Setting up Self-Signed Certificate with a Subject Alternative Name (SAN) for Authentication Agent

    • Updated: 29 Sep 2020
    • Product/Version: Trend Micro Web Security All
Summary

Modern browsers display a warning if the certificate presented by a web page has no SAN. This article describes how to build a self-signed certificate with a SAN for the Authentication Agent.

Details

To set up an Authentication Agent Self-Signed Certificate with SAN (Subject Alternative Name):

On the machine where you installed the TMWS Authentication Agent, create the following openssl.cnf file and save it to a folder of your choice:

[req]
default_bits = 2048
prompt = no
default_md = sha256
x509_extensions = v3_req
distinguished_name = dn
[dn]
C = PH #CHANGE THIS
ST = Pasig #CHANGE THIS
L = Ortigas #CHANGE THIS
O = Tekchallenge #CHANGE THIS
emailAddress = admin@tekchallenge.local #CHANGE THIS
CN = cs-scripts.tekchallenge.local #CHANGE THIS
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = cs-scripts.tekchallenge.local #CHANGE THIS

  1. Go to the following directory in cmd:

    cd "C:\Program Files (x86)\Trend Micro\InterScan Web Security as a Service\AuthenticationAgent\Apache-20\bin"

    This directory does not apply if you installed the Authentication Agent in another location. In that case, navigate to your installation directory and go to the bin sub-directory under Apache-20.
  2. Use the following command to generate a self-signed certificate with SAN from the openssl.cnf file created earlier:

    openssl.exe req -new -x509 -newkey rsa:2048 -sha256 -nodes -keyout auth.key -days 3560 -out auth.crt -config "C:\Users\Administrator\Desktop\WS AD Auth Certs Openssl\openssl.cnf"

    Note that the -config parameter points to the exact location (absolute path) of the openssl.cnf file created earlier.

The following output files are located at C:\Program Files (x86)\Trend Micro\InterScan Web Security as a Service\AuthenticationAgent\Apache-20\bin\:

  • auth.key
  • auth.crt

  1. Open Authentication Agent.
  2. Click Replace IWSaaS Certificate.

  3. Browse to the auth.crt and auth.key files, and then click OK.

  4. Click OK.

On each endpoint that will connect to the machine where the Authentication Agent is installed, copy the self-signed certificate and import it into Trusted Root Certificates (this can also be done via GPO).

  1. On the endpoint, open http://diagnose.iws-hybrid.trendmicro.com/.
  2. Click Log On at the bottom of the web page.

  3. Enter your username and then click Log On.

    Note that you are redirected to the FQDN of the TMWS Authentication Agent machine (configured on the TMWS Admin Console), the web page is served over HTTPS, and there is no longer a certificate warning (provided the self-signed certificate was successfully imported into Trusted Root Certificates).

  4. Inspect the certificate.

    Under the Details tab, the certificate should list the Subject Alternative Name.
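
A check an endpoint administrator can run before placing auth.crt in Trusted Root Certificates, added here as an example and not part of the original article or Trend Micro's tooling: it confirms the SAN, SHA-256 signature and 2048-bit RSA key requested in openssl.cnf, and prints the thumbprint for comparison with the copy on the agent machine. The parameters $CertPath, $ExpectedFqdn and -Import are assumptions, and the SAN parsing assumes an English-language Windows installation.

```powershell
# Added example (not Trend Micro code). Run in Windows PowerShell 5.1 on the endpoint.
param(
    [string]$CertPath     = '.\auth.crt',                     # assumption: file copied next to this script
    [string]$ExpectedFqdn = 'cs-scripts.tekchallenge.local',  # sample name from the article's openssl.cnf
    [switch]$Import                                           # pass -Import to trust the certificate
)

$path = (Resolve-Path -LiteralPath $CertPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)

# Subject Alternative Name is extension OID 2.5.29.17.
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanNames = @()
if ($sanExt) {
    # Format($true) yields one entry per line, such as "DNS Name=host.example".
    # The "DNS Name" label is localized, hence the English-language assumption.
    $sanNames = @([regex]::Matches($sanExt.Format($true), 'DNS Name=(\S+)') |
        ForEach-Object { $_.Groups[1].Value })
}

$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

$problems = @()
if (-not $sanExt) {
    $problems += 'no Subject Alternative Name extension'
} elseif ($sanNames -notcontains $ExpectedFqdn) {
    $problems += "SAN does not list $ExpectedFqdn (found: $($sanNames -join ', '))"
}
# 1.2.840.113549.1.1.11 is sha256WithRSAEncryption, matching -sha256 in the command above.
if ($cert.SignatureAlgorithm.Value -ne '1.2.840.113549.1.1.11') { $problems += 'signature is not SHA-256 with RSA' }
if (-not $rsa -or $rsa.KeySize -lt 2048) { $problems += 'public key is not RSA with at least 2048 bits' }
if ($cert.Subject -ne $cert.Issuer)      { $problems += 'subject and issuer differ; not self-signed' }
if ($cert.NotAfter -lt (Get-Date))       { $problems += "certificate expired on $($cert.NotAfter)" }

"Subject    : $($cert.Subject)"
"SAN        : $($sanNames -join ', ')"
"Expires    : $($cert.NotAfter)"
"Thumbprint : $($cert.Thumbprint)"   # compare with the thumbprint seen on the agent machine

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'auth.crt failed verification; not importing.'
}
if ($Import) {
    # Requires an elevated session; adds the certificate as a machine-wide trusted root.
    Import-Certificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    'Imported into Cert:\LocalMachine\Root'
}
```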

Category: Configure
Solution Id: 000274736