
To resolve the issue, generate a certificate. Do any of the following:

  • Use a Windows Certificate Authority (CA).
  • Use your own self-signed certificate to be submitted to an official CA such as Verisign.
 
The procedure for importing the certificate on the IMSS Tomcat server is the same as when you use the Windows CA.

  1. Install the Microsoft CA. Check the MS documentation for this.
  2. Generate a self-signed certificate. The commands should be applicable for both Windows and Linux versions.
    1. Go to IMSS_HOME$/UI/javaJRE/bin, where IMSS_HOME$ is /opt/trend/imss on Linux or C:\Program Files\Trend Micro\IMSS\ on Windows.
    2. To create a self-signed certificate, run the following command:

      ./keytool -genkey -alias tomcat -keyalg RSA -keystore keystore_name

      The "./" part is for Linux/Solaris only. Disregard this if you are using Windows.

      The "keystore_name" can be any name. Keystore is just like a repository for certificates.

    3. You will be prompted to enter some information. Specify your website’s name at the first and last name prompt.

      Example: imss.example.com

      After executing the command, the file that you specified as "keystore_name" will be created and will contain the self-signed certificate.

    4. Create a local Certificate Signing Request (CSR) to be used for your Microsoft CA server using this command:

      ./keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore keystore_name

      You can specify any filename on the "-file" parameter and use the same keystore_name that you are working with.

  3. Copy the CSR file to the Microsoft CA server.
    1. On the Microsoft CA server, right click on CA server > All Tasks > Submit New Request. Look for the CSR file.
    2. Click on the Pending Request and right click the certificate on the list, and then click All Tasks > Select Issue. This will allow the CA server to validate the certificate.
    3. Go to the issued certificate. Right click on the certificate, and then click All Tasks > Export Binary Data.
    4. Select the option to save binary data to a file and then name the file with *.p7b extension. This extension is optional on most systems.
    5. Copy the generated file back to the IMSS server to import the certificate that will be used by the Tomcat server.
    6. Copy the certificate of the CA server:
      1. On the Microsoft CA server, right click on the server and then click Properties.
      2. On the General tab, select View Certificate > Details, and then select Copy to a file > leave the option as p7b format > Next.
      3. Specify a name or click Browse to specify a location.
      4. Click Next > Finish.
    7. Copy the generated *.p7b file to the IMSS server.
  1. Generate a self-signed certificate:

    The same commands should be applicable for both the Windows and Linux versions.

    1. Go to IMSS_HOME$/UI/javaJRE/bin

      IMSS_HOME$=/opt/trend/imss in Linux or C:\Program Files\Trend Micro\IMSS\ in Windows

    2. Run the following command to create a self-signed certificate:

      ./keytool -genkey -alias tomcat -keyalg RSA -keystore keystore_name

      For Windows systems, omit the "./" at the beginning of the command. This part of the command is for Linux/Solaris systems only.

      The keystore_name can be any name. Keystore is just like a repository for certificates.

    3. Provide the information asked for. When asked for the first and last name, we advise that you specify your website's name.

      Example: Imss.example.com

      After executing that command, a file you specified as ‘keystore_name’ will be created. It contains the self-signed certificate.

    4. Create a local Certificate Signing Request (CSR) to be used for your Microsoft CA server using this command (all in one line).

      ./keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore keystore_name

      You can specify any filename on the “-file” parameter and use the same keystore_name you had been working with.

  2. Submit the CSR to your preferred CA, such as VeriSign. In return, the CA will give you two certificates: the intermediate certificate (also known as the chain certificate) and your actual certificate.

Import the certificates on the IMSS Tomcat server

  1. Use the following command (all in one line) to import the MS CA's certificate:

    ./keytool -import -alias root -keystore keystore_name -trustcacerts -file filename_of_the_MS-CA_or_intermediate_certificate

  2. Use the following command (all in one line) to import the issued certificate:

    ./keytool -import -alias tomcat -keystore keystore_name -trustcacerts -file your_certificate_filename

For Central Controller configuration

  1. Open the /opt/trend/imss/UI/adminUI/conf/server.xml file using vi or any text editor. On Windows, use Notepad to open the server.xml file.
  2. Look for the Connector port="8445" parameter. There should be something like the following line below this parameter:

    keystoreFile="sslkey/.keystore"

  3. Change the path of the "keystoreFile=" to /opt/trend/imss/UI/javaJRE/bin/keystore_name or C:\Program Files\Trend Micro\IMSS\ui\javaJRE\bin\keystore_name.
  4. Change the keystore password to the new password if applicable:

    keystorePass="keystore_password"

    The password will be the one you specified when you created the self-signed certificate.

  5. Save and close the file.
  6. Restart the following:
    • For Linux, run the following commands:
      IMSS_HOME$/script/S99ADMINUI stop
      IMSS_HOME$/script/S99ADMINUI start
    • For Windows, restart the IMSS web console.

For EUQ console configuration

  1. Since the keystore has already been prepared, modify the server.xml file on the euqUI part:

    /opt/trend/imss/UI/euqUI/conf/server.xml

    The configuration for Central Controller should be applicable except that the port you will be looking for should be 8446.

  2. Restart the EUQ console:
    • For Linux, run the following commands:
      IMSS_HOME$/script/S99EUQ stop
      IMSS_HOME$/script/S99EUQ start
    • For Windows, restart the Trend Micro IMSS End User console.
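
A check to run on each edited server.xml before restarting the console, given here as an added example (not Trend Micro's code): it finds the Connector for the given port (8445 for the admin console, 8446 for EUQ) and reports whether keystoreFile points at the new keystore and keystorePass is set. The function name check_connector and the sample XML, including its Service name, are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample of the relevant server.xml fragment (not a real IMSS file).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Tomcat-Standalone">
    <Connector port="8445" scheme="https" secure="true"
               keystoreFile="sslkey/.keystore" keystorePass="keystore_password"/>
  </Service>
</Server>"""


def check_connector(server_xml_path, port, expected_keystore):
    """Return a list of problems with the HTTPS Connector on `port` (empty = OK)."""
    try:
        root = ET.parse(server_xml_path).getroot()
    except ET.ParseError as exc:
        # A typo such as a space inside an attribute name lands here.
        return ["server.xml is not well-formed: %s" % exc]
    connectors = [c for c in root.iter("Connector") if c.get("port") == str(port)]
    if not connectors:
        return ["no Connector with port=%s" % port]
    conn, problems = connectors[0], []
    keystore = conn.get("keystoreFile")
    if keystore is None:
        problems.append("keystoreFile attribute missing")
    elif os.path.normpath(keystore) != os.path.normpath(expected_keystore):
        problems.append("keystoreFile still points at %s" % keystore)
    elif not os.path.isfile(keystore):
        problems.append("keystore file %s does not exist" % keystore)
    if not conn.get("keystorePass"):
        problems.append("keystorePass attribute missing or empty")
    return problems


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "server.xml")
        with open(path, "w") as fh:
            fh.write(SAMPLE_SERVER_XML)
        # The sample still has the default keystore path, so one problem is reported.
        for problem in check_connector(path, 8445, "/opt/trend/imss/UI/javaJRE/bin/keystore_name"):
            print(problem)
```

Because keystorePass is stored in clear text in server.xml, keep that file and the keystore readable only by the account that runs the console.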

Since the Microsoft CA certificate server is not usually included on the trusted CA servers of most internet browsers, you need to install the certificate of the CA server. Nevertheless, the security certificate is valid.

You can fix this by opening the IMSS console. However, you will still have the security warning.

[Screenshot: Security Alert]

To resolve the issue, install the certificate:

  1. Click View Certificate and then install the certificate by accepting the defaults. Make sure that you are installing the MS CA certificate. When you view the certificate, click on the Certification Path tab and then select the "root" certificate.

    The example below shows that the root is already imported:

    [Screenshot: Certification Path]

  2. Log in to the console after you have successfully imported and trusted the certificate. The result should be like the following:

    [Screenshot: Security Alert]

    The warning is saying that the name of the site does not match.

  3. Fix your DNS server so that the website name that you specified when creating the certificate will route to the IMSS server. Once you have fixed the DNS server, you can open the site using the hostname, for example https://imss.example.com:8445/loginPage.imss for the admin console and https://imss.example.com:8446 for EUQ access.

    The security prompt should no longer occur.