Cross-sign your CA certificate with the Certificate Signing Request (CSR) file provided by Internet Access for use by Internet Access Gateways.
Internet Access lets administrators cross-sign your organization's own CA certificate with the Certificate Signing Request (CSR) file provided by Trend Micro, and then upload the cross-signed certificate to the Trend Vision One management console. Cross-signing the CA certificate establishes a trusted relationship between the Trend Micro CA certificate and your organization's own CA certificate.
Internet Access provides different CSR files for the cloud gateway and on-premises gateways.
Your organization's CA certificate and the corresponding CA private key and its passphrase are already available.
The Path Length Constraint in your organization's CA certificate is set to None, so that there is no restriction on the CA certificates further down the hierarchy.
The administrator has a basic knowledge of openssl commands.
The names of the folders and files created in this section are customizable.
000a
    [ca]
    default_ca = rootca

    [crl_ext]
    #issuerAltName=issuer:copy  #this would copy the issuer name to altname
    authorityKeyIdentifier=keyid:always

    [rootca]
    new_certs_dir = newcerts
    unique_subject = no
    certificate = root.cer  #Your organization's CA certificate
    database = certindex
    private_key = root.key  #Your organization's CA private key
    serial = serialfile
    default_days = 3660  #Should be at least two years from the date of cross-signing
    default_md = sha256  #sha256 is required.
    policy = myca_policy
    x509_extensions = myca_extensions

    [ myca_policy ]
    countryName = supplied
    stateOrProvinceName = supplied
    localityName = supplied
    organizationName = supplied
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

    [ myca_extensions ]  #These extensions are required.
    basicConstraints = CA:true
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always
    keyUsage = keyCertSign, cRLSign
A cross-signed certificate named 0A.pem is generated in the newcerts folder.
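The script below is an added example, not Trend Micro's procedure. It turns the requirements stated above (sha256, the required extensions, at least two years of validity, no Path Length Constraint on your CA certificate) into checks, then rehearses the signing with throwaway keys. The openssl ca invocation, the names gateway.csr, gw.key and ca.conf, the subject values, and reliance on the system's default OpenSSL configuration for the throwaway root are assumptions; ca.conf repeats the configuration above without the [crl_ext] section, which signing does not use.

```shell
# Added example, not vendor code. Usage: check_cross_signed <cross-signed cert> <your CA cert>
check_cross_signed() {
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
  echo "$text" | grep -q 'Signature Algorithm: sha256' &&      # default_md
  echo "$text" | grep -q 'CA:TRUE' &&                          # basicConstraints
  echo "$text" | grep -q 'Certificate Sign, CRL Sign' &&       # keyUsage
  openssl x509 -in "$1" -noout -checkend $((730 * 86400)) >/dev/null &&  # two years left
  ! openssl x509 -in "$2" -noout -text | grep -q 'pathlen' &&  # no Path Length Constraint
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1             # signed by your CA
}
# Rehearsal in a scratch directory. root.key, root.cer and gateway.csr are constructed
# stand-ins for your CA material and the provided CSR; nothing real is touched.
rehearse_cross_sign() (
  work=$(mktemp -d) && cd "$work" || exit 1
  trap 'rm -rf "$work"' EXIT
  mkdir newcerts && : > certindex && echo 000a > serialfile || exit 1
  cat > ca.conf <<'EOF'
[ca]
default_ca = rootca
[rootca]
new_certs_dir = newcerts
unique_subject = no
certificate = root.cer
database = certindex
private_key = root.key
serial = serialfile
default_days = 3660
default_md = sha256
policy = myca_policy
x509_extensions = myca_extensions
[ myca_policy ]
countryName = supplied
stateOrProvinceName = supplied
localityName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ myca_extensions ]
basicConstraints = CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = keyCertSign, cRLSign
EOF
  dn='/C=US/ST=Example/L=Example/O=Example Org/CN'
  openssl req -x509 -newkey rsa:2048 -nodes -days 3660 -keyout root.key -out root.cer -subj "$dn=Example Root CA" 2>/dev/null || exit 1
  openssl req -new -newkey rsa:2048 -nodes -keyout gw.key -out gateway.csr -subj "$dn=Example Gateway CA" 2>/dev/null || exit 1
  openssl ca -batch -notext -config ca.conf -in gateway.csr >/dev/null 2>&1 || exit 1
  check_cross_signed newcerts/0A.pem root.cer
)
```

Run rehearse_cross_sign to confirm the configuration behaves as expected on your OpenSSL build, then run check_cross_signed newcerts/0A.pem root.cer against the real output before uploading it.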