Follow these steps:
- Create the wildcard certificate.
On the CA tool (e.g. XCA), create a CSR (Certificate Signing Request) for the wildcard certificate, then sign it using the CA tool.
Below is an example:
- Export the signed wildcard certificate and the root CA certificate and transfer them to the DSM Linux server.
Note that the .p12 file of the wildcard certificate should be ignored.
- You may use WinSCP to transfer the files.
- Verify the files that have been copied. The root CA certificate has a .crt extension, but it is in PEM format (other formats of the root CA certificate have not been tested).
- Stop the Trend Micro DSM service.
# /opt/dsm/dsm_s stop
Below is a sample output:
[root@dsmlinux dsm]# /opt/dsm/dsm_s stop
Shutting down dsm_s
DSM running with pid 16614. Sending SIGTERM (-15) to stop process and shut down the DSM.
DSM shut down after 10 seconds.
- Clean up the current .keystore.
# mv /opt/dsm/.keystore /opt/dsm/.keystorebak
- Create a new .keystore and import the wildcard certificate.
# /opt/dsm/jre/bin/keytool -importkeystore -srckeystore /home/test/certs_20200419/lab_local_wildcard_cert_pfx.pfx -srcstoretype pkcs12 -destkeystore .keystore -deststoretype JKS
Below is a sample output:
[root@dsmlinux dsm]# /opt/dsm/jre/bin/keytool -importkeystore -srckeystore /home/test/certs_20200419/lab_local_wildcard_cert_pfx.pfx -srcstoretype pkcs12 -destkeystore .keystore -deststoretype JKS
Importing keystore /home/test/certs_20200419/lab_local_wildcard_cert_pfx.pfx to .keystore...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias {2373f689-1baf-4fb6-8fb0-64c34cdf1746} successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore .keystore -destkeystore .keystore -deststoretype pkcs12".
...where /home/test/certs_20200419/lab_local_wildcard_cert_pfx.pfx is the signed wildcard certificate exported from the CA in PFX format.
- Import the Root CA Certificate into the Trusted Certificates.
- Back up the cacerts file first.
- When prompted for the password, use changeit.
- When prompted with "Trust this certificate?", type yes.
# cp /opt/dsm/jre/lib/security/cacerts /opt/dsm/jre/lib/security/cacerts.bak
# /opt/dsm/jre/bin/keytool -import -alias root -trustcacerts -file /home/test/certs_20200419/rootCA.crt -keystore /opt/dsm/jre/lib/security/cacerts
Below is a sample output:
[root@dsmlinux ~]# cp /opt/dsm/jre/lib/security/cacerts /opt/dsm/jre/lib/security/cacerts.bak
[root@dsmlinux dsm]# /opt/dsm/jre/bin/keytool -import -alias root -trustcacerts -file /home/test/certs_20200419/rootCA.crt -keystore /opt/dsm/jre/lib/security/cacerts
Enter keystore password: changeit
Owner: EMAILADDRESS=administrator@lab.local, CN=addns01.lab.local, OU=IT, O=Lab, L=Bacoor, ST=Cavite, C=PH
Issuer: EMAILADDRESS=administrator@lab.local, CN=addns01.lab.local, OU=IT, O=Lab, L=Bacoor, ST=Cavite, C=PH
Serial number: 1
Valid from: Tue Feb 19 21:16:00 PST 2019 until: Mon Feb 19 21:16:00 PST 2029
Certificate fingerprints:
         MD5:    F7:20:D9:EB:05:89:EA:BF:14:23:8D:4E:46:A0:DB:26
         SHA1:   6F:2B:34:27:41:1C:A5:8B:48:B8:52:76:30:F9:4F:4E:AF:F5:D9:51
         SHA256: BB:F1:F9:1A:15:B9:14:F5:35:D4:8B:67:D9:B7:D0:D6:EB:00:D1:CA:45:BF:BC:9E:82:28:0B:FC:97:47:E6:13
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Non_repudiation
  Key_Encipherment
  Data_Encipherment
  Key_Agreement
  Key_CertSign
  Crl_Sign
  Encipher_Only
  Decipher_Only
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
...where /home/test/certs_20200419/rootCA.crt is the exported root CA certificate.
The first command backs up /opt/dsm/jre/lib/security/cacerts. When importing into /opt/dsm/jre/lib/security/cacerts, the password is changeit.
- Change the configuration.properties file.
- Back up the configuration.properties file first.
- Modify the value of keystorePass to the keystore password specified in step 5 (the destination keystore password entered during the keytool -importkeystore command above).
# cp /opt/dsm/configuration.properties /opt/dsm/configuration.properties.bak
# vi /opt/dsm/configuration.properties
Below is a sample output:
[root@dsmlinux dsm]# cp /opt/dsm/configuration.properties /opt/dsm/configuration.properties.bak
[root@dsmlinux dsm]# vi /opt/dsm/configuration.properties
------
[root@dsmlinux dsm]# cat /opt/dsm/configuration.properties
#
#Sun Apr 19 02:01:39 PST 2020
keystoreFile=/opt/dsm/.keystore
fipsmodeEnabled=false
port=4119
keystorePass=VMware1!
commandExe=dsm_c
installed=true
serviceName=dsm_s
------
- Start the Trend Micro DSM service.
# /opt/dsm/dsm_s start
Below is a sample output:
[root@dsmlinux dsm]# /opt/dsm/dsm_s start
Starting dsm_s
Below are sample results:
Update
In some cases the root CA certificate is not provided and you only receive the .pfx copy of the wildcard certificate. In that case, the root CA certificate can be derived from the signed wildcard certificate with the command below. Alternatively, ask the CA provider for a copy of the root CA certificate, if one is available.
openssl pkcs12 -in <filename.pfx> -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <cacerts.cer>
You may refer to this site for details: "How to export CA certificate chain from PFX in PEM format without bag attributes".
Run this on a Linux machine with OpenSSL installed, because a certain version of OpenSSL for Windows has a bug that makes the application crash.
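The following shell script is an added example and is not part of the original page or of Trend Micro's tooling. It builds a constructed lab PFX (a root CA plus a wildcard leaf, the shape a CA tool such as XCA exports), derives the CA certificate from it with the openssl | sed command above, and runs the pre-flight checks worth doing before the keystore import in the procedure above: the PEM contains no bag attributes, the PFX leaf really is a wildcard certificate, and it chains to the derived CA. All file names, the lab domain and the PFX password are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Builds a constructed lab PFX (root CA +
# wildcard leaf, the shape a CA tool such as XCA exports), derives the CA certificate
# from it with the page's openssl | sed command, and runs the pre-flight checks worth
# doing before replacing /opt/dsm/.keystore. Every name and password here is made up.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PFX_PASS=lab-pfx-pass   # assumed export password of the PFX (the page's command prompts for it)

make_lab_pfx() {  # constructed test data only; real certificates come from your CA tool
  printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' '[dn]' 'CN = placeholder' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' 'keyUsage = keyCertSign,cRLSign' \
    '[v3_leaf]' 'basicConstraints = CA:FALSE' > "$WORK/lab.cnf"
  openssl req -x509 -config "$WORK/lab.cnf" -extensions v3_ca -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Lab Root CA" -keyout "$WORK/rootCA.key" -out "$WORK/rootCA.crt" 2>/dev/null
  openssl req -new -config "$WORK/lab.cnf" -newkey rsa:2048 -nodes -subj "/CN=*.lab.local" \
    -keyout "$WORK/wild.key" -out "$WORK/wild.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/wild.csr" -CA "$WORK/rootCA.crt" -CAkey "$WORK/rootCA.key" \
    -CAcreateserial -days 2 -extfile "$WORK/lab.cnf" -extensions v3_leaf \
    -out "$WORK/wild.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/wild.key" -in "$WORK/wild.crt" \
    -certfile "$WORK/rootCA.crt" -passout "pass:$PFX_PASS" -out "$WORK/wild.pfx"
}

# The Update section's command: CA certs only, no keys, bag attributes dropped by sed.
derive_ca_pem() {  # $1=pfx  $2=output PEM
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -cacerts -nokeys \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$2"
}
extract_leaf_pem() {  # $1=pfx  $2=output PEM; the server certificate that lands in .keystore
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -clcerts -nokeys \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$2"
}
cert_count()     { grep -c -- '-BEGIN CERTIFICATE-' "$1" || true; }  # certificates in a PEM file
bag_attr_count() { grep -c 'Bag Attributes' "$1" || true; }          # must be 0 after the sed
leaf_is_wildcard() { openssl x509 -in "$1" -noout -subject | grep -q 'CN *= *\*\.'; }  # CN=*.x
leaf_chains_to()   { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }  # $1=leaf  $2=CA PEM

make_lab_pfx
derive_ca_pem    "$WORK/wild.pfx" "$WORK/derived_ca.cer"
extract_leaf_pem "$WORK/wild.pfx" "$WORK/wild_leaf.pem"
leaf_is_wildcard "$WORK/wild_leaf.pem"                        # stop here if the CN is not *.domain
leaf_chains_to   "$WORK/wild_leaf.pem" "$WORK/derived_ca.cer" # and if the leaf is not signed by it
echo "derived $(cert_count "$WORK/derived_ca.cer") CA cert(s)," \
     "$(bag_attr_count "$WORK/derived_ca.cer") bag-attribute lines; wildcard leaf chains to the CA"
```

If the PFX you received does not bundle the issuing chain, derive_ca_pem produces an empty file and the chain check fails; that is the case where you have to ask the CA provider for the root certificate.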
Below is a sample output: