To set up an Authentication Agent Self-Signed Certificate with SAN (Subject Alternative Name):

On the machine where you installed the TMWS Authentication Agent, create the following openssl.cnf file and save it in a folder of your choice:

[req]
default_bits = 2048
prompt = no
default_md = sha256
x509_extensions = v3_req
distinguished_name = dn
[dn]
C = PH #CHANGE THIS
ST = Pasig #CHANGE THIS
L = Ortigas #CHANGE THIS
O = Tekchallenge #CHANGE THIS
emailAddress = admin@tekchallenge.local #CHANGE THIS
CN = cs-scripts.tekchallenge.local #CHANGE THIS
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = cs-scripts.tekchallenge.local #CHANGE THIS

  1. Go to the following directory in cmd:

    cd "C:\Program Files (x86)\Trend Micro\InterScan Web Security as a Service\AuthenticationAgent\Apache-20\bin"

    The above directory may not apply if you installed the Authentication Agent in another directory. In that case, navigate to that directory instead and go to the bin sub-directory under Apache-20.
  2. Use the following command to generate a self-signed certificate with SAN using the previous openssl.cnf file created:

    openssl.exe req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout auth.key -days 3560 -out auth.crt -config "C:\Users\Administrator\Desktop\WS AD Auth Certs Openssl\openssl.cnf"

    Note that the -config parameter points to the exact location (absolute path) of the openssl.cnf file created earlier.

The following output files are located in C:\Program Files (x86)\Trend Micro\InterScan Web Security as a Service\AuthenticationAgent\Apache-20\bin\:

  • auth.key
  • auth.crt
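To confirm the generated pair is what the agent and the endpoints expect, here is an added shell example (not part of the original article or Trend Micro's tooling) that builds the certificate from the same openssl.cnf layout and checks that the SAN carries the FQDN, that auth.key matches auth.crt, and that the certificate is currently valid. WORKDIR and the hostnames are constructed for the demo; on the agent machine the same openssl commands run from the Apache-20\bin folder with openssl.exe.

```shell
#!/bin/sh
# Added example (not Trend Micro's code): build the SAN certificate from the
# page's openssl.cnf layout and check it before loading it into the agent.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"          # constructed scratch location
CONF="$WORKDIR/openssl.cnf"; KEY="$WORKDIR/auth.key"; CRT="$WORKDIR/auth.crt"
AGENT_FQDN="cs-scripts.tekchallenge.local"   # the page's example FQDN

# Same layout as the page's openssl.cnf, with the FQDN in both CN and SAN.
cat > "$CONF" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
x509_extensions = v3_req
distinguished_name = dn
[dn]
C = PH
ST = Pasig
L = Ortigas
O = Tekchallenge
emailAddress = admin@tekchallenge.local
CN = $AGENT_FQDN
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $AGENT_FQDN
EOF
# Same openssl invocation as the page (openssl.exe on Windows).
openssl req -new -x509 -newkey rsa:2048 -sha256 -nodes \
  -keyout "$KEY" -days 3560 -out "$CRT" -config "$CONF" 2>/dev/null

# 0 when the certificate's SAN lists the DNS name; browsers check the SAN,
# not the CN, so this is the field that decides whether warnings disappear.
has_san_dns() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -Eq "DNS:$2(,|\$)"
}

# 0 when auth.key is the private key for auth.crt (the pair the agent needs).
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 when the certificate is currently valid and self-signed (issuer = subject).
is_self_signed_valid() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null &&
  [ "$(openssl x509 -in "$1" -noout -subject | cut -d= -f2-)" = \
    "$(openssl x509 -in "$1" -noout -issuer | cut -d= -f2-)" ]
}
```

Run it once after step 2; if has_san_dns fails, the endpoints will keep showing a certificate warning even after the root import, because the hostname check is done against the SAN.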

  1. Open Authentication Agent.
  2. Click Replace IWSaaS Certificate.

  3. Browse the auth.crt and auth.key file, and then click OK.

  4. Click OK.

On the endpoint(s) that will connect to the machine where the Authentication Agent is installed, copy the self-signed certificate and import it into the Trusted Root Certification Authorities store (this can also be done via GPO).

  1. On the endpoint, open http://diagnose.iws-hybrid.trendmicro.com/.
  2. Click Log On at the bottom of the web page.

  3. Enter your username and then click Log On.

    Note that you are redirected to the FQDN of the TMWS Authentication Agent machine (as configured in the TMWS Admin Console), that the page is served over HTTPS, and that no certificate warning appears once the self-signed certificate has been imported into Trusted Root Certificates.

  4. Inspect the certificate.

    Under the Details tab, it should have the Subject Alternative Name.