Pre-requisites

  • Valid server certificate in .pfx format (including private key)
  • Password for the .pfx file
  • Local administrator access to the DSM server
  • Maintenance window (DSM service restart required)

 

Backup

  1. Before making any changes, back up the following files from C:\Program Files\Trend Micro\Deep Security Manager:
    • .keystore
    • configuration.properties
  2. Store the backup in a safe location.

 

Procedure

  1. Stop DSM Service

    Stop the Trend Micro Deep Security Manager service from Services.msc.

  2. Prepare Certificate Files
    1. Create the folder C:\cert
    2. Copy all certificate-related files into this folder.
    3. Ensure the .pfx file is present.
    4. Rename the certificate to ServerCertificate.pfx
  3. Rename Existing Keystore
    1. Navigate to the DSM installation directory: cd "C:\Program Files\Trend Micro\Deep Security Manager"
    2. Rename the existing keystore: rename .keystore keystorebak
  4. Import Certificate into New Keystore (JKS)
    1. Navigate to the Java bin directory: cd "C:\Program Files\Trend Micro\Deep Security Manager\jre\bin"
    2. Run the following command:

      keytool -importkeystore -srckeystore "C:\cert\ServerCertificate.pfx" -destkeystore "C:\Program Files\Trend Micro\Deep Security Manager\.keystore" -deststoretype JKS

    3. You will be prompted for the password three times.
      • Enter the .pfx password each time.
      • Remember this password; it will be required later.
  5. Convert Keystore to PKCS12 Format

    Run the following one-line command:

    keytool -importkeystore -srckeystore "C:\Program Files\Trend Micro\Deep Security Manager\.keystore" -destkeystore "C:\Program Files\Trend Micro\Deep Security Manager\.keystore" -deststoretype pkcs12

  6. Update configuration.properties
    1. Navigate to: C:\Program Files\Trend Micro\Deep Security Manager
    2. Copy configuration.properties to the Desktop.
    3. Open the file using Notepad (Run as Administrator).
    4. Update the keypass value with the same password used for the .pfx file.
    5. Save the file as configuration.properties and ensure the extension remains .properties
    6. Copy the updated file back to:

      C:\Program Files\Trend Micro\Deep Security Manager
      (Overwrite the existing file if prompted.)

  7. Start DSM Service
    • Start the Trend Micro Deep Security Manager service.
    • Wait approximately 5 minutes for the service to initialize.

 

Validation

  1. Open the DSM console in a browser.
  2. Confirm the certificate is updated.
  3. Access the DSM console using the fully qualified domain name (FQDN) configured in the CA-signed certificate; accessing the console via IP address may still result in browser security warnings.
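
A post-restart check for the Validation steps above, as an added example that is not part of the original article: it compares the certificate DSM serves with the one in the .pfx. The host name dsm.example.com is a placeholder and port 4119 is an assumed console port; set both to match your installation.

```powershell
# Added example: confirm DSM is serving the certificate that was imported.
param(
    [string]$PfxPath = 'C:\cert\ServerCertificate.pfx',  # path used in the procedure
    [string]$DsmHost = 'dsm.example.com',                # placeholder FQDN (assumption)
    [int]$DsmPort    = 4119                              # assumed console port (assumption)
)

# Prompt for the .pfx password so it is never written into the script.
$pfxPassword = Read-Host -AsSecureString "Password for $PfxPath"
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $PfxPath, $pfxPassword)

# Pre-flight: a server certificate needs its private key and must not be expired.
if (-not $expected.HasPrivateKey) { throw 'The .pfx does not contain a private key.' }
if ($expected.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($expected.NotAfter)." }

# The callback lets the handshake finish so the served certificate can be read;
# the thumbprint comparison below is the actual check. Policy errors are recorded.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($s, $cert, $chain, $errors)
    $script:tlsErrors = $errors
    $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($DsmHost, $DsmPort)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($DsmHost)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
        $ssl.RemoteCertificate)
}
finally {
    $tcp.Close()
}

# Match = False means DSM is still serving a different certificate than the .pfx.
[pscustomobject]@{
    ExpectedThumbprint = $expected.Thumbprint
    ServedThumbprint   = $served.Thumbprint
    Match              = ($expected.Thumbprint -eq $served.Thumbprint)
    ServedSubject      = $served.Subject
    ServedNotAfter     = $served.NotAfter
    TlsPolicyErrors    = $script:tlsErrors
}
```

A TlsPolicyErrors value of RemoteCertificateNameMismatch means the name used to connect is not in the certificate, which is the browser-warning case described in step 3.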

 

Rollback Procedure

If the DSM console does not open or issues occur, follow these steps:

  1. Stop the DSM service.
  2. Restore the backed-up files:
    • .keystore
    • configuration.properties
  3. Start the DSM service again.