Generating, importing, and exporting a new self-signed OpenSSL certificate for InterScan Messaging Security Suite (IMSS)

Updated: 31 Jan 2015
Product/Version:
    • InterScan Messaging Security Suite 7.1 Windows
    • InterScan Messaging Security Suite 7.5 Windows
Platform:
    • Windows 2000 Advanced Server
    • Windows 2000 Server
    • Windows 2003 Enterprise Server
    • Windows 2003 Standard Server Edition
    • Windows 2008 Enterprise Server
    • Windows 2008 Enterprise Server Edition 64-bit
    • Windows 2008 Standard Server Edition
    • Windows 2008 Standard Server Edition 64-bit
Summary
Create a new self-signed OpenSSL certificate and upload it via the administration console.
By default, the IMSS SMTP Service already has a certificate installed and is ready for inbound Transport Layer Security (TLS) connections.
Details
The SMTP Service requires both the IMSS Server Private Key and Certificate (Public Key) to be stored in unencrypted form, in a single PEM-format file.
To generate a certificate:
  1. Run the following command:
    openssl.exe req -new -x509 -days <days> -nodes -config <openssl_config_file> -out <cert_name.pem> -keyout <cert_name.pem>
    Where:
    req - Creates and processes certificate requests in PKCS#10 format
    -new - Prompts for the user information specified in the OpenSSL configuration file, such as Country, State, Organization and Common Name
    -x509 - Creates a self-signed certificate rather than a certificate request
    -days <days> - Number of days that the certificate will be valid
    -nodes - The private key is generated in unencrypted form, which avoids prompting for a pass phrase every time the certificate is used
    -config <openssl_config_file> - Path and file name of the OpenSSL configuration file (usually openssl.cnf)
    -out <cert_name.pem> / -keyout <cert_name.pem> - Path and file name of the certificate and private key to be generated (both -out and -keyout should point to the same file)
    Below is a sample screen output of the Certificate generation process using OpenSSL:
    E:\Program Files\Trend Micro\IMSS\ui\apache\bin>openssl.exe req -new -x509 -
    days 1460 -nodes -config openssl.cnf -out tsmtpd.pem -keyout tsmtpd.pem
    Loading 'screen' into random state - done
    Generating a 1024 bit RSA private key
    .................++++++
    ...................++++++
    writing new private key to 'tsmtpd.pem'
  2. Enter the information that will be incorporated into your certificate request; together these fields form the Distinguished Name (DN).
    Some fields can be left blank, and some have a default value. If you enter '.', the field will be left blank.
    Country Name (2 letter code) [PH]:
    Locality Name (eg, city) []:Manila
    Organization Name (eg, Company) []:Trend Micro
    Organizational Unit Name (eg, Department, Division) []:Global Training
    Common Name (eg, hostname or YOUR name) []:server01.tmcourse.net
    Email Address []:jm@support.trendmicro.com
    E:\Program Files\Trend Micro\IMSS\ui\apache\bin>
  3. Run the following command to convert the certificate to PFX format, which is an acceptable format for version 7.1:
    openssl pkcs12 -export -out text.pfx -in <cert_name.pem>
    where <cert_name.pem> is the .PEM file generated above
IMSS has the following restrictions:
  • Only unencrypted OpenSSL generated certificates are supported
  • Both Private and Public keys must be stored in the same PEM-format file
The pemverify.exe tool in the \bin folder can be used to verify whether a certificate meets these requirements.
The generated certificate can then be uploaded in the SMTP Routing > Connections section of the administration console. The uploaded certificate is stored in tb_mta_config/[Common]/SSLCertData and can be exported to a file from the same section of the administration console.
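The two restrictions above (key and certificate in one PEM file, key unencrypted) can be pre-checked before uploading. The script below is an added illustration and is not Trend Micro's pemverify.exe: it only inspects the PEM block labels and the legacy `Proc-Type: 4,ENCRYPTED` header that OpenSSL writes when a key is pass-phrase protected, which is exactly what `-nodes` avoids. The sample PEM strings are constructed, with placeholder bodies rather than real key material.

```python
"""Pre-check that a PEM file meets the IMSS SMTP Service certificate rules:
a certificate and an unencrypted private key stored together in one file.

Added example; not Trend Micro's pemverify.exe. Sample PEM text is constructed
(placeholder bodies, not real keys or certificates).
"""
import re
import sys
from typing import List

# One PEM block: "-----BEGIN <label>-----", body lines, "-----END <label>-----"
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}
ENCRYPTED_KEY_LABELS = {"ENCRYPTED PRIVATE KEY"}  # PKCS#8 encrypted form


def check_imss_pem(pem_text: str) -> List[str]:
    """Return a list of problems; an empty list means the file passes the rules."""
    problems: List[str] = []
    blocks = _PEM_BLOCK.findall(pem_text)  # list of (label, body) tuples
    labels = [label for label, _ in blocks]

    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")

    keys = [(l, b) for l, b in blocks if l in KEY_LABELS | ENCRYPTED_KEY_LABELS]
    if not keys:
        problems.append(
            "no private key block found (key and certificate must be in the same file)"
        )

    for label, body in keys:
        # PKCS#8 encrypted keys carry their own label; legacy "RSA PRIVATE KEY"
        # blocks signal encryption with a "Proc-Type: 4,ENCRYPTED" header line.
        if label in ENCRYPTED_KEY_LABELS or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append(
                f"{label} block is encrypted; IMSS needs an unencrypted key "
                "(generate it with openssl req ... -nodes)"
            )
    return problems


# Constructed samples: bodies are placeholders, not real cryptographic material.
GOOD_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\nMIIC...placeholder...\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
)
ENCRYPTED_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMIIC...placeholder...\n"
    "-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
)
CERT_ONLY_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Usage: python imss_pem_check.py tsmtpd.pem   (falls back to the built-in sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="ascii", errors="replace").read() if path else GOOD_PEM
    issues = check_imss_pem(text)
    print("OK: meets IMSS requirements" if not issues else "\n".join(issues))
```

Run it against the tsmtpd.pem produced in step 1; a file produced without `-nodes`, or a certificate exported without its key, is reported before you upload it.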
Incoming TLS Settings
The default configuration of the IMSS SMTP Service does not require TLS for inbound connections to its SMTP port (default is port 25) but offers this option (STARTTLS) in response to the EHLO command from the SMTP client:
220 tmcourse.net [ESMTP Server] service ready;ESMTP Server; 04/16/07 18:22:18
ehlo tmcourse.net
250-tmcourse.net
250-SIZE 16777216
250-8BITMIME
250 STARTTLS
The configuration can be modified to either force all inbound connections to use TLS or selectively force hosts to use TLS based on the IP address or domain name of the connecting hosts (SMTP clients). When the SMTP Service is configured to force SMTP clients to use TLS and an SMTP client tries to send messages to the SMTP Service without first establishing TLS, the SMTP Service returns an error. Below is an example of such a transaction:
220 tmcourse.net [ESMTP Server] service ready;ESMTP Server; 04/16/07 18:22:18
ehlo tmcourse.net
250-tmcourse.net
250-SIZE 16777216
250-8BITMIME
250 STARTTLS
mail from: <>
530 Must issue a STARTTLS command first -
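The two dialogues above are what an administrator looks for when confirming that a gateway offers STARTTLS and, where required, enforces it. The script below is an added example and not part of the Trend Micro article: the offline functions classify transcripts like the ones shown (the two samples are the article's dialogues, embedded as constructed test data), and `probe()` performs the same check live with the standard library's smtplib against a gateway you administer, using a verifying TLS context so that a self-signed certificate or a Common Name mismatch is surfaced rather than silently accepted.

```python
"""Classify an inbound SMTP listener: does it advertise STARTTLS, and does it
reject MAIL FROM in the clear with a 530 reply when TLS is enforced?

Added example, not part of the article. OFFERED_TRANSCRIPT and
ENFORCED_TRANSCRIPT are the article's two dialogues, embedded as sample data.
"""
import smtplib
import ssl
from typing import Dict, List

OFFERED_TRANSCRIPT = """\
220 tmcourse.net [ESMTP Server] service ready;ESMTP Server; 04/16/07 18:22:18
ehlo tmcourse.net
250-tmcourse.net
250-SIZE 16777216
250-8BITMIME
250 STARTTLS
"""

ENFORCED_TRANSCRIPT = OFFERED_TRANSCRIPT + """\
mail from: <>
530 Must issue a STARTTLS command first -
"""


def parse_ehlo(lines: List[str]) -> List[str]:
    """Extract extension keywords from a multi-line 250 EHLO response."""
    keywords = []
    for line in lines:
        if line.startswith("250-") or line.startswith("250 "):
            rest = line[4:].strip()
            keywords.append(rest.split()[0].upper() if rest else "")
    return keywords[1:]  # the first 250 line is the server's own name, not an extension


def tls_enforced(reply: str) -> bool:
    """True when the server refuses MAIL FROM before STARTTLS with a 530 reply."""
    return reply.startswith("530") and "STARTTLS" in reply.upper()


def analyse_transcript(transcript: str) -> Dict[str, bool]:
    """Classify a captured SMTP dialogue (server and client lines interleaved)."""
    lines = [l.strip() for l in transcript.strip().splitlines()]
    exts = parse_ehlo([l for l in lines if l.startswith("250")])
    # The server reply that follows the client's MAIL FROM shows whether TLS is enforced
    mail_replies = [lines[i + 1] for i, l in enumerate(lines[:-1])
                    if l.lower().startswith("mail from")]
    return {
        "starttls_offered": "STARTTLS" in exts,
        "tls_enforced": any(tls_enforced(r) for r in mail_replies),
    }


def probe(host: str, port: int = 25, timeout: float = 10.0) -> Dict[str, object]:
    """Live check of a gateway you administer (not run by the offline test):
    EHLO, MAIL FROM in the clear, then STARTTLS with chain and hostname verification."""
    result: Dict[str, object] = {}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        result["starttls_offered"] = smtp.has_extn("starttls")
        code, msg = smtp.mail("")  # sends "mail FROM:<>" before any TLS
        result["tls_enforced"] = tls_enforced(f"{code} {msg.decode(errors='replace')}")
        if result["starttls_offered"]:
            smtp.rset()  # abandon any transaction the clear-text MAIL FROM may have opened
            # Unlike the IMSS outbound behaviour described below, verify the peer certificate
            ctx = ssl.create_default_context()
            try:
                smtp.starttls(context=ctx)
                result["peer_cert_verified"] = True
            except (ssl.SSLError, smtplib.SMTPException) as exc:
                result["peer_cert_verified"] = False
                result["tls_error"] = str(exc)
    return result


if __name__ == "__main__":
    print("offered only:", analyse_transcript(OFFERED_TRANSCRIPT))
    print("enforced:    ", analyse_transcript(ENFORCED_TRANSCRIPT))
```

With the default IMSS settings `probe()` reports `starttls_offered` True and `tls_enforced` False; once inbound TLS is forced for a host, the MAIL FROM sent in the clear is answered with the 530 reply shown above and `tls_enforced` becomes True. A self-signed gateway certificate shows up as `peer_cert_verified` False with the verification error in `tls_error`.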
Outgoing TLS Settings
The IMSS SMTP Service can be configured to establish TLS communication for all outgoing messages. Use the administration console to set this up. If configured and the downstream SMTP server supports TLS, the TLS communication is established. Otherwise, unencrypted SMTP communication is used.
This global outgoing TLS setting can be overwritten by the individual Domain-based Relay Host and Default Delivery Relay Host settings discussed in section 4.4.1 on p.87 and section 4.4.2 on p.88 respectively.
Note: The SMTP Service does not verify the authenticity of the Certificate it receives from the downstream MTA, nor does it check if the Common Name in the Certificate matches the FQDN of the downstream MTA.
Windows 2008 is only supported in IMSS 7.1 for Windows. You can refer to the IMSS 7.1 for Windows Readme for more information.
Category: Configure
Solution Id: 1035429