Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Generating and configuring SSL Certificates for Mobile Security (TMMS)

    • Updated:
    • 17 Feb 2015
    • Product/Version:
    • Mobile Security for Enterprise 7.1 Advanced
    • Mobile Security for Enterprise 7.1 Standard
    • Mobile Security for Enterprise 8.0
    • OfficeScan 10.6
    • Platform:
    • iOS 4.0+
    • iOS 5.0+
Summary

Learn how to generate and configure Secure Sockets Layer (SSL) Certificate for TMMS.

 
TMMS requires a private SSL server certificate or an SSL server certificate issued from a recognized Public Certificate Authority to ensure the secure communication between mobile devices and the Policy Server using Hypertext Transfer Protocol Secure (HTTPS).
Details
Public

You have two (2) options on how you can generate and configure the SSL Certificate. You can either create a self-signed certificate or buy a public issued Certificate Authority (CA) to be used in TMMS. 

Using a Private SSL requires companies to push the HTTPS certificate manually to the iOS device via iPhone Configuration Utility. This is because the company root CeA is unknown to the iOS device. If you have several iOS devices, you have to physically connect the devices to deploy the SSL certificate.

  1. Install a standalone CA on the Policy Server. Refer to the following links:
  2. Generate a CSR for the SSL certificate.
  3. Sign and export the SSL certificate.
    1. Go to Start > Administrative Tools > Certification Authority.
    2. Right-click the server name, and then click All TasksSubmit New Request.

      certification authority

    3. Select the CSR you created.

      saving the CSR

    4. Go to Pending Requests and right-click the request, and then select Issue.

      issue pending requests

      The request will immediately disappear and will reappear under Issued Certificates.

      request will show in issued certificates

    5. Export the root and child CA.

      To export the child CA:

      1. Double-click the newly issued CA.

        export root and child CA

      2. Go to the Details tab and click Copy to File. The Certificate Export Wizard appears.

        certificate export wizard

      3. Click Next.
      4. Select the DER encoded binary X.509 (.CER) option, then click Next.

        DER encoded binary

      5. Name the file as "Child-CA.cer" and save it in a target directory.

        child CA

      6. Check and verify the information provided and click Finish. A window will appear saying the export was successful. 
      To export the root CA:
      1. On the same certificate, go to the Certification tab.
      2. Select the top certificate and click View Certificate.

        view certificate

      3. Go to the Details tab, select Copy to File and then click Next.

        copy to file root CA

      4. Select DER encoded binary X.509 (.CER) then click Next.

        certificate export wizard

      5. Name the file as “Root-CA.cer” and save it in a target directory.
      6. Verify the information provided and click Finish. A window should appear saying that the export was successful.
      7. Click OK to close all windows.
  4. Apply the Private SSL certificate on the Policy server.
    1. Open the IIS Manager, right-click the OfficeScan virtual website and select Properties.
    2. Go to the Director Security tab, click Server Certificate, and then click Next.

      officescan directory security

    3. Select Process pending request and install the certificate, and then click Next.

      process pending request

    4. Select the child certificate Child-CA.cer when the wizard prompts for what certificate to install. Then click Open and select the default settings.

      child CA certificate

    5. Click OK to close the OfficeScan virtual website properties.
    6. Start the OfficeScan virtual website to make sure that the changes take effect.
      The Private SSL certificate is now binded to the OfficeScan virtual website. When you access the OfficeScan management console, you should NOT receive a certificate error. This means the certificate has been verified.
      The lock icon should appear on the upper right corner of the browser.

      officescan virtual website

  5. Export the Private SSL certificate to be uploaded in TMMS as the Client Profile Signing Credential in the iOS settings tab.
    1. Open the IIS Manager and right-click the OfficeScan virtual website and then select Properties.
    2. Go to the Directory Security tab > Server Certificate.
    3. Select Export the current certificate to a .pfx file then click Next.

      IIS certificate wizard

    4. Enter the desired location and filename.

      export certificate path and filename

    5. Provide the password and click Next until you finish the wizard.

      certificate password

  6. Apply the Private SSL to an iOS device via iPhone Configuration Utility.
    1. Install the root certificate on your computer by performing the following steps:
      1. Double-click the root certificate and on the Certificate window click Install Certificate.
      2. On the welcome screen, click Next.
      3. Keep the default setting, and click Next.
      4. Click Finish to start the installation. A pop up message displays notifying that the certificate import was successful.
    2. Download and install the iPhone Configuration Utility.
    3. Create a profile for iOS mobile devices.
      1. Start the iPhone Configuration Utility and click Configuration Profiles from the Library list on the left pane. 
      2. Click New to add a new profile in the profiles list.
      3. Select the new profile that you have created, then select Credentials from the center pane.
      4. Click Configure on the Configure Credentials on the right pane. The Personal Certificate Store window appears. 

        iPhone configuration utility

      1. Select the root certificate from the list and then click OK.
      2. Click General on the center pane and then on the Identity area, type the relevant information in all the text fields provided.
    4. Install the profile on the iOS mobile device.
      1. Connect the iOS mobile device to the computer where you have installed the root certificate.
      2. On the Devices list, select the iOS mobile device.
      3. On the Configuration Profiles tab, select the profile you created, and then click Install. The iPhone Configuration Utility will push the profile to the mobile device.
      4. On the mobile device, tap Install on the Install Profile screen.
      5. Tap Install Now when the Root Certificates pop message appears. The profile installation will start.
      6. After the profile is installed, tap Done on the Profile Installed screen.
  7. Apply the Private SSL certificate PFX file and Apple Push Notification PFX file to the TMMS management console.
    1. Log in to the TMMS management console.
    2. Go to iOS Settings and configure the APNS field with the exported Apple Push Notification PFX File.

      iOS settings

      If you are using the SCEP add-on, enter the SCEP server details.
      If not, leave the SCEP fields blank.
    3. Configure the client profile signing credential with the exported HTTPS/SSL certificate PFX file.
    4. Click Save.

Using a Public Issued CA is automatically deployed to iOS devices being enrolled. Unlike a Private SSL, the root CA is already pre-installed on iOS devices (i.e. GoDaddy, PublicSSL, Verisign, etc.).

To get and install a public SSL Certificate, do the following:

  1. Generate a Certificate Signing Request (CSR).
  2. Purchase a public SSL certificate from an SSL certificate provider using the CSR file you created in Step 1, and save it as a .cer file. Refer to the certificate provider's website on how to submit the CSR. The certificate provider should provide instructions on how to apply the signed certificate on a specific operating system.
  3. Export the HTTPS/SSL cerficate to a PFX file.
    1. Open the IIS Manager.
    2. Right-click the Officescan virtual website and select Properties.
    3. Go to the Directory Security tab and click Security Certificate.
    4. Select Export the current certificate to a .pfx file then click Next.

      export IIS certificate

    5. Enter the desired location and filename.

      location and filename for exported certificate

    6. Provide the password and click Next until you finish the wizard.
  4. Apply the SSL certificate PFX file and Apple Push Notification PFX file to the TMMS management console.
    1. Log in to the TMMS management console.
    2. Go to iOS Settingsand configure the APNS field with the exported Apple Push Notification PFX File.

      iOS settings

      If you are using the SCEP add-on, enter the SCEP server details.

      If not, leave the SCEP fields blank.

    3. Configure the client profile signing credential with the exported HTTPS/SSL certificate PFX file.
    4. Click Save.
Premium
Internal
Rating:
Category:
Configure; Deploy; Install
Solution Id:
1060437
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.


Need More Help?

Create a technical support case if you need further support.