate will be delayed until all issues are resolved. Common issues that may delay the issuing of a certificate include new domain confirmation and requests containing ISNs. In some instances, a new CSR may be required to complete the request.

When the certificate is ready for use, its status will change to "Issued".
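
The request rules stated in "Notes about requesting certificates" and in steps 5 and 6 above (no IP addresses, ISN limits, manual IDN confirmation, the 2048-bit minimum, the 98-SAN limit, the SHA-1 validity dates) can be checked before a CSR is pasted into the portal. The following Python is an added example, not Trend Micro code; the function names and the INTERNAL_SUFFIXES heuristic for spotting internal server names are assumptions, and the sample requests are constructed.

```python
import ipaddress
from datetime import date

MIN_KEY_BITS = 2048                   # page: key length must be >= 2048 bits
MAX_SANS = 98                         # page: Current SANs list holds up to 98 domains
ISN_CUTOFF = date(2015, 11, 1)        # page: ISN certificates must expire before this
SHA1_EXPIRIES = (date(2015, 12, 31), date(2016, 12, 31))  # page: allowed SHA-1 end dates

# ASSUMPTION: heuristic list of non-public suffixes. Whether a name is publicly
# registered is really a registry question; this only catches the obvious cases.
INTERNAL_SUFFIXES = {"local", "localhost", "internal", "lan", "corp", "home", "test", "invalid"}


def classify_name(name):
    """Classify one Common Name / SAN entry: ip, isn, idn, wildcard, public or invalid."""
    host = name.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(host.strip("[]"))
        return "ip"
    except ValueError:
        pass
    wildcard = host.startswith("*.")
    labels = (host[2:] if wildcard else host).split(".")
    if any(not label or "*" in label for label in labels):
        return "invalid"              # empty label, or wildcard outside the leftmost label
    if len(labels) < 2 or labels[-1] in INTERNAL_SUFFIXES:
        return "isn"                  # single-label name or non-public suffix
    if any(label.startswith("xn--") or not label.isascii() for label in labels):
        return "idn"
    return "wildcard" if wildcard else "public"


def preflight(common_name, sans, key_bits, hash_alg, cert_type, expires):
    """Return (blockers, warnings) for a planned request.

    blockers: conditions under which the page says the certificate cannot be issued.
    warnings: conditions the page says delay issuance or degrade the result.
    """
    blockers, warnings = [], []
    if key_bits < MIN_KEY_BITS:
        blockers.append(f"key is {key_bits} bits; minimum is {MIN_KEY_BITS}")
    if len(sans) > MAX_SANS:
        blockers.append(f"{len(sans)} SANs requested; limit is {MAX_SANS}")
    if hash_alg not in ("SHA-256", "SHA-1"):
        blockers.append(f"unsupported hash algorithm {hash_alg!r}")
    elif hash_alg == "SHA-1":
        if expires not in SHA1_EXPIRIES:
            blockers.append("SHA-1 validity must end on 31-Dec-2015 or 31-Dec-2016")
        elif expires > date(2015, 12, 31):
            warnings.append("SHA-1 expiring after 31-Dec-2015: degraded HTTPS indicator")
    # dict.fromkeys de-duplicates while keeping the order the requester gave.
    for name in dict.fromkeys([common_name, *sans]):
        kind = classify_name(name)
        if kind == "ip":
            blockers.append(f"{name}: certificates containing an IP address are not issued")
        elif kind == "invalid":
            blockers.append(f"{name}: malformed host name")
        elif kind == "isn":
            if cert_type == "EV":
                blockers.append(f"{name}: internal server names are restricted to OV")
            if expires >= ISN_CUTOFF:
                blockers.append(f"{name}: ISN certificates must expire before {ISN_CUTOFF}")
            warnings.append(f"{name}: internal server name, manual vetting will delay issuance")
        elif kind == "idn":
            warnings.append(f"{name}: a new IDN is confirmed manually, which may delay issuance")
    return blockers, warnings


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real order.
    samples = [
        ("www.example.com", ["example.com"], 2048, "SHA-256", "EV", date(2016, 6, 1)),
        ("198.30.21.143", [], 1024, "SHA-256", "OV", date(2016, 6, 1)),
        ("mail.corp.local", ["xn--bcher-kva.example.com"], 2048, "SHA-1", "EV", date(2016, 12, 31)),
    ]
    for sample in samples:
        blockers, warnings = preflight(*sample)
        print(sample[0], "->", "BLOCKED" if blockers else "ok")
        for line in blockers + warnings:
            print("   ", line)
```

The key size and names of an existing CSR can be read with `openssl req -in request.csr -noout -text` and passed to `preflight` by hand.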

About weak keys

Between 2006 and 2008, the Debian OpenSSL library contained a bug that resulted in the generation of weak, predictable keys for SSL certificates and other uses. The bug also compromises other keys and passwords that are transmitted over an encrypted link that uses weak keys.

When you request an SSL certificate by pasting a CSR into the Trend Micro SSL Portal, the portal checks whether the CSR contains a Debian weak key. If the CSR contains a weak key, you will need to upgrade to the new version of the OpenSSL package, generate a new key pair, and create a new CSR.

For details on the Debian bug and instructions on how to fix it on your systems, see the Debian wiki.

View a list of your organization’s certificates

  1. Click the Certificates tab, if it is not already displayed. By default, the certificates are sorted by order number. You can only see certificates that belong to organization profiles for which you are an administrator.
  2. There are three ways that you can filter the list of certificates:
    • Click a column heading to sort the table based on the data in that column. By default, the table is sorted by descending order number.
    • Perform a search on all text in the table. In the box in the upper-right corner of the tab, enter the search string in the search field and click the magnifying glass icon.
    • Use the Filter by Status drop-down list to display only certificates with a particular Status.

    Note: Table sorting and filtering is maintained until the next time you sign in to the portal.

  3. The table lists the following information about your certificates:
    • Order: Click the order number to display the Certificate Details for that order. (See View certificate details)
    • Common Name: Website name that will be secured by this certificate, such as www.example.com or example.com.
    • Type: Type of certificate, either OV (Organization Validated) or EV (Extended Validation). (See About OV and EV certificates)
    • Serial Number: Serial number of the certificate, which you can use to identify the certificate after it is installed on your server.
    • Ordered: Date when the certificate was ordered. The date format is determined by your browser language settings.
    • Issued: Date when the certificate was issued

      Note: The certificate's issued time is set 10 minutes earlier than the actual issuing time, so it may occasionally appear as if a certificate was issued before it was requested. This is to allow for potential time synchronization issues that may occur between the CA, customer browsers, and your web servers.

    • Expires: Date when the certificate will expire
    • Requester: Email address of the person who requested the certificate
    • Profile: Organization profile for which the certificate was requested
    • Status: Certificate status, which can be one of the following:
      • Issued: The certificate has been issued and is valid.
      • Pending: The certificate has been requested but has not been issued.
      • Approve: The certificate was requested by someone who does not have approval permission, and it has not yet been approved.
      • Revoked: The certificate has been revoked.
      • Canceled: The certificate request was canceled while it was in the pending state. The certificate was not issued.
      • Expired: The certificate was not renewed within its validity period and is no longer valid.
      • Rejected: The certificate request did not pass the vetting process and was not issued.
      • Canceling: A cancelation request has been issued for the certificate request.
      • Unused: The certificate was issued but has been flagged as unused. You can restore unused certificates that have not expired. (For more information, see Restore an unused certificate.)

View certificate details

  1. Click the Certificates tab, if it is not already displayed.
  2. Click the Common Name of a certificate to display the certificate details.

    The certificate details include:

    • Common Name: Website name that will be secured by this certificate, such as www.example.com or example.com. If it is a wildcard certificate, the common name begins with * (for example, *.yourcompany.com). The common name was specified in the certificate request.
    • SANs: Subject Alternative Names (SANs) enable you to secure multiple host names with one SSL certificate. The SANs field lists the Common Names of the SANs secured by this certificate. This information is obtained as part of the certificate request. The list also includes the second-level domain (for example, for www.yourcompany.com, “yourcompany.com” is included). System-generated SANs are displayed at the top of the list, in gray text. Any SANs that you added are displayed at the end of the list, in black text.
    • Profile: Organization profile for which the certificate was requested
    • Organization: Full legal name of your company. The name will match the organization information for the organization profile at the time the certificate was requested.
    • City/Locality: Full name of the locality or city where your company is headquartered. The locality was specified in the certificate request.
    • State/Province: Full name of the state or province where your company is headquartered. The state was specified in the certificate request.
    • Country: Two-letter ISO 3166 country code. For example, the code for Japan is “JP”. The country was specified in the certificate request.
    • Serial Number: Serial number of the certificate, which you can use to identify the certificate after it is installed on your server.
    • Status: Certificate status, which can be one of the following:
      • Issued: The certificate has been issued and is valid.
      • Pending: The certificate has been requested but has not been issued.
      • Approve: The certificate was requested by someone who does not have approval permission, and it has not yet been approved.
      • Revoked: The certificate has been revoked.
      • Canceled: The certificate request was canceled while it was in the pending state. The certificate was not issued.
      • Expired: The certificate was not renewed within its validity period and is no longer valid.
      • Rejected: The certificate request did not pass the vetting process and was not issued.
      • Canceling: A cancelation request has been issued for the certificate request.
      • Unused: The certificate was issued but has been flagged as unused. You can restore unused certificates that have not expired. (For more information, see Restore an unused certificate.)
    • Type: Type of certificate, either OV or EV
    • Key length: Certificates must have a key length greater than or equal to 2048 bits, due to the CA/Browser Forum Baseline Requirements for issuing certificates.
    • Hash: The hash used for the certificate signature, either SHA-256 or SHA-1. For additional information, see About hash algorithms.
    • Requester: Email address of the person who requested the certificate
    • Approver: Email address of the person in your organization who approved the certificate request. This may be the same as the Requester, if the person who requested the certificate also has approval permission.
    • Notification Recipients: Email addresses of people who will receive notifications regarding the certificate. You can click the Edit button to edit the list of recipients.
    • Comments: Optional comments about the certificate. You can click the Edit button to add or edit comments.

    If the certificate status is “Issued”, these also appear:

      • Issued: Date when the certificate was issued.

        Note: The certificate's issued time is set 10 minutes earlier than the actual issuing time, so it may occasionally appear as if a certificate was issued before it was requested. This is to allow for potential time synchronization issues that may occur between the CA, customer browsers, and your web servers.

      • Expires: Date when the certificate will expire. Be sure to renew the certificate before it expires.
      • Download: Click this button to download your certificate or CA certificates in the trust chain. (See Download certificates for details.)
      • Site Seal: The Trend Micro SSL Site Seal allows your website visitors to confirm the current status of your Trend Micro SSL certificates and provides increased trust in your website. It should be displayed on either the first secure web page that visitors view before they go to any of your other secure pages or on all of your secure pages. Click this button to select a Trend Micro Site Seal and then create the appropriate Site Seal HTML code. Copy this code and paste it into the HTML for your website where you would like the site seal to appear. (See Get a site seal for your website for details.)
      • Health Check: Click this button to run a Health Check on this certificate. (See Verify that your certificate is installed correctly for details.)
      • Re-issue: Make a copy of your certificates with a new CSR. (See Re-issue a certificate with a new CSR for details.)
      • Renew: Click this button to renew your certificate. This option is available only within 90 days of the certificate expiration date or after it expires. (See Renew a certificate for details.)
      • Unused: Primary Administrators can click this button to change the certificate status to "Unused". You will not receive expiration notifications for certificates marked as unused. You can restore unused certificates until they reach their expiration date.
      • Revoke: Click this button to revoke your certificate if your private key has been compromised or you feel your certificate must be revoked for some other reason. Caution: This operation cannot be reversed. (See Revoke a certificate for details.)

     

    If the certificate status is “Pending”, this button also appears:

    • Cancel: Click this button to cancel a pending certificate request. When you click this button, the certificate status is changed to "Canceling". When the system has processed the cancelation, the status is changed to "Canceled".

     

    If the certificate status is “Approve”, these also appear:

    • Approve: Click this button to approve the certificate order. (See Approve a certificate request for details.)
    • Cancel: Click this button to cancel a certificate request waiting for approval. When you click this button, the certificate status is changed to "Canceled".

     

    If the certificate status is “Revoked”, these also appear:

    • Revoked: Date when the certificate was revoked
    • Revoked by: Email address of the person who revoked the certificate
    • Revocation Reason: Text describing why the certificate was revoked
    • Re-issue: Make a copy of your certificates with a new CSR. (See Re-issue a certificate with a new CSR for details.)

     

    If the certificate status is “Expired”, these buttons also appear:

    • Re-issue: Make a copy of your certificates with a new CSR. (See Re-issue a certificate with a new CSR for details.)
    • Renew: Click this button to renew your certificate. This option is available only within 90 days of the certificate expiration date or after it expires. (See Renew a certificate for details.)

     

    If the certificate status is “Unused”, these also appear:

    • Issued: Date when the certificate was issued.
    • Expiration: Date when the certificate will expire.
    • Re-issue: Make a copy of your certificate with a new CSR. (See Re-issue a certificate with a new CSR for details.)
    • Revoke: Click this button to revoke your certificate if your private key has been compromised or you feel your certificate must be revoked for some other reason. Caution: This operation cannot be reversed. (See Revoke a certificate for details.)
    • Restore: Click this button to restore the certificate to Issued status, which makes the certificate valid again. You cannot restore expired certificates.
  3. Click Back to return to the list of certificates.

Download certificates

When your certificate order status is "Issued", you can download the certificate and install it on your server. The certificate is also attached to an email notification that is sent when the certificate is issued. Your Trend Micro end-entity certificate (the server certificate) is part of a "certificate chain" that establishes trust between your certificate and the trusted root CA in a web browser or application key store. In order for your certificate to be trusted by your users' browsers, you must install all of the intermediate certificates in the trust chain along with your server certificate (the server certificate, the Trend Micro CA certificate, and the AffirmTrust Networking CA certificate). For details on which certificates you will need to install and how to do it, see Install your SSL certificate.

After you have installed your certificate, please use the Health Check tool to validate that your certificate is installed properly.

To download your certificate:

  1. On the Certificates tab, click the Common Name of the certificate that you want to download.
  2. Check the information on the Details page to make sure you have selected the correct certificate.
  3. Click Download. This displays the Download Certificate page.
  4. There are several types of certificate files that you can download. See Install your SSL certificate to find out which files you should download.
    • In the upper part of the page, the server certificate is available in PKCS#7 format:
      • Click the server certificate name to download it as a file with a .p7b extension.
      • The text box also contains the server certificate, which you can copy and paste into a .p7b file.
    • In the Additional Certificates area, you can download:
      • the server certificate
      • two intermediate certificates. If you selected SHA-256, the certificates are Trend_Micro_S2_CA.crt and Affirmtrust_Commercial.crt. If you selected SHA-1, the certificates are Trend_Micro_CA.crt and Affirmtrust_Networking.crt.
      • all-certificates.zip, which contains the server, intermediate, and root certificates. This file is mostly used for IIS servers.
      • the certification authority bundle, which contains the intermediate and root certificates. This file is mostly used for OpenSSL-based web servers.
  5. Click Back when you have finished downloading the certificates.

Get a site seal for your website

The Trend Micro SSL Site Seal allows your website visitors to confirm the current status of your Trend Micro SSL certificates and provides increased trust in your website. It should be displayed on either the first secure web page that visitors view before they go to any of your other secure pages or on all of your secure pages.

  1. On the Certificates tab, click the Common Name of the certificate.
  2. Check the information on the Details page to make sure you have selected the correct certificate. Each order number will generate a different site seal.
  3. Click Site Seal.
  4. On the Create Trend Micro SSL Site Seal page, select the Site Seal Size that you want to add to your website and click Create.
  5. A script appears in the box at the bottom of the page. Copy the code and paste it into the HTML for the website where you want the site seal to appear.

If you renew your certificate in the future, you will not need to regenerate a new site seal.

Verify that your certificate is installed correctly

After you install your certificate on your server, use the Health Check tool to verify whether it is installed correctly. The Health Check tool also checks for the following vulnerabilities and will provide warnings in the results if they are found:

  • Vulnerability to a CRIME attack (See this Wikipedia page for information.)
  • Whether the web server accepts weak cipher suites in an SSL handshake (See this OWASP page for information.)
  • SHA-1 certificates, which are scheduled to be deprecated by most browsers. For more information, see About hash algorithms.

Note: In order to use the Health Check tool, you must have Java installed and enabled for your web browser.

  1. On the Certificates tab, click the Common Name of the certificate. This displays the certificate details.
  2. Click Health Check.
  3. On the Health Check page, enter a list of URLs where the certificate has been installed. Separate multiple URLs with spaces, commas, semicolons, or new lines.
  4. Click Check Now.
  5. A message box appears to inform you that a Java applet is launching and then another appears while the Health Check is running. To continue with the Health Check, do nothing. If you do not want to continue, click Cancel. When a message appears, stating that the Health Check is complete, click OK.

    Note: If Java is not enabled on your computer, you will see an error message instead of the messages described in this step. To run a Health Check, install Java on your computer and then restart your web browser.

  6. The Health Check results display at the bottom of Health Check page.

If the Health Check tool finds a problem, reconfigure your server and then run another Health Check.

One of the most common problems is caused by not including the complete certificate chain (the server certificate, the Trend Micro CA certificate, and the AffirmTrust Networking CA certificate). For instructions on downloading those certificates, see Download Certificates.

Re-issue a certificate with a new CSR

If you are experiencing problems with a certificate, you may need to re-issue the certificate with a new CSR and reinstall it on your server. You may also re-issue a certificate so that you can use it on multiple servers that have the same Common Name (for example, when you are doing load balancing). When you re-issue a certificate, all of the fields in the CSR are defaulted to the values in the fields.

If the original certificate was an OV certificate, you will be re-issued an OV certificate. If the original certificate was an EV certificate, you will be re-issued an EV certificate, unless your account or one of the domains in the certificate request is no longer EV-validated. In that case, you will be re-issued an OV certificate.

  1. Generate a new CSR on your server. See Create a CSR for instructions.
  2. Open the CSR file in a text editor and copy the text, including the BEGIN and END tags.
  3. On the Certificates tab, click the Common Name of the certificate that you want to re-issue.
  4. Check the certificate details to make sure you have selected the correct certificate.
  5. Click Re-issue.
  6. On the Re-Issue Certificate page, paste the text of the CSR file in the Paste in CSR box. You can also edit this information, which is obtained from the previous version of the certificate:
    • The Organization Profile for which the certificate is being requested. Note that if you change the organization profile, the domains from the original certificate will need to be confirmed for the new organization, if they have not been already.
    • The Certificate Type, either EV or OV.
    • The HASH algorithm used for the certificate signature, either SHA-256 or SHA-1. All certificate requests will default to SHA-256, independent of the algorithm used in the certificate being re-issued. For additional information, see About hash algorithms.
    • The Validity period of the certificate, either 1 or 2 years. SHA-1 certificates are restricted to a validity period of either 31-Dec-2015 or 31-Dec-2016.
    • Optional Comments about the certificate

    Click Continue.

  7. On the Confirm Certificate Details page, in the Check/Modify Notifications area, specify who will receive notifications regarding this certificate (such as when it is issued, expiry warnings, and revocation notifications). Click Continue.
  8. If the Common Name or SANs list contains a new domain that has not been previously validated to the appropriate level (OV or EV), the Confirm Domain Control page appears, listing the new domains. Click Continue.
    • If the new domain must be confirmed at the OV level, the "Confirmation of Control for domain # of #" page appears. Select the email address where the domain ownership confirmation request will be sent. If none of the pre-populated email addresses is yours, select Manually Validate and the Trend Micro SSL vetting team will confirm the domain control manually. Click Continue. Repeat this step for each domain that you added.
    • If the new domain must be confirmed at the EV level, you are not prompted to choose an email address because the domain must be manually validated by the Trend Micro SSL vetting team. Continue to the next step.
  9. The Certificate Request Summary page appears, where you can review the request details before submitting the final certificate request. If the request is correct, click Approve and then click OK on the confirmation message that appears. Otherwise, click Back to edit the request or click Cancel to discard it.

If you have Approver permission, the new certificate order appears in the list on the Certificates tab, with a Status of "Pending".

If you do not have Approver permission, the certificate order appears in the list on the Certificates tab, with a Status of "Approve". The certificate request will need to be approved before it can change to a "Pending" status.

When the certificate is ready for use, its status will change to "Issued".

Renew a certificate

To ensure continuous security, do not let your SSL certificates expire. When you renew a certificate, all of its information remains the same, except that the validity period is updated. You can only renew a certificate when it is within 90 days of its expiry date or after it expires. You can renew a certificate only once.

If the original certificate was an OV certificate, you will be re-issued an OV certificate. If the original certificate was an EV certificate, you will be re-issued an OV certificate, unless your account or one of the domains in the certificate request is no longer EV-validated. In that case, you will be re-issued an OV certificate.

Notifications about the renewal appear in the notifications list as expiration notifications. They are also emailed to the Notification Recipients for the expiring certificate. Once a certificate has been renewed, expiration notifications are no longer sent. The renewed certificate appears in the Certificates list and has the status of “Pending”.

  1. On the Certificates tab, click the Common Name of the certificate that you want to renew.
  2. Check the certificate details to make sure you have selected the correct certificate.
  3. Click Renew.
  4. On the Renew Certificate page, you can edit this information:
    • The Organization Profile for which the certificate is being requested. Note that if you change the organization profile, the domains from the original certificate will need to be re-confirmed for the new organization, if they have not been already.
    • The Certificate Type, either EV or OV.
    • The HASH algorithm used for the certificate signature, either SHA-256 or SHA-1. All certificate requests will default to SHA-256, independent of the algorithm used in the certificate being renewed. For additional information, see About hash algorithms.
    • The Validity period of the certificate, either 1 or 2 years. SHA-1 certificates are restricted to a validity period of either 31-Dec-2015 or 31-Dec-2016.
    • Optional Comments about the certificate
    • You can also paste a new CSR in the Paste in CSR box.

    Click Continue.

  5. On the Confirm Certificate Details page, in the Check/Modify Notifications area, specify who will receive notifications regarding this certificate (such as when it is issued, expiry warnings, and revocation notifications). Click Continue.
  6. If the Common Name or SANs list contains a new domain that has not been previously validated to the appropriate level (OV or EV), the Confirm Domain Control page appears, listing the new domains. Click Continue.
    • If the new domain must be confirmed at the OV level, the "Confirmation of Control for domain # of #" page appears. Select the email address where the domain ownership confirmation request will be sent. If none of the pre-populated email addresses is yours, select Manually Validate and the Trend Micro SSL vetting team will confirm the domain control manually. Click Continue. Repeat this step for each domain that you added.
    • If the new domain must be confirmed at the EV level, you are not prompted to choose an email address because the domain must be manually validated by the Trend Micro SSL vetting team. Continue to the next step.
  7. The Certificate Request Summary page appears, where you can review the request details before submitting the final certificate request. If the request is correct, click Approve.
  8. A message appears, stating that the certificate request has been submitted and that a link to the new certificate will be sent to you shortly. Click OK to proceed.
  9. When you receive the renewed certificate, install it on your server. (See Install your SSL certificate for instructions.)

Mark a certificate as unused

A certificate may have been requested for testing purposes or it might not be fully functional and needs to be replaced. In these situations, the issued certificate may end up being unused. If your Certificates list contains certificates that you do not intend to use, they can be marked as "Unused". You will not receive expiration notifications for certificates marked as unused.

Primary Administrators can mark certificates as unused. Standard Administrators can also mark certificates as unused if the Allow Standard Administrators to revoke certificates or set certificates as unused option has been selected for the certificate's organization profile.

  1. On the Certificates tab, click the Common Name of the certificate.
  2. Check the information on the Details page to make sure you have selected the correct certificate.
  3. Click Unused.
  4. On the confirmation page that appears, click Yes.

The certificate status is now "Unused" and the certificate is no longer valid.

Note: You can restore unused certificates until they reach their expiration date. (See Restore an unused certificate, below.)

Restore an unused certificate

You can restore any certificate with a status of "Unused", as long as it has not expired. Restoring a certificate makes it valid for use again.

  1. On the Certificates tab, click the Common Name of the unused certificate.
  2. Click Restore.
  3. On the confirmation page that appears, click Yes.

The certificate is now ready for use and has a status of "Issued".

Revoke a certificate

You can revoke a certificate for a variety of reasons, including if its private key has been compromised. However, be cautious because the revocation is permanent; a certificate cannot be un-revoked. You can, however, re-issue the certificate with a new key.

Note: If you select “The private key associated with the Public Key listed in the certificate has been stolen or compromised” as the revocation reason, you will not be able to request another certificate with this Public Key.

Primary Administrators can revoke certificates. Standard Administrators can also revoke certificates if the Allow Standard Administrators to revoke certificates or set certificates as unused option has been selected for the certificate's organization profile.

  1. On the Certificates tab, click the Common Name of the certificate that you want to revoke.
  2. Check the information on the Details page to make sure you have selected the correct certificate.
  3. Click Revoke.
  4. On the Revoke Certificate page, select the reason why you are revoking the certificate:
    • The information in the certificate is incorrect or inaccurate
    • There has been a material change in the information contained in the certificate
    • The private key associated with the Public Key listed in the certificate has been stolen or compromised
    • There has been a change in the ownership of my web server
    • The original Certificate Request was not authorized
    • Other reason. If you select this option, enter the details in the text box.
  5. Click Revoke.
  6. A message appears, stating that the procedure cannot be reversed. Click Yes to proceed.

On the Certificates tab, the certificate has the status of “Revoked”.

Approve a certificate request

Certificates can be requested by someone who does not have approval permission for certificates. This includes:

  • Non-administrators who use the Certificate Request Portal to submit a certificate request
  • Standard Administrators for organizations where Standard Administrators do not have permission to approve certificate requests

When a certificate is requested by someone who does not have approval permission, the certificate order is added to the Certificates list with a Status of "Approve".

The certificate order must be approved by a Primary Administrator for the organization, or by a Standard Administrator if the organization allows that permission.

  1. In the Trend Micro SSL portal, click the Certificates tab, if it is not already displayed.
  2. Find the appropriate certificate order. Its Status is "Approve". Click the Common Name of the certificate to display the Details page.
  3. Click Approve.
  4. On the page that appears, confirm the certificate details and click Continue.
  5. On the next page, click Approve. A confirmation message appears, stating that the certificate request has been approved and submitted. Click OK.

In the Certificates list, the certificate Status is listed as "Pending". When the certificate is ready for use, its status will change to "Issued".

Cancel a certificate request

If you have mistakenly requested a certificate or made an error in the request, you can cancel the certificate request if it has a status of Pending or Approve. The cancelation of a certificate with a status of Approve will take effect immediately. The cancelation of a certificate with a status of Pending is not guaranteed because pending certificate requests are processed on a regular basis.

Both Primary Administrators and Standard Administrators for an organization profile can cancel a certificate request in that organization profile.

  1. On the Certificates tab, click the Common Name of the certificate that you want to cancel.
  2. Check the information on the Details page to make sure you have selected the correct certificate order.
  3. Click the Cancel button.
  4. A warning message appears. Click Yes to cancel the order.

Export a list of certificates

You can export a comma-separated report (CSV file) that lists details about your certificates. You can then open the CSV file in a spreadsheet.

  1. Click the Certificates tab, if it is not already displayed. Display the number of certificates that you want to include in the CSV file.
  2. Optionally, filter the list of certificates. The CSV file will include all of the certificates that are displayed in the table.
  3. Click Export. The export-orders.csv file is saved to your computer.

 

Manage the domains associated with an account

Before you can obtain a certificate for a domain, you must add the domain to your account. Domains may be added as part of the certificate request process or through the Domains tab. Domains used in a certificate request must be confirmed and in the Ready status before the certificate will be issued. The certificate status will remain Pending until all domains in the request are confirmed.

When you add a new domain, Trend Micro SSL performs certain checks to ensure the validity of the domain (a process known as vetting). Domain vetting may be done automatically using email-based confirmation or manually by the Trend Micro Vetting Team. Manual vetting of EV-enabled domains is more complex than manual vetting of OV-enabled domains, and may take longer. After the domains have been vetted, you can use them to obtain certificates.

View a list of domains associated with your account

  1. Click the Certificates tab at the top of the page and then click the Domains tab.
  2. By default, the domains are sorted by domain name. There are three ways that you can filter the list of domains:
    • Click a column heading to sort the table based on the data in that column.
    • Perform a search on all text in the table. In the box in the upper-right corner of the tab, enter the search string in the search field and click the magnifying glass icon.
    • Use the Filter by Status drop-down list to display only domains with a particular Status.
    • Note: Table sorting and filtering is maintained until the next time you sign in to the portal.

  3. The Domains page lists this information about each domain associated with your account:
    • Domain Name: Second-level domain name
    • Added: Date when the domain was added to the account
    • Requester: Email address of the person who requested that the domain be added to the account
    • Type: Type of domain, either OV or EV
    • Status: These are the statuses that may appear in the Status column:
      • Ready: The domain has been approved and can be used to obtain certificates.
      • Pending: The domain vetting process is underway.
      • Upgrading: The domain has been confirmed to the OV level and the vetting process for EV is underway.
      • Re-vetting: The domain re-vetting has started and must be completed before expiration.
      • Expiring: The domain has reached the re-vetting date and will expire soon, unless it is re-vetted.
      • Expired: The OV domain approval has expired and must be re-confirmed.
      • Suspended: The domain has been suspended.
      • Declined: The domain could not be vetted successfully.
    • Organization Profile: Organization profile associated with this domain. If you upgrade a domain to EV, the associated organization profile must also be EV.
    • Expires: Date when the domain will expire
    • Re-Vetting: Date when domain re-vetting will begin
  4. You can sort the table by clicking the column headings.

Add a domain

  1. Click the Certificates tab at the top of the page and then click the Domains tab.
  2. Click Add.
  3. On the Add Domains page:
    • Select a Profile Name to associate with the domain. If your domain will be confirmed to the EV level, the organization profile must also be vetted to the EV level.
    • Select the Level of Confirmation. If the organization profile is vetted to the EV level, you can choose from EV or OV. Otherwise, the Level of Confirmation will be set to OV.
    • In the Domain Names box, enter the domain name (second-level domain or higher), separated by spaces, commas, semicolons, or new lines.
  4. Click Continue.
  5. The confirmation of control page appears, where you select the email address where the request confirmation will be sent. If you are not the owner of any of the email addresses listed, you can select the Manually validate option and the Trend Micro SSL vetting team will confirm the domain control manually. This will delay issuance until the domain control has been confirmed. Click Continue. Repeat this step for each domain that you are adding.

    Note: If you click Skip on this page, the domain will not be added to the account.

  6. On the New Domain Request Summary page, review the list of domains and click OK.
  7. Confirmation email messages are sent to the email addresses that you selected in step 5, or the domains are manually validated by the Trend Micro SSL team. The status of the domains is listed as “Pending” until the domains are confirmed.

Note: You can add the same domain more than once if you need to associate it with different profiles. Simply follow the "Add a domain" procedure using the second organization profile. The domain will be listed twice on the Domains tab, but will only count as one unique domain for licensing purposes.

Approve or deny domain addition

When a domain is added or renewed, ownership of the domain can be confirmed via email. The confirmation email may be sent to the administrative email address found in the whois entry for a domain or one of five standard acceptable domain administrative addresses. If you are the recipient of the email, click the link provided in the confirmation email. A page is displayed, where you can agree to have the domain added to the Trend Micro SSL account, or deny the request.

To approve the request, select Approve and click OK. The status of the domain changes to "Ready".

To deny the request, select DO NOT approve and click OK. The domain will be deleted.

Upgrade an OV domain to EV

  1. Click the Certificates tab at the top of the page and then click the Domains tab.
  2. On the Domains page, click the "up arrow" next to the OV Type for the domain that you want to upgrade.
  3. The Domain Details page appears, where you can select the email address where the upgrade request confirmation will be sent. If you are not the owner of any of the email addresses listed, you can select the Manually validate option and the Trend Micro Vetting Team will confirm the domain control manually. This will delay issuance until the domain control has been confirmed. Click Upgrade.
  4. A confirmation email message is sent to the email address that you selected in the previous step, or the domain is manually validated by the Trend Micro Vetting Team. The status of the domain is listed as “Upgrading” until it is validated.

Resend or change the email address for a domain confirmation email

You can resend the domain confirmation email for any pending OV domain requests where you did not request manual processing. This option is not available for domains that are manually processed, including all EV domains.

  1. Click the Certificates tab at the top of the page and then click the Domains tab.
  2. On the Domains page, click the domain name.
  3. On the Domain Details page, select the email address where the request confirmation will be sent. If you are not the owner of any of the email addresses listed, you can select the Manually validate option and the Trend Micro SSL vetting team will confirm the domain control manually. This will delay issuance until the domain control has been confirmed. If you select the Manually validate option, you cannot switch back to an email confirmation. Click Re-Confirm.
  4. A confirmation email will be sent to the email address that you selected. The status of the domains is listed as “Pending” until the domains are confirmed.

Domain re-vetting

When a domain approaches the end of its validity period, its status is set to "Expiring". Also, the primary administrators and original requestor for the domain receive an email notification, prompting them to re-confirm ownership of the domain by initiating the re-vetting process. If you receive a notification, you should begin the process as soon as possible so that your domain does not expire.

Note: If you do not want to renew the domain, select the Decline option. You will not receive any further reminders about the domain until it expires.

  1. Click the Certificates tab at the top of the page and then click the Domains tab.
  2. On the Domains page, click the domain name (its status will be "Expiring").
  3. On the Domain Details page, select a "confirmation of control" method to validate and initiate the re-vetting of your domain. You can initiate an automated confirmation by selecting the email address where the confirmation request will be sent. If you are not the owner of any of the email addresses listed, you can select the Manually validate option and the Trend Micro SSL vetting team will confirm the domain control manually. This will delay issuance until the domain control has been confirmed. Click Re-Confirm.

    Note: By default, the vetting option used to originally add the domain will be selected. However, if the domain was originally vetted using an administrative email address, and that email address is no longer in the whois database, no default will be selected.

  4. If you selected an email address, a confirmation email will be sent to the address. If you selected the Manually validate option, the Trend Micro Vetting Team will begin the re-vetting process. The status of the domain is listed as “Re-vetting”.

If the vetting is completed successfully, its domain status will be "Ready". If the vetting is denied or fails, the domain status will be "Expiring". If the re-vetting is not completed before the domain expires, the status will be "Expired".

Delete a domain

You can remove a domain from the list unless it is part of a pending certificate request. Be careful when deleting domains because this operation cannot be undone. You will need to have the domain re-validated to add it back into your list of available domains.

  1. Click the Certificates tab at the top of the page and then click the Domains tab.
  2. On the Domains page, select the checkbox next to the domain that you want to delete and click Delete.
  3. Read the confirmation message that appears and click OK. A notification about the deletion is added to the Notifications page and is also emailed to the Primary Administrator for the organization profile.

Export a list of domains

You can export a comma-separated report (CSV file) that lists your domains. You can then open the CSV file in a spreadsheet.

  1. Click the Certificates tab at the top of the page and then click the Domains tab.
  2. Display the domains that you want to include in the CSV file. The CSV file will include all of the domains that are displayed in the table.
  3. Click Export. The Domains.csv file is saved to your computer.

    Using the Certificate Discovery Tool

    You can use the Certificate Discovery Tool to find any certificates that you have deployed to your servers. This tool reports on certificates issued by Trend Micro and certificates from other certificate authorities. The Certificate Discovery Tool provides an insight into the state of your SSL environment and highlights problems such as self-signed and expiring certificates that you should replace. The Certificate Discovery tool also provides warnings when it discovers SHA-1 certificates, which are scheduled to be deprecated by most browsers. For more information, see About hash algorithms.

    Before running a scan

    The Certificate Discovery Tool runs as a Java Webstart program, so in order to use it, you must have Java installed on your computer and enabled in your browser.

    Because the Certificate Discovery Tool will run from your computer, the system will appear to be scanning for SSL certificates from your local IP address. Before running the scan, you may want to provide your network security team with the IP address of the computer you will use to run the scan and the date and time that you plan to run it.

    Run a scan

    Do not shut down, sleep, or hibernate your computer while running a scan or you will end up with incomplete scanning results. If you have a big network, you may want to split the scan into several smaller scanning blocks and select the Merge scan results with previously saved results option to create a list of all of your certificates.

    1. Go to the main Certificates tab and then click the Discovery Tool sub-tab.
    2. If you have run a scan before, the results of that scan are displayed. Click New Scan.
    3. On the Setup New Scan page, specify how the scan will be run:
      • Include Addresses: The IP addresses or FQDNs that you want to scan. Separate addresses with a comma, semi-colon, or new line. You can also specify an IP range using a "-" (for example, 192.168.12.0-192.168.13.255) or CIDR notation (for example, 192.168.12.0/23). The Certificate Discovery Tool can scan a maximum of 65,534 address and port number combinations. For example, if you choose to scan 50 addresses and two additional ports, that makes a total of 150 combinations.
      • Exclude Addresses: If you included a range of addresses to be scanned but want to exclude certain addresses within that range, specify them here. You can exclude individual IP addresses or FQDNs, or a range of addresses. For example, you could enter 10.64.44.1/24 in the Include Addresses box, and enter 10.64.44.1-10.64.44.20 here to exclude that part of the range from the scan.
      • Scan Additional Ports: By default, the Certificate Discovery Tool will scan port 443 for each of the addresses that you include. You can specify additional ports to be scanned, if required. However, adding ports will increase the amount of time and effort required to run the scan.
      • Scan Speed: "Normal" scan speed is recommended. The Certificate Discovery tool runs on your computer, and the faster it runs, the more resources it will consume. If your system is not busy with other tasks, you can choose "Fast". To consume fewer resources, choose "Slow".
      • Save Results: Specify whether you want to replace any existing scan results or merge the new results with the old ones. The Merge scan results with previously saved results option is useful when you want to perform several smaller scans and merge the results to create a complete list of your certificates. Tip: Select the Delete previous scan results and replace new results option about once a year to maintain a clean list of certificates.
    4. Click Run Scan. One or more message boxes will appear. If you are asked whether you want to allow the Certificate Discovery Tool to run, you should allow it.
    5. When the scan is complete, the scan results are displayed, listing this information for each certificate:
      • Addresses: IP address or FQDN where the certificate is installed
      • Port: Port used to install the certificate
      • Common Name: Common name of the server where the certificate is installed
      • Status: The possible statuses are:
        • Good: No problems were found with the certificate.
        • Expired: The certificate has expired.
        • Revoked: The certificate has been revoked.
        • Warning: There is a potential problem with the certificate. Check the Warning column in this table for details.
      • Expires: Date when the certificate will expire
      • Issued: Date when the certificate was issued

        Note: The certificate's issued time is set 10 minutes earlier than the actual issuing time, so it may occasionally appear as if a certificate was issued before it was requested. This is to allow for potential time synchronization issues that may occur between the CA, customer browsers, and your web servers.

      • Issuer: Certificate Authority that issued the certificate
      • Validation: The type of validation used to create the certificate, either EV or Non-EV. Trend Micro issues only EV and OV certificates, so if the Issuer is Trend Micro CA and the Validation is Non-EV, then the certificate is OV. If the Issuer is another CA and the Validation is Non-EV, the certificate may be either OV or DV. DV certificates are not considered as secure as OV.
      • Key Type: Algorithm used for the key
      • Hash: Hash used for the certificate signature
      • Key Length: Key length of the certificate
      • Warnings: Displays warnings regarding potential problems found with the certificate. These are the warnings that could appear:
        • Key Length: The certificate key length is too short. The certificate should be replaced.
        • Weak Key: The certificate key is a weak key. The certificate should be replaced.
        • Crime: The site has the CRIME attack vulnerability.
        • Self-signed: The certificate is self-signed. It should be replaced.
        • Status Unknown: The Certificate Discovery Tool was not able to get the certificate status. Possible causes include no OCSP or CRL link provided, link not accessible, or a certificate error.
        • Expiring: The certificate will expire within 30 days. The certificate should be replaced before it expires.
      • Last Scan: Date when the certificate discovery scan was performed
    6. You can click Export to export a comma-separated list of the scan results.

    7. Click Back to return to the main Certificate Discovery Tool page, which displays an overview of your last completed scan results:
      • Last Scan: Date and time when you last ran the Certificate Discovery Tool
      • Expiring/Expired: Number of certificates that have expired or will expire soon
      • Scan Results: Either "Merged" or "New", depending on whether the Merge scan results with previously saved results or Delete previous scan results and replace new results option was selected for the last scan.
      • Warnings: Number of certificates that have potential problems, such as being expired or self-signed
      • Certificates Found: Total number of certificates found by the Certificate Discovery Tool
      • Trend Micro Certificates: Number of certificates that were issued by Trend Micro
      • Certificates by Expiration: Chart showing when certificates will expire
      • Certificates by Key Length: Chart showing key lengths of certificates
      • Certificates by CA: Chart showing number of certificates issued by each certificate authority
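
The warning and validation rules listed above can be re-applied to the exported scan results to cross-check what the export flagged. This is an added example, not Trend Micro code: the column headers, the YYYY-MM-DD date format, the semicolon separator inside the Warnings cell, and the minimum key sizes are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import date, datetime, timedelta

EXPIRY_WINDOW = timedelta(days=30)        # "Expiring" rule: expires within 30 days
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}   # assumed minimums; the page gives no numbers

# Constructed sample standing in for the Certificate Discovery Tool export.
# Headers and formats are assumptions; match them to the real file before use.
# The Hash column is carried along but not evaluated here.
SAMPLE_EXPORT = """\
Common Name,Issuer,Validation,Key Type,Hash,Key Length,Expires,Warnings
www.example.test,Trend Micro CA,EV,RSA,SHA256,2048,2031-03-01,
intranet.example.test,intranet.example.test,Non-EV,RSA,SHA1,1024,2030-06-20,Self-signed;Key Length
shop.example.test,Trend Micro CA,Non-EV,RSA,SHA256,2048,2030-06-25,
legacy.example.test,Other CA,Non-EV,RSA,SHA256,2048,2030-05-01,Status Unknown
"""


def validation_level(issuer, validation):
    """Resolve the Validation column the way the field description explains it."""
    if validation.strip().upper() == "EV":
        return "EV"
    if issuer.strip().lower() == "trend micro ca":
        return "OV"            # Trend Micro issues only EV and OV certificates
    return "OV or DV"          # another CA: Non-EV cannot be narrowed further


def recompute_warnings(row, today):
    """Re-derive the warnings that can be checked from the exported columns alone."""
    found = set()
    expires = datetime.strptime(row["Expires"].strip(), "%Y-%m-%d").date()
    if expires < today:
        found.add("Expired")
    elif expires - today <= EXPIRY_WINDOW:
        found.add("Expiring")

    minimum = MIN_KEY_BITS.get(row["Key Type"].strip().upper())
    bits = row["Key Length"].strip()
    # Fail closed: an unknown algorithm or unreadable length is flagged for review.
    if minimum is None or not bits.isdigit() or int(bits) < minimum:
        found.add("Key Length")
    return found


def triage(export_text, today):
    """Merge exported and recomputed warnings; list the most-flagged certificates first."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        exported = {w.strip() for w in row["Warnings"].split(";") if w.strip()}
        local = recompute_warnings(row, today)
        findings.append({
            "name": row["Common Name"],
            "level": validation_level(row["Issuer"], row["Validation"]),
            "warnings": sorted(exported | local),
            # Conditions true on the day of review but absent from the export,
            # for example because the scan is older than the review date.
            "missed_by_export": sorted(local - exported),
        })
    findings.sort(key=lambda f: (-len(f["warnings"]), f["name"]))
    return findings


if __name__ == "__main__":
    # Fixed review date so the constructed sample gives stable output;
    # use date.today() against a real export.
    for f in triage(SAMPLE_EXPORT, date(2030, 6, 1)):
        print(f["name"], f["level"], f["warnings"], f["missed_by_export"])
```

Rows that appear under "missed_by_export" usually mean the scan is stale, so re-run the Certificate Discovery Tool before acting on them.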

     

    Reporting

    The Trend Micro SSL portal provides the ability to generate reports about the certificates or domains associated with your account.

    Note: You can create a maximum of 20 reports for your account.

    Add a report

    1. Go to the main Certificates tab and then click the Reporting sub-tab. The Reports page lists reports for all of the web applications that you administer.
    2. Click New Report.
    3. Enter this information on the "Create New Report" page and then click Continue:
      • Report Type: Select the type of report that you want to run: Certificate or Domain.
      • Report Name: Enter a name for the report, which will be listed in the list of reports.
      • Description: Add an optional brief description of the report that will help you to identify it in the list of reports.
    4. On the "Fields Included in Report" page, select the fields that you want to include in the report. Use the arrows between the two columns to move fields from one column to the other. Fields listed in the Selected Fields column will be included in the report. Use the arrows to the right of the Selected Fields column to change the order in which those fields will appear in the report. Click Continue.
    5. On the "Records Included in Report" page, you can filter the records that will be included in the report and specify how the report will be sorted:
      • To filter the set of records that are included in the report, add Record Selection Rules. To define a rule, select a field (such as "Status") from the first drop-down list. In the second drop-down list, select the condition (such as "is") that must be met. In the third control that appears, select or enter the search value (in this example, click the hand icon and select a Status, such as "Expiring"). To add another rule, click the green plus icon. In the list that appears, select either "AND" (meaning that both rules must be matched) or "OR" (meaning that records are returned if they match either rule), then define the additional rule.
      • In the Sort Records by Field area, specify which fields will be used for the sort order (Ascending or Descending).
    6. Click Continue.
    7. On the "Schedule Report" page, you can set a schedule to generate this report on a recurring basis. Setting a schedule is optional. To schedule a report, enter this information:
      • Schedule: Select how often you want to generate the report (Daily, Weekly, Monthly). By default, the schedule is set to "Disabled" and reports are not scheduled.
      • Start Date: Date when the first report will be generated.
      • Start Time: Time (in 24-hour clock format) when the first report will be generated
      • Recipients: Add a list of recipients who will receive the reports by entering their email addresses in the text box provided. Separate multiple email addresses with spaces, commas, semi-colons, or new lines.
    8. Click OK. The new report appears on the Reports page.

    Run a report

    1. Click the Reporting tab.
    2. Select the checkbox next to the report that you want to run and then click Run Report.
    3. The next page shows the report results. You can use the controls at the top of the page to narrow the records that are returned. A maximum of 100 records are displayed.
    4. To export the report, click Export. A maximum of 2000 records will be included in the report.
    5. Click Yes in the confirmation message that appears. You will be prompted to open or save the .CSV file when it is ready.

    Edit a report

    1. Click the Reporting tab.
    2. Click the name of the report that you want to edit.
    3. Edit the report as described in Add a report, above.

    Remove a report

    1. Click the Reporting tab.
    2. Select the checkbox next to the report that you want to remove and then click Delete Report.
    3. A confirmation message appears. Click Yes.

       

      Updating administration settings

      Manage your organization profiles

      Your company may have more than one organization that requires its own certificates and administrators, such as different country divisions. Global Administrators can create separate organization profiles for those organizations.

      The company information that you entered when you activated the account is used to create the first organization profile, in a Pending status.

      Note: You cannot delete organization profiles from your account.

      To see a list of the organization profiles defined for your account:

      1. Go to the Administration tab and then click the Profiles tab.
      2. By default, the organization profiles are sorted by profile name. There are three ways that you can filter the list of organization profiles:
        • Click a column heading to sort the table based on the data in that column.
        • Perform a search on all text in the table. In the search field in the upper-right corner of the tab, enter the search string and click the magnifying glass icon.
        • Use the Filter by Status drop-down list to display only profiles with a particular Status.
        • Note: Table sorting and filtering is maintained until the next time you sign in to the portal.

      3. The Organization Profiles page lists the following information for each profile. Global Administrators can see all organization profiles defined for the account. Other administrators can only see the organization profiles for which they have access permission.
        • Profile Name: "Friendly" name for the organization profile
        • Organization Name: Official name of the organization
        • Locality: City or locality where the organization is located
        • State/Province: State or province where the organization is located
        • Country: Country where the organization is located. Note: If the country is Japan, an additional field displays the Japanese organization name.
        • Type: Vetting level of the organization profile, which can be either OV or EV. Global and Primary administrators can request an upgrade of an OV organization profile to EV by clicking the "Up" arrow next to OV in the Type column.
        • Status: These are the possible organization profile statuses:
          • Pending: The request for an OV profile has been submitted but has not been vetted and approved yet. You cannot use this profile to order certificates.
          • Ready: The OV or EV profile has been vetted and is ready for use. You can use this profile to order certificates at the appropriate level.
          • Upgrading: The request for an upgrade to EV has been received, but vetting has not been completed yet. You can continue to use this profile to order OV certificates while the EV vetting is being completed.
          • Suspended: The organization profile has been suspended and cannot be used. You cannot use this profile to order certificates.
          • Re-vetting: The re-vetting process is underway but has not been completed yet. You can use this profile to order certificates at the appropriate level.
          • Expiring: The OV or EV profile is about to expire. You can use this profile to order certificates at the appropriate level.
          • Expired: The OV profile has expired and cannot be used. You cannot use this profile to order certificates.
          • Declined: The OV or EV profile could not be vetted and cannot be used. You cannot use this profile to order certificates.
        • Created: Date when the organization profile was created
        • Expires: Date when the organization profile will expire
        • Re-Vetting: Date when the organization profile will be eligible for re-vetting

      Add an organization profile

      All new organization profiles are vetted to the OV level. If you want an EV-level organization profile, first obtain an OV organization profile and then request an upgrade to EV.

      1. Go to the Administration tab and then click the Profiles tab.
      2. Click Add.
      3. On the Add New Organization Profile page, enter the following information in the top section of the page. Please make sure the information that you enter is accurate because the Trend Micro SSL vetting team will use it when verifying your organization:
        • Profile Name: "Friendly" name for the organization profile
        • Country: Select a country from the list. Note: If you select "Japan", an additional field is displayed, where you can enter a Japanese organization name.
        • Organization Name: Official name of the organization
        • Address 1: Address where the organization is located
        • Address 2: Optional second line of address
        • City/Locality: City or locality where the organization is located
        • State: State or province where the organization is located
        • Zip/Postal Code: Zip or Postal code for the organization
        • Phone Number: Main telephone number for the organization
        • Fax Number: Optional fax number for the organization
      4. In the Administrator Access area, you, as the requester, are automatically added as a Primary Administrator for the organization profile. You can specify which administrators can access this profile, and what administrator level they are. Each organization profile must have at least one Primary Administrator. Primary Administrators can request that the organization profile be upgraded from OV to EV. They can create and approve certificate requests for the organization profile. They can also revoke certificates and mark certificates as unused. Primary Administrators also receive notifications for the organization profile. Standard Administrators cannot make changes to the organization profile. They can create certificate requests for the organization profile and can approve certificate requests if Allow Standard Administrators to approve certificate requests is enabled. They can also revoke certificates and mark certificates as unused if Allow Standard Administrators to revoke certificates or set certificates as unused is enabled.

        To add a Primary administrator, select a name from the list on the left and click the arrow to add it to the Profile Primary Administrators list on the right. To add a Standard administrator, select a name from the list on the left and click the arrow to add it to the Profile Standard Administrators list on the right.

        To remove an administrator's access to the profile, select their name from the list on the right and click the arrow to move it to the Administrators without Profile access list. Each organization profile must have at least one Primary Administrator, so you cannot delete an administrator if they are the only Primary Administrator for an organization.

        Note: You cannot edit the Administrator Access while the organization profile is in a "Pending" state.

      5. In the Policies area, select any of these options that you want to apply to the profile:
        • Make this profile available in the certificate request portal: Allows non-administrators to use the Certificate Request Portal to request certificates for this profile. (See Enable and configure the Certificate Request Portal for additional information).
        • Allow Standard Administrators to approve certificate requests: Primary administrators can approve certificate requests. If you select this option, Standard administrators can also approve certificate requests for this profile.
        • Allow Standard Administrators to revoke certificates or set certificates as unused: Primary administrators can revoke certificates and mark certificates as unused. If you select this option, Standard administrators can also perform those actions for certificates created for this profile.
      6. In the Notifications area, you can edit these settings:
        • Language to use for notifications: Select either English or Japanese as the language to use for notification messages.
        • Include the Primary Administrators on all informational notifications: All Primary Administrators for your organization profile will receive all critical notification email messages for the organization profile. If you want the Primary Administrators to also receive all informational notification email messages for the organization profile, select the Include the Primary Administrators on all informational notifications option. This option is selected by default for new organization profiles.
        • Certificate Notifications: Select when you want to be notified of certificates that are about to expire. A notification is also sent the day before and on the day a certificate expires. By default, the certificate requester will receive notifications. If you also want the certificate approver to receive the notifications, select Copy certificate request approver on certificate notifications. You can add other notification recipients by entering their email addresses in the text box provided. Separate multiple email addresses with spaces, commas, semi-colons, or new lines.
        • Domain Notifications: Domain notifications are sent for actions such as adding new domains, domain vetting completion, and warnings when domains are about to expire. By default, the domain requester and all primary administrators will receive notifications. You can add other notification recipients by entering their email addresses in the text box provided. Separate multiple email addresses with spaces, commas, semi-colons, or new lines.
      7. Click Add. A notification message appears, stating that the organization profile has been created. Click OK.

      The status of the organization profile will be "Pending" until it has been vetted by the Trend Micro SSL vetting team. Once it has been validated to the OV level, the status changes to "Ready" and you can begin to request OV certificates for the profile. At that point, you can also request an upgrade of the organization profile from OV to EV, if you want to be able to request EV certificates for it. (See About OV and EV certificates and Upgrade an organization profile to issue EV certificates.)

      Edit an organization profile

      1. Go to the Administration tab and then click the Profiles tab.
      2. Click a Profile Name to open the Edit Organization Profile page.
      3. You can edit:
        • In the Organization Information area, you can edit the Profile Name (friendly name) of the organization profile.
        • If the organization profile has undergone vetting to the OV level, you can click Request EV to request that the organization profile be upgraded so that it can be used to obtain EV certificates. (See Upgrade an organization profile to issue EV certificates for details.)
        • If you have already requested an upgrade to EV, the EV Contacts area contains information about the EV Requester and EV Contract Signer, as well as the date and time that the request was submitted and when it was approved by the contract signer. If the request has not been approved yet, you can click Cancel to cancel the request or Resend to send another approval email to the contract signer.
        • In the Administrator Access area, you, as the requester, are automatically added as a Primary Administrator for the organization profile. You can specify which administrators can access this profile, and what administrator level they are. Each organization profile must have at least one Primary Administrator. Primary Administrators can request that the organization profile be upgraded from OV to EV. They can create and approve certificate requests for the organization profile. They can also revoke certificates and mark certificates as unused. Primary Administrators also receive notifications for the organization profile. Standard Administrators cannot make changes to the organization profile. They can create certificate requests for the organization profile and can approve certificate requests if Allow Standard Administrators to approve certificate requests is enabled. They can also revoke certificates and mark certificates as unused if Allow Standard Administrators to revoke certificates or set certificates as unused is enabled.

          To add a Primary administrator, select a name from the list on the left and click the arrow to add it to the Profile Primary Administrators list on the right. To add a Standard administrator, select a name from the list on the left and click the arrow to add it to the Profile Standard Administrators list on the right.

          To remove an administrator's access to the profile, select their name from the list on the right and click the arrow to move it to the Administrators without Profile access list. Each organization profile must have at least one Primary Administrator, so you cannot delete an administrator if they are the only Primary Administrator for an organization.

          Note: You cannot edit the Administrator Access while the organization profile is in a "Pending" state.

        • In the Policies area, select any of these options that you want to apply to the profile:
          • Make this profile available in the certificate request portal: Allows non-administrators to use the Certificate Request Portal to request certificates for this profile. (See Enable and configure the Certificate Request Portal for additional information).
          • Allow Standard Administrators to approve certificate requests: Primary administrators can approve certificate requests. If you select this option, Standard administrators can also approve certificate requests for this profile.
          • Allow Standard Administrators to revoke certificates or set certificates as unused: Primary administrators can revoke certificates and mark certificates as unused. If you select this option, Standard administrators can also perform those actions for certificates created for this profile.
        • In the Notifications area, you can edit these settings:
          • Language to use for notifications: Select either English or Japanese as the language to use for notification messages.
          • Include the Primary Administrators on all informational notifications: All Primary Administrators for your organization profile will receive all critical notification email messages for the organization profile. If you want the Primary Administrators to also receive all informational notification email messages for the organization profile, select the Include the Primary Administrators on all informational notifications option. This option is selected by default for new organization profiles.
          • Certificate Notifications: Select when you want to be notified of certificates that are about to expire. A notification is also sent the day before and on the day a certificate expires. By default, the certificate requester will receive notifications. If you also want the certificate approver to receive the notifications, select Copy certificate request approver on certificate notifications. You can add other notification recipients by entering their email addresses in the text box provided. Separate multiple email addresses with spaces, commas, semi-colons, or new lines.
          • Domain Notifications: Domain notifications are sent for actions such as adding new domains, domain vetting completion, and warnings when domains are about to expire. By default, the domain requester and all primary administrators will receive notifications. You can add other notification recipients by entering their email addresses in the text box provided. Separate multiple email addresses with spaces, commas, semi-colons, or new lines.
      4. Click Update.

      Upgrade an organization profile to issue EV certificates

      After you add an organization profile to your account, it is vetted to the OV level, which enables you to obtain OV certificates. You can choose to upgrade your organization profile to also issue EV certificates. Only Global and Primary administrators can request a profile upgrade.

      EV certificates go through the strictest authentication standards of any SSL certificate. Extended Validation verification guidelines, created by an independent body, require Trend Micro SSL to obtain and verify multiple pieces of identifying information about the Organization and Organization Contacts listed in the account setup. When users visit sites secured with EV certificates, their browser address bar turns green.

      1. Go to the Administration tab and then click the Profiles tab.
      2. Profiles that are eligible for upgrade have a Type that is OV and a Status that is Ready. Click the "up arrow" next to the OV Type for the profile that you want to upgrade.
      3. On the page that appears, review the organization information listed. Please ensure that it is correct because the Trend Micro SSL vetting team will use this information in the vetting process. If the information is incorrect, please contact Trend Micro SSL support to have it corrected. Click Continue.
      4. On the Certificate Requester/Approver page, review the contact information of the person who will be responsible for the requesting and approval of EV certificates for this account. Once an account is upgraded to EV, any administrator may request an EV certificate but the “Certificate Requester/Approver” will be deemed the final authority if Trend Micro SSL requires any additional information related to the request. Fill in the information about your place of business or select Same as Organization address and click Continue.
      5. On the Contact Signer page, enter the contact information of the person who has the authority to upgrade this account to EV. Fill in the information about the contract signer's place of business or select Same as Organization Address or Same as Certificate Requester/Approver Address. Click Continue.
      6. Review the information on the Confirmation page and click Approve. Click OK on the confirmation message that appears.
      7. The contract signer will receive an email that they can use to review and approve the Trend Micro SSL Extended Validation Terms of Service. After the Terms of Service have been accepted, the Trend Micro SSL vetting team will perform the EV-level vetting required for the organization and for any domains that you requested for upgrade to EV. While the vetting is in progress, the Status of the organization profile is Pending. When it is complete, you will receive an email message and the Status of the organization profile will change to Ready and the Type to EV.

      If you need to cancel the upgrade request or resend the email to the contract signer, you can do so from the Profiles page. (See Edit an organization profile.)

      Export a list of organization profiles

      You can export a comma-separated report (CSV file) that lists organization profiles. You can then open the CSV file in a spreadsheet.

      1. Go to the Administration tab and then click the Profiles tab.
      2. Display the organization profiles that you want to include in the CSV file. The CSV file will include all of the profiles that are displayed in the table.
      3. Click Export. The Profiles.csv file is saved to your computer.

Enable and configure the certificate request portal

The Certificate Request Portal enables non-administrators who cannot sign in to Trend Micro SSL to use a web page to request certificates. This is especially useful if some of your IT services are handled by an outside company. Those users can request a certificate, but the request must still be approved by an internal administrator - either a Primary administrator or a Standard administrator, depending on the permissions set for the organization profile. You can also customize the look of the Certificate Request portal.

  1. Go to the Administration tab and then click the Request Portal tab.
  2. In the Contact Email box, provide an email address that Certificate Request Portal users can contact in case they have questions or problems.
  3. Click Enable. A confirmation message appears, displaying the URL of the Certificate Request Portal. Click OK.
  4. The Portal URL box displays the URL where users can find the Certificate Request Portal. Click Try Now at any time to see the portal.
  5. You can customize the look of the portal by changing the Header String displayed at the top of the portal. If you want to use your own logo instead of the Trend Micro logo, select Use your logo and click Upload to select the image file. The logo must be a JPG or PNG file that will display in a 300 x 35 pixel box.
  6. To increase security on the Certificate Request Portal, select Enable email address domain filtering and enter a list of email address domains for users who are allowed to use the portal. We also recommend that you select the Require Captcha for certificate request portal access checkbox. When both of these measures are enabled, users will sign in to the portal using their email address and will type a captcha to avoid scripted attacks.
  7. Click Update.

Viewing notifications

Notification messages are created when certain events happen with your account, such as adding a new domain. Important notifications are emailed to the account’s Primary Administrators, and all notifications are displayed on the Notifications tab in the Trend Micro SSL portal.

  1. Go to the Administration tab and then click the Notifications tab.
  2. In the Show list, select whether to display notifications for the last 30, 60, or 90 days. You can only see notifications regarding organization profiles for which you are an administrator.
  3. By default, the notifications are listed by date, with the newest notifications at the top of the list. You can change the sort order by clicking any of the column headings.

    When the notification is regarding a certificate, the Profile column displays the Organization Profile for which the certificate was issued. If the notification is a general account notification, the Profile is blank.

    There are two priority levels for notifications:

    Informational: Notifications that let you know when there have been changes to the account.

    Critical: High-priority notifications that provide warnings, such as when a certificate is about to expire.

  4. To see details about a notification, click the Subject of the notification. The Notification Details page appears.

Manage your account's administrators

Your company's account can (and should) have more than one administrator. These are the types of administrators that you must assign to your account:

Global Administrator: These administrators have full account privileges. They can add, modify, and remove administrators. They can also add and modify organization profiles. Only Global Administrators can enable, disable, and modify the Certificate Request Portal. The person who activated your company's account was added as a Global Administrator.

Certificate Administrator: These administrators cannot add, modify, or remove administrators and they cannot add organization profiles. Each organization profile will have its own set of Certificate Administrators. An administrator's privileges within the organization profile depend on which type of Certificate Administrator they are in that organization - Primary Administrator or Standard Administrator:

  • Primary Administrator: Each organization profile must have at least one Primary Administrator. Primary Administrators can request that the organization profile be upgraded from OV to EV. They can create and approve certificate requests for the organization profile. They can also revoke certificates and mark certificates as unused. Primary Administrators also receive notifications for the organization profile.
  • Standard Administrator: Standard Administrators cannot make changes to the organization profile. They can create certificate requests for the organization profile and can approve certificate requests if Allow Standard Administrators to approve certificate requests is enabled for the organization profile. They can also revoke certificates and mark certificates as unused if Allow Standard Administrators to revoke certificates or set certificates as unused is enabled for the organization profile.

Note: Someone may be one type of administrator for a profile, and a different type of administrator (or have no administrator privileges) for another.

View a list of account administrators

  1. Go to the Administration tab and then click the Administrators tab.
  2. The Administrators page appears, displaying a list of administrator names, their email addresses, and statuses. These are the statuses that may appear in the Status column:
    • Active: The administrator has completed the email confirmation and enrollment.
    • Pending: The administrator has been added but has not completed the email confirmation and enrollment.

Add an administrator

  1. Go to the Administration tab and then click the Administrators tab.
  2. On the Administrator page, click Add. The Add New Administrator page appears.
  3. Fill the fields in the Contact Information area.
  4. Click Role and Permissions.
  5. Select an Administrator Role, either Global Administrator or Certificate Administrator. The differences between Global and Certificate Administrators are described in "Manage your account's administrators", above.
  6. Specify which organization profiles the administrator will be able to access:
    • Click the Profiles button. The Organization Profile access page appears.
    • Each of the organization profiles associated with your account is listed on this page. To give the administrator access to an organization profile, click the Add button for that profile. In the Role list, select either Primary Administrator or Standard Administrator.
    • You can specify access rights and a role for each of the organization profiles. To remove access to an organization profile, click the Remove button for that profile.
    • Click Update to save the changes.
  7. Click Add. The status of the administrator is listed as “Pending” until the recipient clicks the link and completes their setup. (See Complete an administrator setup for details.)

Edit an administrator

  1. Go to the Administration tab and then click the Administrators tab.
  2. On the Administrator page, click the name of the administrator that you want to edit. The Edit Administrator page appears.
  3. You can edit the administrator's contact information, administrator type, and organization profile access as described in Add an administrator, above. You cannot edit the administrator's email address.
  4. Click Update.

Delete an administrator

Be careful when deleting administrators because this operation cannot be undone. Each organization profile must have at least one Primary Administrator, so you cannot delete an administrator if they are the only Primary Administrator for an organization.

  1. Go to the Administration tab and then click the Administrators tab.
  2. On the Administrator page, select the checkbox next to the administrator that you want to delete and then click Delete.
  3. Read the confirmation message that appears and click OK.

Export a list of administrators

You can export a comma-separated report (CSV file) that lists administrators. You can then open the CSV file in a spreadsheet.

  1. Go to the Administration tab and then click the Administrators tab.
  2. Click Export. The Administrators.csv file is saved to your computer.

Change your password

  1. Go to the Administration tab and then click the My Preferences tab.
  2. In the Change Password section, enter your current password, and then enter and re-enter your new password. Your password must be at least 8 characters long and must contain at least one of each of these types of characters:
    • numeric (for example, 1, 2, 3...)
    • alphabetic (for example, a, B, c...)
    • symbols (for example, #, $, !...)
  3. Click Update.

If you forget your password, you can set it using the instructions in Reset your password.

Update your contact information

  1. Go to the Administration tab and then click the My Preferences tab.
  2. Update your contact information and then click Update. Note that you cannot change your email address.

View information about your account and subscriptions

  1. Go to the Administration tab and then click the Account tab.
  2. The Account tab displays general information about your account, along with information about your Trend SSL product subscriptions.

    You can also use the Account tab to adjust the time zone for your account. This time zone will be used for the date and time values shown in email notifications for your account, such as certificate expiration dates and times.