This section describes how to replace the default TMWS CA certificate with your company's CA certificate for HTTPS decryption on the on-premises gateway. Your own CA certificate will take precedence over the CA certificate you have configured on the management console.

Procedure

  1. Log in to the ESXi server of the on-premises gateway as the root user through the command console.
  2. Check the following:
    • If you have your own CA certificate, ensure the files that carry the private key, passphrase, and certificate content are available on the machine, and change their names to default_key.cer, .default.passphrase, and default.cer respectively.
    • If you do not have your own CA certificate, perform the following steps to generate the key, passphrase, and certificate files.
      1. Run the following openssl command and specify a password when prompted to generate the HTTPS private key file:
        openssl genrsa -des3 -out default_key.cer 2048
      2. Run the following openssl command and type the password that you have specified in the previous step when prompted to generate the CA certificate file:
        openssl req -x509 -days <validity period in days> -new -key default_key.cer -out default.cer
        Note
        Trend Micro recommends that you generate your CA certificate with a longer validity period, for example, 20 years.
      3. Run the following shell command to generate the .default.passphrase file:
        /usr/iwss/bin/encpw your_password > .default.passphrase
      Important
      The file names must be default_key.cer, .default.passphrase, and default.cer and cannot be changed.
    • The administrator has a basic knowledge of openssl and shell commands.
  3. Locate the three files and copy them to the /opt/trend/iwss_usr/bin/ directory.
  4. Run the following command to replace the default CA certificate with your company's CA certificate:
    bash /opt/trend/iwss_usr/bin/use_default_ca.sh replace default.cer default_key.cer .default.passphrase
    Your company's CA certificate takes effect.
    Note
    Execution of this command leads to a proxy service reboot. Trend Micro recommends you run the command at a proper time to avoid affecting your service continuity.
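The following pre-flight check is an added example, not part of Trend Micro's tooling: before running use_default_ca.sh (which restarts the proxy service), it confirms that the three files exist under their required names, that the passphrase actually unlocks default_key.cer, that default.cer was issued for that key and is a CA certificate, and that it is not about to expire. It assumes openssl is on the PATH and that the passphrase is passed in plaintext; .default.passphrase is only checked for presence because the output format of encpw is not documented here.

```shell
#!/bin/sh
# check_tmws_ca DIR PASSPHRASE
# Verifies the replacement CA material in DIR (e.g. /opt/trend/iwss_usr/bin)
# before use_default_ca.sh is invoked. Prints "ok" on success, otherwise the
# first problem found, and returns non-zero.
check_tmws_ca() {
  dir="$1"
  pass="$2"

  # 1. The file names are fixed by the gateway and cannot be changed.
  for f in default_key.cer .default.passphrase default.cer; do
    [ -f "$dir/$f" ] || { echo "missing $dir/$f"; return 1; }
  done

  # 2. The passphrase must decrypt the private key (catches a typo now,
  #    not after the proxy has already been restarted).
  key_mod=$(openssl rsa -in "$dir/default_key.cer" -passin "pass:$pass" \
              -noout -modulus 2>/dev/null) \
    || { echo "passphrase does not unlock default_key.cer"; return 1; }

  # 3. default.cer must be a PEM certificate issued for that same key.
  cert_mod=$(openssl x509 -in "$dir/default.cer" -noout -modulus 2>/dev/null) \
    || { echo "default.cer is not a PEM certificate"; return 1; }
  [ "$key_mod" = "$cert_mod" ] \
    || { echo "default.cer does not match default_key.cer"; return 1; }

  # 4. HTTPS decryption needs a CA certificate: basicConstraints CA:TRUE.
  openssl x509 -in "$dir/default.cer" -noout -text 2>/dev/null \
    | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE' \
    || { echo "default.cer is not a CA certificate (CA:TRUE missing)"; return 1; }

  # 5. Warn if the certificate expires within 30 days (2592000 seconds).
  openssl x509 -in "$dir/default.cer" -noout -checkend 2592000 >/dev/null 2>&1 \
    || { echo "default.cer expires within 30 days"; return 1; }

  echo "ok"
}

# Usage: sh check_tmws_ca.sh /opt/trend/iwss_usr/bin 'your_password'
if [ "$#" -eq 2 ]; then
  check_tmws_ca "$1" "$2"
fi
```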

What to do next

If you need to stop using your company's CA certificate, run the following command:
bash /opt/trend/iwss_usr/bin/use_default_ca.sh disable
The CA certificate that you have configured on the management console applies immediately.
If you need to reuse your company's CA certificate, run the following command:
bash /opt/trend/iwss_usr/bin/use_default_ca.sh enable
Your company's CA certificate applies immediately.
Note
Execution of this command leads to a proxy service reboot. Trend Micro recommends you run the command at a proper time to avoid affecting your service continuity.