Setting up TLS on multiple InterScan Messaging Security Virtual Appliance (IMSVA) 8.0 servers

    • Updated: 13 Oct 2015
    • Product/Version: InterScan Messaging Security Virtual Appliance 8.5
    • Platform: Linux - Red Hat RHEL 5 64-bit
Summary

Enable TLS across your IMSVA servers, and generate a certificate with multiple Subject Alternative Names (SANs).

Details

To enable TLS and generate a certificate:

  1. Create a backup of the /etc/pki/tls/openssl.cnf file.
  2. Edit /etc/pki/tls/openssl.cnf with the following:
    1. Under [CA_default]:

      dir = /etc/pki/CA # Where everything is kept
      # Extension copying option: use with caution.
      copy_extensions = copy

    2. Under [req]:

      req_extensions = v3_req

    3. Under [v3_req]:

      subjectAltName = @alt_names

      [alt_names]
      DNS.1 = servermx1.domain.com
      DNS.2 = servermx2.domain.com

  3. Create an empty index.txt file in the /etc/pki/CA directory using the following command:

    [root@imsva80b ~]# touch /etc/pki/CA/index.txt

  4. Create the serial file with initial content in the /etc/pki/CA directory using the following command:

    [root@imsva80b ~]# echo "01" > /etc/pki/CA/serial

  5. Generate the TLS certificate. Run the following commands:

    openssl req -x509 -newkey rsa:1024 -keyout /tmp/root_key.pem -out /tmp/root_req.pem
    openssl genrsa -out /tmp/imsva_key.pem 1024
    openssl req -new -key /tmp/imsva_key.pem -out /tmp/imsva_req.pem

    Note: imsva_req.pem is the certificate request that carries the multiple Subject Alternative Names.

  6. Run the following command to check the certificate:

    openssl req -text -noout -in /tmp/imsva_req.pem

  7. Sign the certificate:

    openssl ca -days 365 -cert /tmp/root_req.pem -keyfile /tmp/root_key.pem -in /tmp/imsva_req.pem -out /tmp/imsva_cert.pem -outdir /tmp

    The command uses the configuration from /etc/pki/tls/openssl.cnf. When prompted, enter the password for /tmp/root_key.pem: trend.

    Check that the request matches the signature
    Signature ok
    Certificate Details:
    Serial Number: 2 (0x2)
    Validity
    Not Before: Oct 22 09:36:59 2010 GMT
    Not After : Oct 22 09:36:59 2011 GMT
    Subject:
    countryName = US
    stateOrProvinceName = MY State
    organizationName = My Company
    organizationalUnitName = Global Training
    commonName = mailmx.mydomain.com
    X509v3 extensions:
    X509v3 Basic Constraints:
    CA:FALSE
    Netscape Comment
    OpenSSL Generated Certificate
    X509v3 Subject Key Identifier:
    11:E5:CE:C6:57:08:CA:45:E4:F2:16:6D:CE:18:AE:22:32:13:A3:45
    X509v3 Authority Key Identifier:
    keyid:5B:B4:06:4D:8D:12:D0:B3:36:A7:6B:3A:FD:F2:C8:83:4A:DD:AA:BD
    Certificate is to be certified until Oct 22 09:36:59 2011 GMT (365 days)
    Sign the certificate? [y/n]:y
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

    Note: The X509v3 Subject Alternative Name section of the output displays the alternative server names for the certificate.

  8. Deploy the keys in the IMSVA console.
    1. Import the root_req.pem file. Go to IMSVA Configuration > SMTP Routing > Connections > TLS Setting > CA Certificate.
    2. Import the imsva_key.pem file. Go to IMSVA Configuration > SMTP Routing > Connections > TLS Setting > Private Key.
    3. Import the imsva_cert.pem file. Go to IMSVA Configuration > SMTP Routing > Connections > TLS Setting > SMTP server certification.
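
The effect of copy_extensions = copy in steps 2 through 7, as an added example that is not part of the original article: the script signs the same request in a throwaway CA with copy_extensions set to copy and to none, then prints the SAN list of each issued certificate. The CA subject name, the temporary directory layout and the function name issue_with_sans are assumptions, and the keys are 2048-bit where the article's commands use 1024.

```shell
# Added example: throwaway CA in a temp dir; subject names are constructed.
# Keys are 2048-bit here; the article's commands use 1024.
# usage: issue_with_sans <copy|none>  -> prints the SAN list of the issued cert
issue_with_sans() {
  d=$(mktemp -d) || return 1
  : > "$d/index.txt"        # plays the role of /etc/pki/CA/index.txt
  echo 01 > "$d/serial"     # plays the role of /etc/pki/CA/serial
  cat > "$d/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $d/index.txt
serial = $d/serial
new_certs_dir = $d
default_md = sha256
policy = policy_any
copy_extensions = $1
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
req_extensions = v3_req
[ dn ]
commonName = Common Name
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = servermx1.domain.com
DNS.2 = servermx2.domain.com
EOF
  {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root" \
      -config "$d/openssl.cnf" -keyout "$d/root_key.pem" -out "$d/root_req.pem" &&
    openssl genrsa -out "$d/imsva_key.pem" 2048 &&
    openssl req -new -key "$d/imsva_key.pem" -subj "/CN=mailmx.mydomain.com" \
      -config "$d/openssl.cnf" -out "$d/imsva_req.pem" &&
    openssl ca -batch -config "$d/openssl.cnf" -days 365 -cert "$d/root_req.pem" \
      -keyfile "$d/root_key.pem" -in "$d/imsva_req.pem" \
      -out "$d/imsva_cert.pem" -outdir "$d"
  } >/dev/null 2>&1 || { rm -rf "$d"; return 1; }
  # The line after the "Subject Alternative Name" header holds the names.
  san=$(openssl x509 -in "$d/imsva_cert.pem" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//')
  rm -rf "$d"
  printf '%s\n' "$san"
}
echo "copy: $(issue_with_sans copy)"
echo "none: $(issue_with_sans none)"
```

With copy, the issued certificate carries both DNS names; with none, the request's subjectAltName is dropped at signing. Because copy carries over whatever extensions the request contains, inspect the request (step 6) before signing it.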
Solution Id: 1057294