How to deploy wildcard certificate in Deep Security Manager (DSM) Linux

Updated: 27 Aug 2020
Product/Version: Deep Security All
Summary

This article describes the steps for deploying a wildcard certificate in DSM on Linux. Make sure you have access to a Certificate Authority (CA) or an internal CA tool (e.g. XCA) before proceeding.

Details

Follow these steps:

  1. Create the wildcard certificate.

    On the CA tool (e.g. XCA), create a CSR (Certificate Signing Request) for the wildcard certificate and sign it using the CA tool.


  2. Export the signed wildcard certificate and the root CA certificate, and transfer them to the DSM Linux host.

    Note that the .p12 file of the wildcard certificate should be ignored.

    1. You may use WinSCP to transfer the files.

    2. Verify the files that have been copied.

      The root CA certificate has a .crt extension but is in PEM format (other root CA formats have not been tested).

  3. Stop the Trend Micro DSM service.

    # /opt/dsm/dsm_s stop

    Below is a sample output:

    [root@dsmlinux dsm]# /opt/dsm/dsm_s stop
    Shutting down dsm_s
    DSM running with pid 16614. Sending SIGTERM (-15) to stop process and shut down the DSM.
    DSM shut down after 10 seconds.

  4. Clean up the current .keystore.

    # mv /opt/dsm/.keystore /opt/dsm/.keystorebak

  5. Create a new .keystore and import the wildcard certificate.

    # /opt/dsm/jre/bin/keytool -importkeystore -srckeystore /home/test/certs_20200419/lab_local_wildcard_cert_pfx.pfx -srcstoretype pkcs12 -destkeystore .keystore -deststoretype JKS

    Below is a sample output:

    [root@dsmlinux dsm]# /opt/dsm/jre/bin/keytool -importkeystore -srckeystore  /home/test/certs_20200419/lab_local_wildcard_cert_pfx.pfx -srcstoretype pkcs12 -destkeystore .keystore -deststoretype JKS
    Importing keystore /home/test/certs_20200419/lab_local_wildcard_cert_pfx.pfx to .keystore...
    Enter destination keystore password:
    Re-enter new password:
    Enter source keystore password:
    Entry for alias {2373f689-1baf-4fb6-8fb0-64c34cdf1746} successfully imported.
    Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
    Warning:
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry  standard format using "keytool -importkeystore -srckeystore .keystore -destkeystore .keystore -deststoretype  pkcs12".
    

    ...where /home/test/certs_20200419/lab_local_wildcard_cert_pfx.pfx is the signed wildcard certificate exported from the CA in PFX format.

  6. Import the root CA certificate into the trusted certificates (cacerts).
    1. Back up the cacerts file first.
    2. When prompted for the keystore password, enter changeit.
    3. When prompted with "Trust this certificate?", type yes.

      # cp /opt/dsm/jre/lib/security/cacerts /opt/dsm/jre/lib/security/cacerts.bak
      # /opt/dsm/jre/bin/keytool -import -alias root -trustcacerts -file /home/test/certs_20200419/rootCA.crt -keystore /opt/dsm/jre/lib/security/cacerts

    Below is a sample output:

    [root@dsmlinux ~]# cp /opt/dsm/jre/lib/security/cacerts /opt/dsm/jre/lib/security/cacerts.bak
    [root@dsmlinux dsm]# /opt/dsm/jre/bin/keytool -import -alias root -trustcacerts -file  /home/test/certs_20200419/rootCA.crt -keystore /opt/dsm/jre/lib/security/cacerts
    Enter keystore password: changeit
    Owner: EMAILADDRESS=administrator@lab.local, CN=addns01.lab.local, OU=IT, O=Lab, L=Bacoor,  ST=Cavite, C=PH
    Issuer: EMAILADDRESS=administrator@lab.local, CN=addns01.lab.local, OU=IT, O=Lab, L=Bacoor,  ST=Cavite, C=PH
    Serial number: 1
    Valid from: Tue Feb 19 21:16:00 PST 2019 until: Mon Feb 19 21:16:00 PST 2029
    Certificate fingerprints:
             MD5:  F7:20:D9:EB:05:89:EA:BF:14:23:8D:4E:46:A0:DB:26
             SHA1: 6F:2B:34:27:41:1C:A5:8B:48:B8:52:76:30:F9:4F:4E:AF:F5:D9:51
             SHA256:  BB:F1:F9:1A:15:B9:14:F5:35:D4:8B:67:D9:B7:D0:D6:EB:00:D1:CA:45:BF:BC:9E:82:28:0B:FC:97:47:E6:13
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 3
    Extensions:
    #1: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
      CA:true
      PathLen:2147483647
    ]
    #2: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
      serverAuth
      clientAuth
    ]
    #3: ObjectId: 2.5.29.15 Criticality=false
    KeyUsage [
      DigitalSignature
      Non_repudiation
      Key_Encipherment
      Data_Encipherment
      Key_Agreement
      Key_CertSign
      Crl_Sign
      Encipher_Only
      Decipher_Only
    ]
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
    

    ...where /home/test/certs_20200419/rootCA.crt is the exported root CA Certificate.

    The first command backs up /opt/dsm/jre/lib/security/cacerts. When importing into /opt/dsm/jre/lib/security/cacerts, the keystore password is changeit.

  7. Change the configuration.properties file.
    1. Back up the configuration.properties file first.
    2. Set the value of keystorePass to the destination keystore password you chose in step 5.

      # cp /opt/dsm/configuration.properties /opt/dsm/configuration.properties.bak
      # vi /opt/dsm/configuration.properties

    Below is a sample output:

    [root@dsmlinux dsm]# cp /opt/dsm/configuration.properties /opt/dsm/configuration.properties.bak
    [root@dsmlinux dsm]# vi /opt/dsm/configuration.properties
    ------
    [root@dsmlinux dsm]# cat /opt/dsm/configuration.properties
    #
    #Sun Apr 19 02:01:39 PST 2020
    keystoreFile=/opt/dsm/.keystore
    fipsmodeEnabled=false
    port=4119
    keystorePass=VMware1!
    commandExe=dsm_c
    installed=true
    serviceName=dsm_s
    ------
    
  8. Start the Trend Micro DSM service.

    # /opt/dsm/dsm_s start

    Below is a sample output:

    [root@dsmlinux dsm]# /opt/dsm/dsm_s start
    Starting dsm_s
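The following script is an added example and is not part of the Trend Micro article or product: it automates steps 3 to 8 above non-interactively, with a pre-check that the wildcard name actually covers the manager's FQDN (a wildcard matches a single DNS label only) and a configuration.properties rewrite that keeps special characters in the password intact. The /opt/dsm paths come from the article; the argument names, the use of hostname -f, and the assumption that the PFX and the new keystore share one password are mine.

```shell
# Added example, not from the Trend Micro article: automates steps 3-8 above.
# Paths, password, wildcard name and 'hostname -f' are assumptions; run as root.
set -eu
DSM_HOME=/opt/dsm
KEYTOOL="$DSM_HOME/jre/bin/keytool"
CACERTS="$DSM_HOME/jre/lib/security/cacerts"
CONF="$DSM_HOME/configuration.properties"
# Pre-check: is HOST covered by the wildcard name? A wildcard matches one label:
# *.lab.local covers dsmlinux.lab.local, but neither lab.local nor a.b.lab.local.
wildcard_covers() {
    wc=$1; host=$2
    case "$wc" in
        \*.*) suffix=${wc#\*.} ;;
        *)    [ "$wc" = "$host" ]; return ;;
    esac
    [ "$host" = "${host%%.*}.$suffix" ]
}
# Step 7 as a filter (stdin -> stdout): rewrite keystorePass=... without sed, so
# passwords containing &, |, / or \ (the article's VMware1! included) stay verbatim.
set_keystore_pass() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            keystorePass=*) printf 'keystorePass=%s\n' "$1" ;;
            *)              printf '%s\n' "$line" ;;
        esac
    done
}
# deploy_wildcard_cert PFX ROOTCA.crt PASSWORD WILDCARD_NAME. Assumes the PFX and
# the new JKS share one password, so keystorePass opens both store and key entry.
deploy_wildcard_cert() {
    pfx=$1; root_ca=$2; pass=$3; wc_name=$4
    fqdn=$(hostname -f)
    wildcard_covers "$wc_name" "$fqdn" ||
        { echo "$wc_name does not cover $fqdn" >&2; return 1; }
    "$DSM_HOME/dsm_s" stop                                                # step 3
    [ ! -f "$DSM_HOME/.keystore" ] || mv "$DSM_HOME/.keystore" "$DSM_HOME/.keystorebak"
    "$KEYTOOL" -importkeystore -srckeystore "$pfx" -srcstoretype pkcs12 \
        -srcstorepass "$pass" -destkeystore "$DSM_HOME/.keystore" \
        -deststoretype JKS -deststorepass "$pass"                         # step 5
    cp "$CACERTS" "$CACERTS.bak"                                          # step 6
    "$KEYTOOL" -import -alias root -trustcacerts -noprompt -file "$root_ca" \
        -keystore "$CACERTS" -storepass changeit
    cp "$CONF" "$CONF.bak"                                                # step 7
    set_keystore_pass "$pass" < "$CONF.bak" > "$CONF"
    "$DSM_HOME/dsm_s" start                                               # step 8
}
# Runs only when given arguments: ./deploy.sh wc.pfx rootCA.crt 'VMware1!' '*.lab.local'
[ $# -eq 0 ] || deploy_wildcard_cert "$@"
```

Passing the password on the command line exposes it to other users via ps and the shell history; keytool also accepts -srcstorepass:file and -deststorepass:file to read it from a file instead.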


Update

In certain cases the root CA certificate is not provided and only the .pfx copy of the wildcard certificate is available. In that case, the following command derives the CA certificate chain from the signed wildcard certificate. Alternatively, you can ask the CA provider for a copy of the root CA certificate, if available.

openssl pkcs12 -in <filename.pfx> -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <cacerts.cer>

For details, refer to the article "How to export CA certificate chain from PFX in PEM format without bag attributes".

Run this on a Linux machine with OpenSSL installed, because a certain version of OpenSSL for Windows has a bug that makes the application crash.


Category: Configure
Solution Id: 000265547