Modern browsers will prompt a warning if SAN is not present on the web page's certificate. This article describes the steps for building a Self-Signed Certificate with SAN for the Authentication Agent.
To set up an Authentication Agent Self-Signed Certificate with SAN (Subject Alternative Name):
On the machine where you installed the TMWS Authentication Agent:, create the following openssl.cnf file and save it to the folder you want:
default_bits = 2048
prompt = no
default_md = sha256
x509_extensions = v3_req
distinguished_name = dn
C = PH #CHANGE THIS
ST = Pasig #CHANGE THIS
L = Ortigas #CHANGE THIS
O = Tekchallenge #CHANGE THIS
emailAddress = email@example.com #CHANGE THIS
CN = cs-scripts.tekchallenge.local #CHANGE THIS
subjectAltName = @alt_names
DNS.1 = cs-scripts.tekchallenge.local #CHANGE THIS
- Go to the following directory in cmd:
C:\Program Files (x86)\Trend Micro\InterScan Web Security as a Service\AuthenticationAgent\Apache-20\bin> cd "C:\Program Files (x86)\Trend Micro\InterScan Web Security as a Service\AuthenticationAgent\Apache-20\bin"The above directory may not apply if you installed the Authentication Agent on another directory. You have to navigate to that directory instead and go to bin sub-directory under Apache-20.
- Use the following command to generate a self-signed certificate with SAN using the previous openssl.cnf file created:
openssl.exe req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout auth.key -days 3560 -out auth.crt -config "C:\Users\Administrator\Desktop\WS AD Auth Certs Openssl\openssl.cnf"Note the -config parameter pointing to the exact location (absolute path) of the openssl.cnf file created earlier.
The follwing output files are located at C:\Program Files (x86)\Trend Micro\InterScan Web Security as a Service\AuthenticationAgent\Apache-20\bin\:
On the endpoint(s) that will eventually connect to the machine where Authentication Agent is installed, copy and import the Self-Signed Certificate in Trusted Root Certificates (can instead do this via GPO).
- On the endpoint, open http://diagnose.iws-hybrid.trendmicro.com/.
- Click Log On at the bottom of the web page.
- Enter your username and then click Log On.
- Inspect the certificate.
Under the Details tab, it should have the Subject Alternative Name.