Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Creating a PKCS12 certificate with SAN information for multiple InterScan Web Security Virtual Appliance (IWSVA) servers

    • Updated:
    • 28 Jan 2021
    • Product/Version:
    • Interscan Web Security Virtual Appliance 6.5
    • Platform:
Summary

For customer deployments with multiple IWSVA servers requiring a non-self-signed certificate, SAN information can be added to the certificate to include all IWSVA servers.

By including the SAN information in the certificate, the customer’s certificate renewal process can be simplified as they only have to create and apply for a single certificate instead of one per IWSVA server.

Details
Public

Customers may experience either of the following issue:

  • Already using PKCS12 format certificate prior to IWSVA SP2 Patch 4 Critical Patch 1901 installation are suddenly unable to access the IWSVA Web Admin Console after applying CP Build 1901.
  • Customers that are currently on SP2 Patch4 CP 1901 are suddenly unable to access the IWSVA Web Admin Console after replacing the web console certificate with a PKCS12 format certificate.

This is due to the security proxy being able to support only the JKS keystore format and not PKCS12.

As a result, secproxy cannot start normally and users will not be able to access the web console.

By including the SAN information in the certificate, the customer’s certificate renewal process can be simplified as they only have to create and apply for a single certificate instead of one per IWSVA server.

To include the SAN information into a certificate, do the following:

  1. Log into the IWSVA server via SSH as root.
  2. Create the SAN directory inside /tmp and go to it:

    [root@iwsva ~]# mkdir /tmp/SAN
    [root@iwsva ~]# cd /tmp/SAN

    Create SAN directory

  3. Inside the SAN directory, create the san.cnf in /tmp/SAN directory using the touch command.

    [root@iwsva SAN]# touch san.cnf

  4. Edit the newly created san.cnf using the text editor vi.

    [root@iwsva SAN]# vi san.cnf

  5. Type the lines shown in the following sample san.cnf with the proper values for each field.

    [ req ]
    default_bits       = 2048
    distinguished_name = req_distinguished_name
    req_extensions     = req_ext
    prompt = no
    [ req_distinguished_name ]
    countryName = Country Name (2 letter code)
    stateOrProvinceName = State or Province Name (full name)
    localityName = Locality Name (eg, city)
    organizationName = Organization Name (eg, company)
    commonName = Common Name (e.g. server FQDN or YOUR name)
    [ req_ext ]
    subjectAltName = @alt_names
    [alt_names]
    DNS.1   = IWSVA1 hostname or FQDN (whichever will be used to access the URL) 
    DNS.2   = IWSVA1 hostname or FQDN (whichever will be used to access the URL)
    DNS.3   = IWSVA1 hostname or FQDN (whichever will be used to access the URL)
    

    sample san.cnf

  6. Exit “vi” using :wq!
  7. Generate the CSR together with the Private Key (privkey.pem) using the san.cnf config as a single file together:

    [root@iwsva SAN]# openssl req -new -newkey rsa:2048 -config san.cnf > san.csr

  8. Type in the appropriate PEM pass phrase:

    type PEM pass

  9. Using WinSCP, export the san.csr file and open it with Notepad.

    export san.csr file

  10. Cut the Private Key information from san.csr,

    (starting with -----BEGIN ENCRYPTED PRIVATE KEY----- and ending at
    -----END ENCRYPTED PRIVATE KEY-----) and save it in a new text file privkey.pem.

    Cut Private Key information

  11. With only the certificate request remaining from the original file san.csr, save it and have the customer submit it to their CA for digital signing in Base-64 CRT format.

    submit certificate request

  12. Once signed, create a new text file named san_certchain.crt and add the information for the following certificates:

    • SAN certificate
    • Intermediate Certificate (if applicable)
    • Root Certificate

    create a new text file

  13. Import the following files back into the IWSVA Server’s /tmp/SAN directory:

    • san_certchain.crt
    • privkey.pem

    Import files back into the IWSVA Server

  14. Create the PKCS12 format certificate with san_certchain.crt and privkey.pem by using the command below:

    [root@iwsva SAN]# openssl PKCS12 -export -in san_certchain.crt -inkey privkey.pem -name “IWSVA” -out san_cert.p12

  15. Key in the appropriate PEM pass phrase and Export Password:

    key in PEM pass phrase and Export Password

  16. Export the generated san_cert.p12 file via WinSCP.
  17. Open the web console and go to Administration>>Network>>Web Console
  18. Select SSL mode and find the san_cert.p12 certificate and click on Upload.
  19. After Upload is successful, enter the Export Password then click on Save.
  20. Wait for a few minutes then access the IWSVA via SSH.
  21. Modify the 8443 and 9091 connector information on the /var/iwss/tomcat/conf/server.xml file and add in keystoreType=”PKCS12” parameter and value respectively using vi:

    add parameter and value

  22. Restart the IWSVA application via the command below:

    [root@iwsva SAN]# /var/iwss/rcIwss restart

    Restart IWSVA application

     
    This will interrupt the network traffic for a few minutes so plan accordingly.
     
Premium
Internal
Partner
Rating:
Category:
Configure
Solution Id:
000284506
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.