
Replacing Cloud CA in Trend Micro Web Security (TMWS)

    • Updated: 7 Feb 2021
    • Product/Version: Trend Micro Web Security All
    • Platform: N/A
Summary

This article provides the steps to change the Cloud CA in order to fix the Cloud CA leak issue in Trend Micro Web Security (TMWS).

Details

Precondition

If some decryption rules use the cross-sign CA, cross-sign your own CA using the new CA CSR. Refer to the TMWS Online Help topic: Cross-signing the CA Certificate for TMWS Cloud Proxy.

Steps

To replace the old on-premises with TMWS 3.4.1 version, do the following:

  1. Log on to the management console and go to Policies > Global Settings to download the new HTTPS root CA.

    [Image: download the new HTTPS root CA]

  2. Deploy the new certificate to your clients and make sure your clients trust this new CA.

    For steps on how to deploy the certificate, refer to the TMWS Online Help topic: TMWS Certificate Deployment.

     
    Make sure you have finished Step 2 before running the following steps, or your end users may get a certificate untrusted warning message when visiting the Internet.
     
  3. Rename the certificate file from "current_cloud_ca_cert.cer" to "current_cloud_ca_cert.pem" to use it as the default CA file.
  4. Go to Policies > HTTPS INSPECTION > Decryption Rules.

     
    If Decryption Rules is disabled, enable this feature in the Global Settings page.
     
    1. Click a Rule Name to edit the Decryption Rule.
    2. Click Choose file to select the certificate file renamed in Step 2 if using the old default CA, or select the new cross-signed CA prepared in the Precondition.

      [Image: select the renamed cert file]

      The page then shows the new default CA info, as in the following image:

      [Image: new default CA info]

      Or it shows the new cross-signed CA, for example:

      [Image: new cross-signed CA]

    3. Click Save.
  5. Update all other HTTPS policies based on Step 3.
  6. Users can add new HTTPS policies, which use the new default CA by default.

Verification

Users can configure one HTTPS rule to decrypt all traffic if no such rule already exists. Then users can trigger HTTPS traffic from the client to check the HTTPS certificate chain.

  • For the default CA:

    [Image: certificate chain for the default CA]

  • For the cross-sign CA:

    [Image: certificate chain for the cross-sign CA]

 
Your browser may have cached the certificate if the certificate chain shown is still the old one. Try again after some time.
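The following sketch is an added example, not Trend Micro code. It checks the downloaded CA file before upload and compares its SHA-256 fingerprint with the one the browser shows for the issuing CA in the default-CA case. It assumes the console expects PEM content in the renamed file; the function names and the stand-in byte strings are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(data):
    """Return (encoding, DER bytes) for the contents of a certificate file."""
    m = PEM_RE.search(data)
    if m:
        return "pem", base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if data[:1] == b"\x30":  # DER certificates start with an ASN.1 SEQUENCE tag
        return "der", data
    raise ValueError("neither PEM nor DER certificate data")

def fingerprint(data):
    """SHA-256 over the DER bytes, in the colon-separated form browsers display."""
    digest = hashlib.sha256(to_der(data)[1]).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))

def _norm(fp):
    return re.sub(r"[^0-9A-F]", "", fp.upper())

def check_new_ca(new_file, old_file, observed_fp):
    """Return a list of problems; an empty list means the replacement looks right."""
    problems = []
    if to_der(new_file)[0] != "pem":
        problems.append("file is DER encoded; renaming .cer to .pem does not convert it")
    if fingerprint(new_file) == fingerprint(old_file):
        problems.append("downloaded CA is identical to the old CA")
    if _norm(observed_fp) != _norm(fingerprint(new_file)):
        problems.append("chain seen by the client is not issued by the new CA")
    return problems

def as_pem(der):
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")

# Constructed stand-in bytes, not real certificates: hashing and PEM decoding
# behave the same way on the real current_cloud_ca_cert.pem contents.
OLD_CA_DER = b"\x30\x0fconstructed-old"
NEW_CA_DER = b"\x30\x0fconstructed-new"
OLD_CA_PEM, NEW_CA_PEM = as_pem(OLD_CA_DER), as_pem(NEW_CA_DER)

if __name__ == "__main__":
    seen = fingerprint(NEW_CA_PEM).replace(":", " ").lower()  # as copied from a browser
    print(check_new_ca(NEW_CA_PEM, OLD_CA_PEM, seen) or "new CA in use")
```

For a rule that uses a cross-signed CA, compare against the fingerprint of that cross-signed certificate instead.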
 
Category: Configure; Update
Solution Id: 000285576