During installation, Deep Security Manager automatically generates a self-signed X.509 certificate so that you can use TLS during your first connection to the console. Because web browsers do not know this self-signing certificate authority (CA), they cannot validate the certificate's signature, and therefore do not automatically trust it. The browser displays a security alert and asks you to manually validate the certificate in order to connect. To avoid this every time an administrator connects, you can replace this default certificate with a certificate from a trusted CA.
WARNING
If you replace the default certificate with an invalid certificate, or with one that has an incomplete certificate signing chain, then you cannot connect to the Deep Security Manager console until you correct it. Before replacing the certificate, carefully read the instructions.
Note
The certificates are kept when you upgrade Deep Security Manager. You do not need to upload them again.
To replace the certificate, do one of the following:

Generate the private key and Java keystore

Many public and private CAs have a website that can generate a public and private key pair and certificate signing request (CSR) at the same time. For example, you can generate the key pair and CSR at the same time in Microsoft Active Directory or an openssl CA, and then download and import the PKCS #12 file with both the signed certificate and private key into the Java keystore.
If you want to do that, then skip the next steps and Request a signed certificate (CSR), and then continue with Import the signed certificate into the keystore. Otherwise, use these steps to locally generate the files.
  1. On the computer where Deep Security Manager is running, open a command prompt as an administrator.
  2. Enter the commands to generate a new private key and keystore file.
    In the following command example, the keystore entry (alias) for the new private key is named tomcat.
    Note
    A certificate's Common Name (CN) or Subject Alternative Name (SAN) field often must be different from the domain name that appears in your browser's location bar.
    For example, the URL in your browser's location bar might show https://dsm2.infosec.example.com, but you want to use the same certificate for all of your Deep Security Manager nodes, so you make a wildcard certificate with the common name (CN) *.infosec.example.com.
    • Linux:
      cd /opt/dsm/jre/bin 
      keytool -genkey \ 
      -alias tomcat \ 
      -keystore ~/.keystore \ 
      -keyalg RSA \ 
      -validity 365 \ 
      -keysize 2048 \ 
      -dname "cn=dsm.example.com, ou=IT, o=Trend Micro, l=Ottawa, s=Ontario, c=CA" 
    • Windows:
      cd "C:\Program Files\Trend Micro\Deep Security Manager\jre\bin" 
      keytool -genkey ^ 
      -alias tomcat ^ 
      -keystore C:\Users\Administrator\.keystore ^ 
      -keyalg RSA ^ 
      -validity 365 ^ 
      -keysize 2048 ^ 
      -dname "cn=dsm.example.com, ou=IT, o=Trend Micro, l=Ottawa, s=Ontario, c=CA" 
      Note
      The example command uses Command Prompt (cmd.exe) syntax. If you use PowerShell instead, then replace the carets (^) with backticks (`).
    For more information about the keytool command, see the Java keytool documentation.
  3. Enter a password that Deep Security Manager will use to access the keystore. In the example commands, this is shown as YOUR_PASSWORD.
  4. Enter the command to export the keystore in PKCS #12 format.
    In this command example, the name of the exported file is .YOUR_PKCS12_EXPORTED_KEYSTORE.
    • Linux:
      keytool -importkeystore \ 
      -srckeystore ~/.keystore \ 
      -destkeystore ~/.YOUR_PKCS12_EXPORTED_KEYSTORE \ 
      -deststoretype pkcs12
    • Windows:
      keytool -importkeystore ^ 
      -srckeystore C:\Users\Administrator\.keystore ^ 
      -destkeystore "C:\Users\Administrator\.YOUR_PKCS12_EXPORTED_KEYSTORE" ^ 
      -deststoretype pkcs12 
    When prompted, enter a new password for the exported (destination) keystore, and then the password for the original (source) keystore.

Request a signed certificate (CSR)

Certificate signing request (CSR) files contain your unsigned certificate and public key. Ask a CA that your web browser trusts to sign it. The CA that signs your certificate can be either a root CA that is directly trusted by web browsers, or any intermediary CA that is directly or indirectly trusted by a root CA.
  1. Enter the command to use the PKCS #12 file to generate a CSR file.
    You can create a multiple-domain/Subject Alternative Name (SAN) certificate by specifying matching domain names and/or IP addresses in the san= field of the -ext extension parameter. If you don't need a SAN certificate, then omit the -ext parameter.
    For a multiple-domain/SAN certificate, browsers should ignore the CN field when validating the connection. Instead they use the SAN field that contains the comma-separated list of matching domain names and IP addresses. Required syntax is shown in the example command.
    • Linux:
      keytool -certreq \ 
      -alias tomcat \ 
      -keystore ~/.YOUR_PKCS12_EXPORTED_KEYSTORE \ 
      -file YOUR_CSR.csr \ 
      -keyalg RSA \ 
      -ext san=dns:dsm.example.com,dns:*.example.org,ip:10.10.10.5 
    • Windows:
      keytool -certreq ^ 
      -alias tomcat ^ 
      -keystore C:\Users\Administrator\.YOUR_PKCS12_EXPORTED_KEYSTORE ^ 
      -file YOUR_CSR.csr ^ 
      -keyalg RSA ^ 
      -ext san=dns:dsm.example.com,dns:*.example.org,ip:10.10.10.5 
  2. Upload the CSR file to your CA. When the request has been processed, download the signed certificate file.
  3. If you used an intermediary CA, and if your certificate is not in PKCS #7 format (it does not contain the signing chain), then also download the CA certificate and the certificates of all other CAs (if any) between it and the root CA.
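The san= value in the -ext parameter above has a fixed shape: a comma-separated list of dns: and ip: entries, with a wildcard allowed only as the leftmost label. The following helper is an added example, not part of keytool or Deep Security, that builds that value from a plain list of names, sorting each into dns: or ip: and rejecting entries a CA would refuse (malformed hosts, bare-TLD wildcards, invalid addresses). The certreq_argv function and its parameter names are assumptions made for this example; it returns the argv list for keytool -certreq so you can pass it to subprocess.run from the jre/bin directory.

```python
"""Build the -ext san=... argument for keytool -certreq (added example)."""
import ipaddress
import os
import re
from typing import Iterable, List

# One DNS label: 1-63 chars of letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _valid_hostname(name: str) -> bool:
    """Accept a hostname or a wildcard whose '*' is the whole leftmost label."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    labels = name.split(".")
    if labels[0] == "*":
        labels = labels[1:]
        if len(labels) < 2:          # "*.com" style wildcards are not issued
            return False
    if labels[-1].isdigit():         # an all-numeric last label is a broken IP, not a host
        return False
    return all(_LABEL.match(label) for label in labels)


def build_san_ext(names: Iterable[str]) -> str:
    """Return 'san=dns:...,ip:...' in the syntax keytool -ext expects.

    IP addresses are recognised with the ipaddress module; anything else must
    be a valid (possibly wildcard) hostname. Duplicates are dropped and host
    names lower-cased, so 'DSM.example.com' and 'dsm.example.com' become one entry.
    """
    entries: List[str] = []
    for raw in names:
        name = raw.strip()
        if not name:
            raise ValueError("empty SAN entry")
        try:
            entry = f"ip:{ipaddress.ip_address(name)}"
        except ValueError:
            if not _valid_hostname(name):
                raise ValueError(f"not a valid DNS name or IP address: {raw!r}") from None
            entry = f"dns:{name.lower()}"
        if entry not in entries:
            entries.append(entry)
    if not entries:
        raise ValueError("at least one SAN entry is required")
    return "san=" + ",".join(entries)


def certreq_argv(alias: str, keystore: str, csr_file: str, names: Iterable[str]) -> List[str]:
    """argv for keytool -certreq with a SAN extension (hypothetical helper)."""
    return [
        "keytool", "-certreq",
        "-alias", alias,
        "-keystore", os.path.expanduser(keystore),
        "-file", csr_file,
        "-keyalg", "RSA",
        "-ext", build_san_ext(names),
    ]


if __name__ == "__main__":
    # Constructed sample input matching the names used in this section.
    print(" ".join(certreq_argv("tomcat", "~/.YOUR_PKCS12_EXPORTED_KEYSTORE", "YOUR_CSR.csr",
                                ["dsm.example.com", "*.example.org", "10.10.10.5"])))
```

Because the SAN list is validated before keytool runs, a typo surfaces as a Python ValueError on your workstation instead of as a rejected CSR from the CA.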

Import the signed certificate into the keystore

Note
Browsers use the list of CA signatures that is added to the certificate (the signing chain, or chain of trust) to validate the certificate and determine whether it is safe for you to connect. They evaluate each CA certificate in order. You must import all of the CA certificates in the correct order, as shown in the following instructions.
If the list of signatures is not in order, then web browsers cannot validate your certificate, and will block connections to the console until you correct it.
  1. If the root CA is already in the keystore, skip this step. Otherwise enter the command to import it.
    Tip
    If you don't know what is in the keystore, you can view the contents (on Windows, use the C:\Users\Administrator\ path to the keystore instead):
    keytool -list -v -keystore ~/.YOUR_PKCS12_EXPORTED_KEYSTORE 
    In this command example, the certificates are in .crt format and the keystore entry (alias) for the root CA is named rootCA.
    • Linux:
      keytool -import \ 
      -alias rootCA \ 
      -file ~/YOUR_ROOT_CA.crt \ 
      -keystore ~/.YOUR_PKCS12_EXPORTED_KEYSTORE \ 
      -storepass YOUR_PASSWORD 
    • Windows:
      keytool -import ^ 
      -alias rootCA ^ 
      -file c:\Users\Administrator\YOUR_ROOT_CA.crt ^ 
      -keystore c:\Users\Administrator\.YOUR_PKCS12_EXPORTED_KEYSTORE ^ 
      -storepass YOUR_PASSWORD 
  2. If your intermediary CAs (if any) are already in the keystore, skip this step. Otherwise enter the commands to import them. Start with the one that was signed by the root CA, and end with the one that signed your certificate.
    • Linux:
      keytool -import \ 
      -alias intermediateCA \ 
      -trustcacerts \ 
      -file ~/YOUR_INTERMEDIARY_CA.crt \ 
      -keystore ~/.YOUR_PKCS12_EXPORTED_KEYSTORE \ 
      -storepass YOUR_PASSWORD 
    • Windows:
      keytool -import ^ 
      -alias intermediateCA ^ 
      -trustcacerts ^ 
      -file c:\Users\Administrator\YOUR_INTERMEDIARY_CA.crt ^ 
      -keystore c:\Users\Administrator\.YOUR_PKCS12_EXPORTED_KEYSTORE ^ 
      -storepass YOUR_PASSWORD 
  3. Enter the command to import your signed certificate.
    • Linux:
      keytool -import \ 
      -alias tomcat \ 
      -trustcacerts \ 
      -file ~/YOUR_SIGNED_CERTIFICATE.crt \ 
      -keystore ~/.YOUR_PKCS12_EXPORTED_KEYSTORE \ 
      -storepass YOUR_PASSWORD 
    • Windows:
      keytool -import ^ 
      -alias tomcat ^ 
      -trustcacerts ^ 
      -file c:\Users\Administrator\YOUR_SIGNED_CERTIFICATE.crt ^ 
      -keystore c:\Users\Administrator\.YOUR_PKCS12_EXPORTED_KEYSTORE ^ 
      -storepass YOUR_PASSWORD 
    If the import is successful, then this message appears:
    Certificate reply was installed in keystore
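The import order above (root, then each intermediary from the one signed by the root down to the one that signed your certificate, then your certificate) can be derived mechanically from the Subject and Issuer names of the files you downloaded. The following is an added example, not part of Deep Security or keytool, that walks the issuer links from the server certificate up to a self-signed root and emits the keytool -import commands in the order this section requires. It fails on an incomplete chain, the condition the WARNING at the top of the page describes. The CertInfo records are constructed sample data (the DNs, aliases and file names are assumptions); in practice you would fill them from keytool -printcert -file output.

```python
"""Derive the keytool import order for a certificate chain (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class CertInfo:
    alias: str     # keystore alias you intend to use for this certificate
    subject: str   # Subject DN, as printed by keytool -printcert
    issuer: str    # Issuer DN

    @property
    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


def import_order(leaf_subject: str, certs: List[CertInfo]) -> List[CertInfo]:
    """Return the certificates ordered root -> intermediaries -> server cert.

    Starting from the server certificate, each issuer DN is matched to another
    certificate's subject DN until a self-signed root is reached. A missing link
    (incomplete signing chain) or a loop raises ValueError before anything is imported.
    """
    by_subject = {c.subject: c for c in certs}
    if len(by_subject) != len(certs):
        raise ValueError("duplicate subject DN among the supplied certificates")
    if leaf_subject not in by_subject:
        raise ValueError(f"server certificate {leaf_subject!r} was not supplied")

    current = by_subject[leaf_subject]
    chain = [current]
    seen = {current.subject}
    while not current.is_self_signed:
        parent = by_subject.get(current.issuer)
        if parent is None:
            raise ValueError(f"incomplete signing chain: no certificate for issuer {current.issuer!r}")
        if parent.subject in seen:
            raise ValueError("cycle in issuer/subject links")
        seen.add(parent.subject)
        chain.append(parent)
        current = parent
    chain.reverse()   # keytool needs the root first, the server certificate last
    return chain


def keytool_import_commands(chain: List[CertInfo], keystore: str) -> List[str]:
    """One keytool -import line per certificate, in import order.

    Mirrors this section: the root is imported without -trustcacerts, every
    later certificate with it so keytool can link it to the entries already present.
    """
    cmds = []
    for cert in chain:
        trust = "" if cert.is_self_signed else "-trustcacerts "
        cmds.append(f"keytool -import -alias {cert.alias} {trust}"
                    f"-file {cert.alias}.crt -keystore {keystore} -storepass YOUR_PASSWORD")
    return cmds


# Constructed sample data standing in for three downloaded .crt files.
SAMPLE_CERTS = [
    CertInfo("tomcat", "CN=dsm.example.com, O=Trend Micro", "CN=Example Issuing CA"),
    CertInfo("rootCA", "CN=Example Root CA", "CN=Example Root CA"),
    CertInfo("intermediateCA", "CN=Example Issuing CA", "CN=Example Root CA"),
]

if __name__ == "__main__":
    ordered = import_order("CN=dsm.example.com, O=Trend Micro", SAMPLE_CERTS)
    for cmd in keytool_import_commands(ordered, "~/.YOUR_PKCS12_EXPORTED_KEYSTORE"):
        print(cmd)
```

Run it once with the intermediary removed from SAMPLE_CERTS and it stops with "incomplete signing chain" instead of producing an import list that would lock you out of the console.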

Configure Deep Security Manager to use the keystore

  1. Enter the commands to back up the configuration and old keystore files, replace the keystore file, and then update the keystore password:
    • Linux:
      cp /opt/dsm/configuration.properties /opt/dsm/configuration.properties.bak 
      cp /opt/dsm/.keystore /opt/dsm/.keystore.bak 
      cp ~/.YOUR_PKCS12_EXPORTED_KEYSTORE /opt/dsm/.keystore 
    • Windows:
      copy "C:\Program Files\Trend Micro\Deep Security Manager\configuration.properties" 
            "C:\Program Files\Trend Micro\Deep Security Manager\configuration.properties.bak" 
      copy "C:\Program Files\Trend Micro\Deep Security Manager\.keystore" 
            "C:\Program Files\Trend Micro\Deep Security Manager\.keystore.bak" 
      copy "c:\Users\Administrator\.YOUR_PKCS12_EXPORTED_KEYSTORE" 
            "C:\Program Files\Trend Micro\Deep Security Manager\.keystore" 
    Note
    You must overwrite the default keystore file in its original location. Don't configure the path to point to a new filename or different location instead. Deep Security Manager upgrades do not keep keystore path changes, and this will undo the change.
  2. In a plaintext editor, open the configuration.properties file and update the keystore password setting:
    keystorePass=YOUR_PASSWORD
  3. Restart the Deep Security Manager service.
  4. To verify that the manager now uses the new certificate, open a web browser and connect to the Deep Security Manager console. Click the padlock icon in the location bar and examine the certificate details, such as its SHA-256 fingerprint.
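Steps 1 and 2 of this section (back up the configuration and old keystore, overwrite .keystore in place, set keystorePass) are easy to script so that a rollback copy always exists before the live keystore is touched. The following is an added example, not part of Deep Security, that does exactly those steps against a directory laid out like the install directory above; install_keystore, read_property and demo are hypothetical names. demo() runs it on a constructed scratch copy with placeholder file contents; for a real run, pass /opt/dsm (or the Windows install directory) as dsm_home, then restart the service as in step 3.

```python
"""Back up, replace the keystore and update keystorePass (added example)."""
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import Optional


def read_property(config: Path, key: str) -> Optional[str]:
    """Return the value of key from a Java .properties file, or None if absent."""
    for line in config.read_text(encoding="utf-8").splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return value.strip()
    return None


def install_keystore(dsm_home: Path, new_keystore: Path, keystore_pass: str) -> dict:
    config = dsm_home / "configuration.properties"
    keystore = dsm_home / ".keystore"
    if not config.is_file():
        raise FileNotFoundError(f"no configuration.properties under {dsm_home}")

    # 1. Back up the configuration and the old keystore before touching anything;
    #    a bad keystore locks you out of the console until the backup is restored.
    config_bak = config.with_name(config.name + ".bak")
    keystore_bak = keystore.with_name(keystore.name + ".bak")
    shutil.copy2(config, config_bak)
    if keystore.exists():
        shutil.copy2(keystore, keystore_bak)

    # 2. Overwrite .keystore in its original location. Upgrades discard a changed
    #    keystore path, so the manager is never pointed at a differently named file.
    shutil.copy2(new_keystore, keystore)
    os.chmod(keystore, stat.S_IRUSR | stat.S_IWUSR)  # owner-only; only the read-only bit matters on Windows

    # 3. Rewrite keystorePass in place, keeping every other setting and its order.
    #    Write to a temp file and rename so a crash cannot leave a half-written file.
    lines = config.read_text(encoding="utf-8").splitlines()
    replaced = False
    for i, line in enumerate(lines):
        if line.partition("=")[0].strip() == "keystorePass":
            lines[i] = f"keystorePass={keystore_pass}"
            replaced = True
    if not replaced:
        lines.append(f"keystorePass={keystore_pass}")
    tmp = config.with_name(config.name + ".tmp")
    tmp.write_text("\n".join(lines) + "\n", encoding="utf-8")
    os.replace(tmp, config)

    return {"config_backup": config_bak, "keystore_backup": keystore_bak, "keystore": keystore}


def demo() -> dict:
    """Exercise install_keystore on a constructed scratch layout and report what changed."""
    with tempfile.TemporaryDirectory() as scratch:
        home = Path(scratch) / "dsm"
        home.mkdir()
        # Constructed stand-ins for the real files; the keystore bytes are not a real PKCS #12.
        (home / "configuration.properties").write_text(
            "serviceName=Trend Micro Deep Security Manager\nkeystorePass=OLD_PASSWORD\n",
            encoding="utf-8")
        (home / ".keystore").write_bytes(b"OLD-KEYSTORE-BYTES")
        new_ks = Path(scratch) / ".YOUR_PKCS12_EXPORTED_KEYSTORE"
        new_ks.write_bytes(b"NEW-PKCS12-KEYSTORE-BYTES")

        result = install_keystore(home, new_ks, "YOUR_PASSWORD")
        config = home / "configuration.properties"
        return {
            "new_pass": read_property(config, "keystorePass"),
            "old_pass_in_backup": read_property(result["config_backup"], "keystorePass"),
            "service_name_kept": read_property(config, "serviceName"),
            "keystore_replaced": (home / ".keystore").read_bytes() == b"NEW-PKCS12-KEYSTORE-BYTES",
            "old_keystore_saved": result["keystore_backup"].read_bytes() == b"OLD-KEYSTORE-BYTES",
        }


if __name__ == "__main__":
    print(demo())
```

If the console refuses connections after the restart, copying configuration.properties.bak and .keystore.bak back over the live files returns the manager to the state it was in before the script ran.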

Regenerate self-signed certificates in Deep Security Manager (summary)

Before regenerating a self-signed certificate, back up the old .keystore and configuration.properties files by executing the following commands:
Linux:
cp /opt/dsm/configuration.properties /opt/dsm/configuration.properties.bak
cp /opt/dsm/.keystore /opt/dsm/.keystore.bak
Windows:
copy "C:\Program Files\Trend Micro\Deep Security Manager\configuration.properties" "C:\Program Files\Trend Micro\Deep Security Manager\configuration.properties.bak"
copy "C:\Program Files\Trend Micro\Deep Security Manager\.keystore" "C:\Program Files\Trend Micro\Deep Security Manager\.keystore.bak"
Create a new .keystore, as follows:
  • Linux:
    1. On the computer where Deep Security Manager is installed, open the command prompt as an administrator and navigate to the /opt/dsm/jre/bin directory.
    2. Execute the following command, replacing the cn value to match your Deep Security Manager:
      keytool -genkey -alias tomcat -keystore ~/.keystore -keyalg RSA -validity 365 -keysize 2048 -dname "cn=dsm.example.com, ou=IT, o=Trend Micro, l=Ottawa, s=Ontario, c=CA"
    3. When prompted, enter a password that you will later set in the /opt/dsm/configuration.properties file for the keystorePass value.
    4. When prompted, enter a key password for the tomcat entry, or press Enter to use the same password as the keystore file.
    5. Copy the new keystore to the correct location by executing the following command: cp ~/.keystore /opt/dsm/.keystore
    6. In the /opt/dsm/configuration.properties file, set the keystore password for the keystorePass value, and then save the file.
    7. Restart Deep Security Manager.
    8. Verify that the browser can validate the certificate.
  • Windows:
    1. On the computer where Deep Security Manager is installed, open the command prompt as an administrator and navigate to the C:\Program Files\Trend Micro\Deep Security Manager\jre\bin directory.
    2. Execute the following command, replacing the cn value to match your Deep Security Manager:
      keytool -genkey -alias tomcat -keystore C:\Users\Administrator\.keystore -keyalg RSA -validity 365 -keysize 2048 -dname "cn=dsm.example.com, ou=IT, o=Trend Micro, l=Ottawa, s=Ontario, c=CA"
    3. When prompted, enter a password that you will later set in the C:\Program Files\Trend Micro\Deep Security Manager\configuration.properties file for the keystorePass value.
    4. When prompted, enter a key password for the tomcat entry, or press Enter to use the same password as the keystore file.
    5. Copy the new keystore to the correct location by executing the following command:
      copy "c:\Users\Administrator\.keystore" "C:\Program Files\Trend Micro\Deep Security Manager\.keystore"
    6. In the C:\Program Files\Trend Micro\Deep Security Manager\configuration.properties file, set the keystore password for the keystorePass value, and then save the file.
    7. Restart Deep Security Manager.
    8. Verify that the browser can validate the certificate.