What’s the use of Web Host Certificate?

Web Host Certificate is used for Apex One web console for encrypted connection and identity. Replacing it with trusted CA can prevent browsers like Chrome, to pop up/display security alerts. To replace the Web Host Certificate, the new certificate has to use a host name of Apex One server as the CN name.

Steps for replacing Web Host Certificate

Generate the 3rd-party certificate with name: CN={HostName} (e.g. CN=ApexOneServer.trendmicro.com) and export the public (.cer) and private key (.pfx).

Import the private key into [Certificate Store]\Personal\Certificates\.

When importing this key, make sure the option "Mark this key as exportable..." is checked.

Import the public key into [Certificate Store]\Trusted People\Certificates\.

Starting from Apex One 2019, new modules in Apex One Security Agent will authenticate whether the communication peer is a valid Apex One server. Please rename the above public key (.cer) to "OfcIPCer.dat" and then copy it to {Apex One Server Installation}\PCCSRV\Pccnt\Common\ and overwrite the existing file. This managed key will be deployed to the managed Apex One Security Agents. For example:

Copy <server_public_key>.cer to {Apex One Server Installation}\PCCSRV\Pccnt\Common\OfcIPCer.dat

Bind 3rd-party signed certificate to IIS:

Press the Windows button + R, and then type "inetmgr.exe". This will open the IIS Manager
Expand site node and highlight "Apex One virtual site" (OfficeScan in this example).
In the Actions pane, click Bindings... to open the Site Bindings window.
In the Site Bindings window, select Type="https" and click Edit....

The Edit Site Binding window will appear.
From the SSL Certificate section, click the Select... button and choose the certificate generated from the previous steps.
Click OK to close the window.

Additionally, if you find that there are 403.16 error codes in the IIS log, this means that the client certificate is untrusted or invalid. Please examine your system and apply the suggested resolutions accordingly:

Execute the PowerShell command below with administrator permission to find any inappropriate root certificates in Trusted Root Certification Authorities store.
Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject}

The above command will examine all the root certificates to see if their certification authority are all in the Trusted Root Certification Authorities store, and list any non–self-signed certificates whose "Issued To" and "Issued By" values are not an exact match.

[Solution]: Please refer to the Resolution section of "HTTP Error 403.16 - Forbidden" when you try to access a website that's hosted on IIS 7.0 to move any non–self-signed certificates out of the Trusted Root Certification Authorities certificate store and into the Intermediate Certification Authorities certificate store.

If the 403.16 error code continues to appear, you can turn on the Exclusive CA Trust mode which described in What's New in TLS/SSL (Schannel SSP).

[Solution]: Open the registry editor (regedit.exe) and add the following registry values:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel]
Name: ClientAuthTrustMode
Type: REG_DWORD
Value: 2

Here are the possible values of ClientAuthTrustMode for reference:

Value	Trust Mode	Description
0	Machine Trust (default)	Requires that the client certificate is issued by a certificate in the Trusted Issuers list.
1	Exclusive Root Trust	Requires that a client certificate chains to a root certificate contained in the caller-specified trusted issuer store. The certificate must also be issued by an issuer in the Trusted Issuers list.
2	Exclusive CA Trust	Requires that a client certificate chains to either an intermediate CA certificate or root certificate in the caller-specified trusted issuer store.

Follow the instructions in this KB article to avoid the certificate from automatically being reverted.

Alternatively, you can utilize the Apex One Certificate Import tool to help simplify the certificate import/replacement process.

Configuring Apex One to use a certificate signed by corporate Certificate Authority

Product / Version includes:

Apex One2019 , Apex OneAll

Last updated: 2022/08/17

Solution ID: KA-0009125

Category: Configure

Summary

In some environments, customers use their own Certificate Authority (CA). This article provides the steps if a customer wishes to use their own certificate.

What’s the use of Web Host Certificate?

Steps for replacing Web Host Certificate

Generate the 3rd-party certificate with name: CN={HostName} (e.g. CN=ApexOneServer.trendmicro.com) and export the public (.cer) and private key (.pfx).
Import the private key into [Certificate Store]\Personal\Certificates\.
When importing this key, make sure the option "Mark this key as exportable..." is checked.
Import the public key into [Certificate Store]\Trusted People\Certificates\.
Starting from Apex One 2019, new modules in Apex One Security Agent will authenticate whether the communication peer is a valid Apex One server. Please rename the above public key (.cer) to "OfcIPCer.dat" and then copy it to {Apex One Server Installation}\PCCSRV\Pccnt\Common\ and overwrite the existing file. This managed key will be deployed to the managed Apex One Security Agents. For example:
Copy <server_public_key>.cer to {Apex One Server Installation}\PCCSRV\Pccnt\Common\OfcIPCer.dat
Bind 3rd-party signed certificate to IIS:
1. Press the Windows button + R, and then type "inetmgr.exe". This will open the IIS Manager
2. Expand site node and highlight "Apex One virtual site" (OfficeScan in this example).
3. In the Actions pane, click Bindings... to open the Site Bindings window.
4. In the Site Bindings window, select Type="https" and click Edit....
  
  The Edit Site Binding window will appear.
5. From the SSL Certificate section, click the Select... button and choose the certificate generated from the previous steps.
6. Click OK to close the window.

Execute the PowerShell command below with administrator permission to find any inappropriate root certificates in Trusted Root Certification Authorities store.
Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject}

The above command will examine all the root certificates to see if their certification authority are all in the Trusted Root Certification Authorities store, and list any non–self-signed certificates whose "Issued To" and "Issued By" values are not an exact match.

[Solution]: Please refer to the Resolution section of "HTTP Error 403.16 - Forbidden" when you try to access a website that's hosted on IIS 7.0 to move any non–self-signed certificates out of the Trusted Root Certification Authorities certificate store and into the Intermediate Certification Authorities certificate store.

If the 403.16 error code continues to appear, you can turn on the Exclusive CA Trust mode which described in What's New in TLS/SSL (Schannel SSP).

[Solution]: Open the registry editor (regedit.exe) and add the following registry values:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel]
Name: ClientAuthTrustMode
Type: REG_DWORD
Value: 2

Here are the possible values of ClientAuthTrustMode for reference:

Value	Trust Mode	Description
0	Machine Trust (default)	Requires that the client certificate is issued by a certificate in the Trusted Issuers list.
1	Exclusive Root Trust	Requires that a client certificate chains to a root certificate contained in the caller-specified trusted issuer store. The certificate must also be issued by an issuer in the Trusted Issuers list.
2	Exclusive CA Trust	Requires that a client certificate chains to either an intermediate CA certificate or root certificate in the caller-specified trusted issuer store.

Follow the instructions in this KB article to avoid the certificate from automatically being reverted.

Alternatively, you can utilize the Apex One Certificate Import tool to help simplify the certificate import/replacement process.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Configuring Apex One to use a certificate signed by corporate Certificate Authority

What’s the use of Web Host Certificate?

Steps for replacing Web Host Certificate

Configuring Apex One to use a certificate signed by corporate Certificate Authority

Product / Version includes:

Summary

What’s the use of Web Host Certificate?

Steps for replacing Web Host Certificate