
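Use one of the following options to configure third-party signed certificates in IMSVA. The first procedure builds a keystore with keytool and has a CA sign the request; the second uses a certificate issued by a Windows CA.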

  1. Create a keystore using the following commands:

    [root@imsva_server ~]# cd /opt/trend/imss/UI/javaJRE/bin
    [root@imsva_server bin]# ./keytool -genkey -alias apache -keyalg RSA -keystore keystore_imsva

    Sample output after entering the commands:

    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
    [Unknown]: imsva_server.mydomain.com (This should reflect the FQDN of the IMSVA server.)
    What is the name of your organizational unit?
    [Unknown]: MY
    What is the name of your organization?
    [Unknown]: Test Systems
    What is the name of your City or Locality?
    [Unknown]: Anytown
    What is the name of your State or Province?
    [Unknown]: CA
    What is the two-letter country code for this unit?
    [Unknown]: US
    Is CN= imsva_server.mydomain.com, OU=MY, O=Test Systems, L=Anytown, ST=CA, C=US correct? [no]: yes
    Enter key password for <apache>
    (Press ENTER if the key password is the same as keystore password.)

  2. Create the certificate request (CSR) using the following commands:

    [root@imsva_server ~]# cd /opt/trend/imss/UI/javaJRE/bin
    [root@imsva_server bin]# ./keytool -certreq -keyalg RSA -keysize 2048 -alias apache -file imsvacert.req -keystore keystore_imsva

    Use a certificate authority (CA) to sign the request or send this to a third-party CA for signing.

  3. Export the private key from the keystore and copy it to /opt/trend/imss/UI/apache/conf/ssl.key/server.key.
    1. Export the private key from the Tomcat keystore using the following commands:

      [root@imsva_server ~]# cd /opt/trend/imss/UI/javaJRE/bin
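      [root@imsva_server bin]# ./keytool -importkeystore \
          -srckeystore keystore_imsva -destkeystore out.keystore.p12 \
          -srcstoretype JKS -deststoretype PKCS12 \
          -srcstorepass <keystore_password> -deststorepass <p12_password> \
          -srcalias apache -destalias apache \
          -srckeypass <key_password> -destkeypass <p12_password>

      Replace each value in angle brackets with the corresponding password. keystore_imsva is the keystore created in step 1, and out.keystore.p12 is the file read in the next step.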

    2. Convert the private key from PKCS12 to PEM, the format supported by Apache. Use the following, replacing the values in angle brackets with your own passwords:

      [root@imsva_server ~]# openssl pkcs12 -in out.keystore.p12 -out server.key.pem -passin pass:<p12_password> -passout pass:<pem_password>

    3. Decrypt the private key to get rid of the password-input dialog when starting Apache. Use the following:

      [root@imsva_server ~]# openssl rsa -in server.key.pem -out server.key

    4. Copy the server.key private key to /opt/trend/imss/UI/apache/conf/ssl.key/server.key using the following commands:

      [root@imsva_server ~]# cd /opt/trend/imss/UI/apache/conf/ssl.key/
      [root@imsva_server ssl.key]# cp server.key server.key.old
      [root@imsva_server ssl.key]# cp /opt/trend/imss/UI/javaJRE/bin/server.key /opt/trend/imss/UI/apache/conf/ssl.key/server.key

  4. Copy the imsvacert.cer public key to the ssl.crt folder. The path is /opt/trend/imss/UI/apache/conf/ssl.crt.
  5. Copy the chain file and certificate files to a temp folder on the IMSVA server, and then import the files to the keystore. Use the following commands:

    [root@imsva_server ~]# cd /opt/trend/imss/UI/javaJRE/bin
    [root@imsva_server bin]# ./keytool -importcert -keystore keystore_imsva -alias rootCA -file ROOTCA.cer
    [root@imsva_server bin]# ./keytool -importcert -keystore keystore_imsva -trustcacerts -alias intermediateCA -file CAIssued.cer
    [root@imsva_server bin]# ./keytool -importcert -keystore keystore_imsva -keyalg "RSA" -trustcacerts -alias apache -file imsvacert.cer

  6. Open the /opt/trend/imss/UI/adminUI/conf/server.xml file and add the "keystoreFile" line as shown below:

    scheme="https" secure="true"
    clientAuth="false"
    keystoreFile="/opt/trend/imss/UI/javaJRE/bin/keystore_imsva" keystorePass="your_password"
    sslProtocol="TLS" />

  7. Restart the IMSVA administration console using the following:

    [root@imsva_server ~]# /opt/trend/imss/script/S99ADMINUI restart

  1. Create a new certificate from a Windows CA.
    1. Go to http://<localhost>/certsrv/.
    2. Click Request a certificate.
    3. Select Advanced certificate request and then click Create a request to this CA and submit.
    4. Select Subordinate CA and enter the necessary information.

      It is recommended to provide the host name of the IMSVA on the Name field.

    5. Click Submit.
    6. Click Install this certificate.
    7. When the installation is complete, navigate to Internet Explorer > Tools > Internet Options > Content > Certificates.
    8. Export the certificate you just installed and the private key.
    9. Enter "trend" for the password.
    10. Select Export and then click Finish.
  2. Export the certificate to IMSVA.
    1. Copy server.pfx to /opt/trend/imss/UI/tomcat/SSLKey/.
    2. Open /opt/trend/imss/UI/euqUI/conf/server.xml.
    3. Search for "8446" and change the following:

      <Connector port="8446" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" keystoreFile="sslkey/.keystore" clientAuth="false" sslProtocol="TLS"/>

      to:

      <Connector port="8446" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" keystoreFile="sslkey/server.pfx" keystorePass="your_password" keystoreType="PKCS12" clientAuth="false" sslProtocol="TLS" />

    4. Run the following command:

      openssl pkcs12 -in /opt/trend/imss/UI/tomcat/sslkey/server.pfx -out server.pem -nodes

    5. Open server.pem and copy the content between "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----", and then save to server.key file.
    6. Open server.pem and copy the content between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----", and then save to server.crt file.
    7. Go to /opt/trend/imss/UI/apache/conf/ssl.crt/server.crt and replace it with server.crt.
    8. Go to /opt/trend/imss/UI/apache/conf/ssl.key/server.key and replace it with server.key.
    9. Execute the following commands:

      /opt/trend/imss/script/S99ADMINUI restart
      /opt/trend/imss/script/S99EUQ restart

    10. Distribute the certificates to the EUQ clients.
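
Steps 5 and 6 above can be scripted rather than copied by hand, and the key/certificate match check also applies to server.key and imsvacert.cer in the first procedure. The shell functions below are an added example, not part of the original article: the function names and the sample bundle are constructed for illustration, and the split assumes the first certificate in server.pem is the server certificate.

```shell
#!/bin/sh
# Added example: split the server.pem written by `openssl pkcs12 ... -nodes`
# into server.key and server.crt, then confirm the two belong together.

# Print the first PEM block whose BEGIN label matches the ERE in $2.
extract_pem_block() {
    awk -v want="$2" '
        !on && $0 ~ ("^-----BEGIN " want "-----$") { on = 1 }
        on { print }
        on && /^-----END / { exit }
    ' "$1"
}

# Write server.key (owner-only) and server.crt into directory $2.
split_pem() {
    old_umask=$(umask)
    umask 077   # the key is unencrypted after -nodes: never create it world-readable
    # Newer OpenSSL writes "PRIVATE KEY" (PKCS#8); older builds "RSA PRIVATE KEY".
    extract_pem_block "$1" '(RSA )?PRIVATE KEY' > "$2/server.key"
    umask "$old_umask"
    extract_pem_block "$1" 'CERTIFICATE' > "$2/server.crt"
    # Fail if either block is missing (for example, the key is still encrypted).
    [ -s "$2/server.key" ] && [ -s "$2/server.crt" ]
}

# Succeed only if the RSA key ($1) and PEM certificate ($2) share a public key.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed sample with dummy base64 bodies, shaped like pkcs12 -nodes output.
make_sample_bundle() {
    cat > "$1" <<'EOF'
Bag Attributes
    friendlyName: apache
-----BEGIN PRIVATE KEY-----
RFVNTVlLRVk=
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: apache
-----BEGIN CERTIFICATE-----
RFVNTVlMRUFG
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
RFVNTVlDQQ==
-----END CERTIFICATE-----
EOF
}
```

Run `split_pem server.pem . && key_matches_cert server.key server.crt` before replacing the files under apache/conf; a mismatch means Apache would be given a certificate that does not belong to the installed key. `key_matches_cert` needs the `openssl` binary, while the other functions use only `awk`.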
 
IMSVA 9.1 can maintain certificates directly from the web UI. Follow the steps in the IMSVA 9.1 Admin Guide: Managing Certificates in IMSVA.