Cross-signing the CA Certificate for TMWS Cloud Proxy

By default, TMWS acts as a private Certificate Authority (CA) and uses a default root CA certificate that is sent to client browsers to complete a secure session for HTTPS connection. However, because the default CA certificate is not signed by a trusted CA on the Internet, the client browsers will display a certificate warning each time users access an HTTPS website. Although users can safely ignore the certificate warning, Trend Micro recommends using a cross-signed CA certificate if you have your own certificate.

TMWS allows administrators to cross-sign your organization's own CA certificate with the Certificate Signing Request (CSR) file provided by Trend Micro, and upload the cross-signed certificate on the TMWS management console. Cross-signing the CA certificate establishes a trusted relationship between the TMWS CA certificate and your organization's own CA certificate.

This section describes how to cross-sign your CA certificate with the CSR file for use by the cloud proxy.

  1. Check the following:
    • Your organization's CA certificate and the corresponding CA private key and its passphrase are already available.

    • The Path Length Constraint in your organization's CA certificate is set to None, so that there is no restriction on the CA certificates down in the hierarchy.

    • The administrator has a basic knowledge of openssl commands.

  2. Create a folder named CrossSignTMWSCA_cloud.
    Note:

    The names of the folders and files created in this section are user customizable.

  3. Go to the newly created folder.
  4. Create a subfolder named newcerts.
  5. Create an empty file named certindex.
  6. Create a file, copy and paste the following text, and then save it as serialfile:
    000a
  7. Create a file, copy and paste the following text into the file, and then save it as tmws_ca.csr:
    -----BEGIN CERTIFICATE REQUEST-----
    MIIEwjCCAqoCAQAwfTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQH
    DAJDVTEUMBIGA1UECgwLVHJlbmQgTWljcm8xDTALBgNVBAsMBFRNV1MxLzAtBgNV
    BAMMJlRyZW5kIE1pY3JvIFdlYiBTZWN1cml0eSBDbG91ZCBSb290IENBMIICIjAN
    BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuHcSU43KYws7UxoyfH8RcnaO0cr/
    HETn3npjrKxWy3+L8/RSPg/KjUgZhVIqcYgef40rsNoNrM67UwdRxlDpr7qKT47P
    ZFaIwMCpfqPFHYvnz7JlcomfeY576ksnMZ87X7ThK3ZqXAuuTUHeDUXep9QAWmPM
    Jwq15xGfPf28AR8jEfF8V0xbFHbyMYQyKpzbPDUGAgiLgKGiDsYkEpi65FfOGNKH
    jauQ+s1BlO/j9MLtp2Jf9me27iSyluD+ATo93a7Z3vlHBIyazENhPG7yJa971DBy
    8FUhKWrrn1Nv2VBCT+4bVpKAvoIqhbFFytBcTRfq0dRMPmiB9ug2BjxDry5Uucko
    8jMT2aN96M+Jm5Rlaq9W/ci7jkVgwDAAPtGDum8Eyxt38CRkmfFcMpXMOnPBdaDc
    vTXwIU+TSd2g8nJqHlD19Ijb1QuoRzA+45ByparF5/1QvPhd9nHKBUN+foNZJXBX
    dKBPtycjjL+8zeS3KXA2qo5gn2B6BOsG67O4/4uAEqEB7WsLpdCaKk4zrA5fiNyB
    arRsXY6ueuEnwkupxyswldzihj2/HNZtdk1pZQo9PIUe4PmuSoBJxvQwyBJ+AI9h
    OJ6UpTsS/UX9ei0z87ZBiLKPh4zUjZtPzI4UQErv3QigG/v+fnMmhEAOY0lTQfpq
    WoBsADZyLwzpZh0CAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4ICAQCM/LyutXY4wDst
    LAO2W/xJIkG6+gT5Y++Yql7xoCuHvpr4sNGOuT3tY1XAiWLu86fQTLO5m70MzVYq
    14fcAYhRzzv1WJNbzAxzSzagV5J01l9LsfRA8z1gBvFUfN4PmGoUfkx2pAFFPDt2
    BOyZX/3TcZ8V/icRrhK36CZq8jMr2YMsA7zG3OVOLtYFZBa0JICcp9SWCc/6M4DG
    Rn2uNKMA69qq+xI1OkfcYxcxNf/Wlhwh7OEUVVyaeSglo/QFnq0TTmxxkWEpIsd8
    B5TB9vUAS+al7jkKtpSVYR9Z2i6lPhN8AZrNkBsqI1MNtq5+CPo2+WPH9gTwuC+J
    5Wu6UtrIUEatYuWUSGHNcDO6tmoxyLmE4g/AeyFERS5s6zUO7WRXJ5inYzr3JZAM
    1B3sJo957ue7PofHw5bIZKqc46uUaVJJD+G19MuAR1QOSfvqvXDVUsYliy5h6P+e
    p5JICIe/5j8xyb273s7GVEbpMz2ZvvNaZDwCcMWL1S7zohw4wH7jzml0X2kr0oYs
    vpcNfoug/4IKj8Y2PVMYJwJadXOGFZGo+L7YOI5Cb4+4pzhH8+TetXSzEEMkozW9
    4j7W64EfOZwaBv1XLqOwS3UoHTtB1ewsYoC2cyrJ6ypTqyPrGtbFnFYy2zmruLjA
    AFd65jMhNeeACg8sqfsfFOSmSluQ1A==
    -----END CERTIFICATE REQUEST-----
               
  8. Create a file, copy and paste the following text into the file, and then save it as a configuration file named myca.conf:
    [ca]
    default_ca = rootca
    
    [crl_ext]
    #issuerAltName=issuer:copy  #this would copy the issuer name to altname
    authorityKeyIdentifier=keyid:always
    
    [rootca]
    new_certs_dir = newcerts
    unique_subject = no
    certificate = root.cer  #Your organization's CA certificate
    database = certindex
    private_key = root.key  #Your organization's CA private key
    serial = serialfile
    default_days = 3660     #Should be at least two years from the date of cross-signing
    default_md = sha256     #sha256 is required.
    policy = myca_policy
    x509_extensions = myca_extensions
    
    [ myca_policy ]
    countryName = supplied
    stateOrProvinceName = supplied
    localityName = supplied
    organizationName = supplied
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional
    
    [ myca_extensions ]     #These extensions are required.
    basicConstraints = CA:true
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always
    keyUsage = keyCertSign, cRLSign
  9. Run the following command to cross-sign your organization's CA certificate using the CSR file: openssl ca -batch -config myca.conf -notext -days 7320 -in tmws_ca.csr -out tmws_ca.cer

    A cross-signed certificate named 0A.pem is generated under folder newcerts.

  10. Go to HTTPS INSPECTION > Decryption Rules and upload the certificate in the Cross-signed certificate for cloud part of the Certificate section of a decryption rule as necessary.