How to deploy wildcard certificate in Deep Security Manager (DSM) Linux

    • Updated: 27 Aug 2020
    • Product/Version: Deep Security All
    • Platform:

This article describes the steps for deploying a wildcard certificate in DSM Linux. Before proceeding, make sure that you have access to a Certificate Authority (CA) or an internal CA tool (e.g. XCA).


Follow these steps:

  1. Create the wildcard certificate.

    On the CA tool (e.g. XCA), create a CSR (Certificate Signing Request) for the wildcard certificate, then sign it using the CA tool.

  2. Export the signed wildcard certificate and the root CA certificate, and transfer them to DSM Linux.

    Note that the .p12 file of the wildcard certificate should be ignored.

    1. You may use WinSCP to transfer the files.

    2. Verify the files that have been copied.

      The root CA certificate has a .crt extension, but it is in PEM format (other formats of the root CA certificate have not been tested).

  3. Stop the Trend Micro DSM service

    # /opt/dsm/dsm_s stop

    Below is a sample output:

    [root@dsmlinux dsm]# /opt/dsm/dsm_s stop
    Shutting down dsm_s
    DSM running with pid 16614. Sending SIGTERM (-15) to stop process and shut down the DSM.
    DSM shut down after 10 seconds.

  4. Clean up the current .keystore.

    # mv /opt/dsm/.keystore /opt/dsm/.keystorebak

  5. Create a new .keystore and import the wildcard certificate

    # /opt/dsm/jre/bin/keytool -importkeystore -srckeystore /home/test/certs_20200419/lab_local_wildcard_cert_pfx.pfx -srcstoretype pkcs12 -destkeystore .keystore -deststoretype JKS

    Below is a sample output:

    [root@dsmlinux dsm]# /opt/dsm/jre/bin/keytool -importkeystore -srckeystore  /home/test/certs_20200419/lab_local_wildcard_cert_pfx.pfx -srcstoretype pkcs12 -destkeystore .keystore -deststoretype JKS
    Importing keystore /home/test/certs_20200419/lab_local_wildcard_cert_pfx.pfx to .keystore...
    Enter destination keystore password:
    Re-enter new password:
    Enter source keystore password:
    Entry for alias {2373f689-1baf-4fb6-8fb0-64c34cdf1746} successfully imported.
    Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry  standard format using "keytool -importkeystore -srckeystore .keystore -destkeystore .keystore -deststoretype  pkcs12".

    ...where /home/test/certs_20200419/lab_local_wildcard_cert_pfx.pfx is the exported signed wildcard certificate from CA in PFX format.

  6. Import the Root CA Certificate into the Trusted Certificates.
    1. Back up the cacerts file first.
    2. When prompted for the password, use changeit.
    3. When prompted with Trust this certificate?, type yes.

      # cp /opt/dsm/jre/lib/security/cacerts /opt/dsm/jre/lib/security/cacerts.bak
      # /opt/dsm/jre/bin/keytool -import -alias root -trustcacerts -file /home/test/certs_20200419/rootCA.crt -keystore /opt/dsm/jre/lib/security/cacerts

    Below is a sample output:

    [root@dsmlinux ~]# cp /opt/dsm/jre/lib/security/cacerts /opt/dsm/jre/lib/security/cacerts.bak
    [root@dsmlinux dsm]# /opt/dsm/jre/bin/keytool -import -alias root -trustcacerts -file  /home/test/certs_20200419/rootCA.crt -keystore /opt/dsm/jre/lib/security/cacerts
    Enter keystore password: changeit
    Owner: EMAILADDRESS=administrator@lab.local, CN=addns01.lab.local, OU=IT, O=Lab, L=Bacoor,  ST=Cavite, C=PH
    Issuer: EMAILADDRESS=administrator@lab.local, CN=addns01.lab.local, OU=IT, O=Lab, L=Bacoor,  ST=Cavite, C=PH
    Serial number: 1
    Valid from: Tue Feb 19 21:16:00 PST 2019 until: Mon Feb 19 21:16:00 PST 2029
    Certificate fingerprints:
             MD5:  F7:20:D9:EB:05:89:EA:BF:14:23:8D:4E:46:A0:DB:26
             SHA1: 6F:2B:34:27:41:1C:A5:8B:48:B8:52:76:30:F9:4F:4E:AF:F5:D9:51
             SHA256:  BB:F1:F9:1A:15:B9:14:F5:35:D4:8B:67:D9:B7:D0:D6:EB:00:D1:CA:45:BF:BC:9E:82:28:0B:FC:97:47:E6:13
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
    Version: 3
    #1: ObjectId: Criticality=false
    #2: ObjectId: Criticality=false
    ExtendedKeyUsages [
    #3: ObjectId: Criticality=false
    KeyUsage [
    Trust this certificate? [no]:  yes
    Certificate was added to keystore

    ...where /home/test/certs_20200419/rootCA.crt is the exported root CA Certificate.

    The first command backs up /opt/dsm/jre/lib/security/cacerts. When importing into /opt/dsm/jre/lib/security/cacerts, the password is changeit.

  7. Change the file.
    1. Back up the file first.
    2. Modify the value of keystorePass with the keystore password specified in step 5.

      # cp /opt/dsm/ /opt/dsm/
      # vi /opt/dsm/

    Below is a sample output:

    [root@dsmlinux dsm]# cp /opt/dsm/ /opt/dsm/
    [root@dsmlinux dsm]# vi /opt/dsm/
    [root@dsmlinux dsm]# cat /opt/dsm/
    #Sun Apr 19 02:01:39 PST 2020

  8. Start the Trend Micro DSM service.

    # /opt/dsm/dsm_s start

    Below is a sample output:

    [root@dsmlinux dsm]# /opt/dsm/dsm_s start
    Starting dsm_s

In some cases the root CA certificate is not provided and only the .pfx copy of the wildcard certificate is available. In that case, the following command derives the root CA certificate from the signed wildcard certificate. Alternatively, you can ask the CA provider for a copy of the root CA certificate, if available.

openssl pkcs12 -in <filename.pfx> -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <cacerts.cer>

You may refer to this site for details on How to export CA certificate chain from PFX in PEM format without bag attributes.

Run this on a Linux machine with OpenSSL installed, because a certain version of OpenSSL for Windows has a bug that crashes the application.
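The file checks from step 2 and the relationship between the PFX and the root CA file can be confirmed before the keystore and cacerts are touched. The following is an added example, not part of the original article or of Trend Micro tooling; the function names are hypothetical, and it assumes the wildcard certificate is signed directly by the root CA, as in the lab setup above.

```shell
#!/bin/sh
# Added example: pre-flight checks for the certificate files copied in step 2.
# Function names are hypothetical; paths in the usage comments are the article's.

# Print PEM, DER or UNKNOWN, judging by file content rather than by extension.
cert_encoding() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        echo DER    # a DER certificate starts with an ASN.1 SEQUENCE tag (0x30)
    else
        echo UNKNOWN
    fi
}

# Count the certificates in a PEM file. More than one means the file holds
# a chain (for example one derived from a PFX), not just the root CA.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Return 0 when the certificate inside the PFX verifies against the root CA file.
# openssl prompts for the PFX import password.
# Assumption: the certificate is signed directly by the root (no intermediates).
pfx_chains_to_root() {
    pfx=$1
    root=$2
    leaf=$(mktemp) || return 2
    # Same sed filter as the article's command: keep only the PEM certificate body.
    openssl pkcs12 -in "$pfx" -clcerts -nokeys |
        sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$leaf"
    openssl verify -CAfile "$root" "$leaf"
    rc=$?
    rm -f "$leaf"
    return $rc
}

# Usage on the DSM server, with the article's sample paths:
#   cert_encoding /home/test/certs_20200419/rootCA.crt
#   pem_cert_count /home/test/certs_20200419/rootCA.crt
#   pfx_chains_to_root /home/test/certs_20200419/lab_local_wildcard_cert_pfx.pfx \
#       /home/test/certs_20200419/rootCA.crt
```
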
