Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Generating and configuring the SSL Certificate in Windows 2003 Server using IIS 6.0

    • Updated:
    • 16 Oct 2015
    • Product/Version:
    • Mobile Security for Enterprise 8.0
    • Mobile Security for Enterprise 9.0
    • Mobile Security for Enterprise 9.1
    • OfficeScan 10.6
    • OfficeScan 11.0
    • Platform:
    • Windows 2003 Server R2
    • Windows 2003 Small Business Server
Summary

Generate and configure the SSL (Secure Sockets Layer) certificate in Windows 2003 Server using Internet Information Services (IIS) 6.0.

Details
Public

An SSL certificate is a bit of code on your web server that provides security for online communications. When a web browser contacts your secured web site, the SSL certificate enables an encrypted connection.

The Public SSL is installed on the server and all clients can use it. Its certificate is self-signed and configured to work only with the server’s name. That’s why it will always show a pop-up warning when used.

On the other hand, the Private SSL is issued especially for your domain by a trusted authority. Browsers can validate the private SSL and will show a secure icon.

iOS4 can use both HTTP and HTTPS but in iOS5 it requires all communications in HTTPS so it is needed that your Policy (Communication) server uses an SSL certificate.

To generate and configure the SSL certificate in Windows 2003 Server using Internet Information Services (IIS) 6.0:

The following procedure is for Private SSL Certificate.

  1. Install the Certification Authority Server.
     
    When a Policy and the Master server is/are installed on the same system, the OfficeScan virtual website is shared meaning both Policy and Master server is using the same folder. Follow the procedure below when you have both Policy and Master server installed on the same machine.
  2. Create a Certificate Signing Request (CSR).
    This procedure will make your OfficeScan web console inaccessible since there is no SSL certificate being used.
    1. Open the IIS Manager. From the Start button select Programs > Administrative Tools > Internet Information Services Manager.
    2. In IIS Manager, double-click the local computer.
    3. Select OfficeScan, then right-click Properties. Select the Directory Security tab, and then click the Server Certificates button in the Security section of the menu. This starts the Web Server Certificate Wizard.

      Click Server Certificates

    4. Click Next to continue.

      Click Next

    5. Select Remove the current certificate, then click Next to continue.
      OfficeScan has a default SSL certificate which is a 1024 bit length for the encryption level. Use the 2048 bit length encryption level. Since OfficeScan has a default SSL certificate, there will be no option in creating a new certificate. You need to remove the current certificate and replace it with a new one with 2048 bit length encryption level.

      Remove the current certificate

      Click Next.

    6. Removing the certificate does not totally delete the certificate from its list. Click Finish to confirm certificate removal.

      Click Finish.

    7. Again, click the Server Certificates button then click Next. Select Create a new certificate, then click Next to continue.

      Select Create a new certificate.

    8. Select Prepare the request now, but send it later. Click Next to continue.

      Select Prepare the request now, but send it later.

    9. In the Bit Length field, select 2048 for the encryption level, then tick Select cryptographic service provide CSP for this certificate. Click Next.

      Select 2048 for the encryption level.

    10. From the Available Providers window, select Microsoft RSA SChannel Cryptographic Provider, and then click Next.

      Select Microsoft RSA SChannel Cryptographic Provider

    11. Enter the legal name of your Organization and Organization Unit, which is the department within your organization. Click Next.

      Enter the legal name of your Organization and Organization Unit.

    12. In the Common name field, enter the NetBIOS, FQDN or the IP address of the server. Click Next.
      This should be used in TMMS’ communication settings between your Master and Policy Server.

      Enter the NetBIOS, FQDN or the IP address of the server.

    13. Enter the Country/Region, State/Province, and City/locality of your organization. Click Next to continue. In the Certificate Request File Name window, save the CSR to your computer. Take note of the location and filename.

      Enter the Country/Region, State/Province, and City/locality of your organization.

      Save the CSR to your computer.

    14. Review the information for the certificate request in the Request File Summary window. To make revisions, click Back or click Next, then click Finish.

      Request File Summary

  1. Go to Administrative > Certification Authority.
  2. Right-click the server name, and then select All Tasks > Submit new request. Locate and select the CSR created.

    Click All Tasks > Submit new request

    Locate and select the CSR created.

  3. Go to Pending Requests. Right-click the request and then select Issue. The request will immediately disappear and will and will reappear under Issued Certificates.

    Right-click the request and then select Issue.

    Issued Certificates

  4. Export the child certificate. Double-click on the newly signed and issued certificate then the Certificate Wizard opens. Click the Details tab then click the Copy to file button. The Certificate Export Wizard appears.

    Certificate Information

  5. Click Next.

    Click Next.

  6. Select DER encoded binary X.509 (.CER), and then click Next. Save the file to a target directory and name it as “Child-CA.cer”, so that it can be distinguished as the child certificate.

    Select DER encoded binary X.509 (.CER).

  7. Click Next.

    Click Next.

  8. Verify the information then click Finish. A window appears saying the export was successful. Click OK to close the window.

    Verify the information.

  9. Export the root certificate. On the same Certificate window click Certification Path then select the root certificate. Click View Certificate.

    Certification Path

  10. Click the Details tab and click Copy to File button. The Certificate Export Wizard appears then click Next to continue. Select the DER encoded binary X.509 (.CER) option, and then click Next.

    Select the DER encoded binary X.509 (.CER) option.

  11. Save the file to a target directory and name it as “Root-CA.cer” so that it can be distinguished as the root certificate. Verify the information and click Finish.

    Save the file to a target directory and name it as “Root-CA.cer” .

    A window should appear saying that the export was successful. Click Finish to close the windows.

    Certificate Export has been completed.

  1. Open IIS Manager and then right-click OfficeScan, and then select Properties.
  2. Go to Directory Security tab and then click Server Certificate. At this point since there is no certificate used by OfficeScan virtual website, the View Certificate button will be greyed-out.

    OfficeScan Properties

  3. Click Server Certificate > Next. Click Process pending request and install the certificate > Next.

    Select Process pending request and install the certificate.

  4. Locate and select the child certificate and then when prompted for the SSL port, set it to 4343.

    Locate and select the child certificate.

  5. Click Next.

    Set the port to 4343.

  6. Review and verify information. Click Finish to complete the request.

    Certificate Summary

    Click Finish to close all windows.

    Click Finish.

  7. Restart the OfficeScan virtual website to make sure that the changes take effect.

    You should be able to access the OfficeScan management console.Tthis means that the self-signed certificate has been binded to the OfficeScan virtual website

    The example below will show you the difference between when accessing the web console through IP address and FQDN.

    OfficeScan web console

    When using the IP address it will no longer prompt a certificate error and will show you a lock icon right after the address bar. This is due to the site’s common name is the IP address. As for the FQDN, when accessing the web console it will still prompt a certificate error and no lock icon.

    Please be sure of what to use on your site’s common name. In any case that you wish to revert to FQDN or NetBIOS name, you need to redo all the steps above.

    Certificate Error

For Public SSL certificate:

  1. Follow the instructions the public issuer’s web site on how to submit a certificate signing request. This has the same steps on how to create a CSR.
  2. After submitting and receiving the signed CSR, follow the steps provided by the issuer on how to apply the signed certificate on a specific operation system.
  1. Open IIS Manager then right-click OfficeScan.
  2. Go to Directory Security tab. Click the Server Certificate button.
  3. Click Export the current certificate to a .pfx file > Next. Select a target directory and filename.

    Click Export the current certificate to a .pfx file.

  4. Select a target directory and filename.

    Select a target directory and filename.

  5. Enter the password and click Next. Review and verify the information.

    Enter the password.

  6. Click Next > Finish to complete the export.

    Export Certificate Summary

  7. Upload the certificate. For more information, refer to the following topic from the Installation and Deployment Guide:Trend Micro Mobile Security – Client Profile Signing Credentials.
 
The reason behind of manually deploying the root certificate is because the self-signed certificate was only designed to your organization and just like any PC you need to manually install the certificate so that it can be recognized not unlike using certificate issued by a public issuers such as (just to name a few) Thawte, Verisign and GoDaddy.com their root certificate are pre-installed in a PC same with an iOS device.
  1. Install the root certificate on your computer:
    1. Double-click the root certificate.
    2. On the Certificate window, click Install Certificate.
    3. On the welcome screen, click Next.
    4. Keep the default settings, and then click Next.
    5. Click Finish to start the installation. A pop up message displays notifying that the certificate import was successful.
  2. Download and install the iPhone Configuration Utility.
  3. Create a Profile for iOS mobile devices:
    1. Start the iPhone Configuration Utility.
    2. Click Configuration Profiles from the Library list on the left pane.
    3. Click New to add a new profile in the profiles list.
    4. Select the new profile that you have created, and then select Credentials on the center pane.
    5. Click Configure on the Configure Credentials found on the right pane. The Personal Certificate Store displays.
    6. Select the root certificate from the list, and then click OK.
    7. Click General on the center pane, and then type the necessary information in the fields provided on the Identity area.
  4. Install the profile on the iOS mobile device by:
    1. Connect the iOS mobile device to the computer where you have installed the root certificate.
    2. Select the iOS mobile device from the
    3. Devices
    4. list on the left pane.
    5. On the Configuration Profiles tab, select the profile you just created, and then click Install. The iPhone Configuration Utility pushes the profile to the mobile device.
    6. On the mobile device, tap Install on the Install Profile screen.
    7. Tap Install Now on the Root Certificates pop message. The profile installation starts.
    8. After the profile is installed, tap Done on the Profile Installed screen.
Premium
Internal
Rating:
Category:
Configure; Deploy; Install
Solution Id:
1060664
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.


Need More Help?

Create a technical support case if you need further support.