
Frequently asked questions about Trend Micro SSL

    • Updated: 18 Feb 2015
    • Product/Version: Deep Security for Web Apps 2.0; Trend Micro SSL 2.0
    • Platform: N/A
Summary

This article lists the most frequently asked questions about Trend Micro SSL.

Details

Which browsers support Deep Security for Web Apps certificates?

For more information, refer to the following KB article: Browsers and devices supported by Deep Security for Web Apps certificate.

What is the difference between DV, OV, and EV certificates?

For more information, refer to the following KB article: Difference between Domain Validated (DV), Organization Validated (OV) and Extended Validation (EV) certificates.

Do I need to install the Deep Security for Web Apps root certificate?

Once you properly install the certificate chain on your web server, Deep Security for Web Apps will be trusted across 99% of browsers being used today.

Most users will have the Deep Security for Web Apps root certificate installed. However, if you do not have it installed and you visit a site secured with a Deep Security for Web Apps certificate, the browser will ask you whether you want to trust certificates issued by Trend Micro. If you answer yes, the Deep Security for Web Apps root certificates will be installed automatically. If you answer no, you can still opt to work within the secure session, but you will be prompted again the next time you visit the site.

How do you know that you are accessing a trusted server?

When you access a server secured with a Deep Security for Web Apps certificate, you will see a padlock at the bottom, top, or in the address bar of your browser. If you click the padlock, you will see the details of the server’s SSL certificate.

If the server is secured with a Deep Security for Web Apps EV certificate, the browser address bar turns green in all browsers that support the EV standard, including Internet Explorer 7 or higher, Firefox 3 or higher, Opera 8 or higher, Chrome, and Safari.

How do I get 128-bit or 256-bit secure web sessions?

The strength of the Secure Sockets Layer (SSL) session created using Deep Security for Web Apps certificates is related to the strength of the user’s browser and your web server policy. If the browser supports 128-bit encryption, then a 128-bit session will be established with the web server. The same is true for 256-bit encryption.

If the browser only supports 40-bit encryption, then only a 40-bit session will be established – even if your web server supports 128 or 256-bit sessions.

If the browser only supports 40-bit encryption, Deep Security for Web Apps recommends upgrading to the latest supported version of the browser.

Should I use SHA-1 or SHA-2 for my certificates?

When you use Deep Security for Web Apps to request a certificate, you can specify whether to use a SHA-2 hash for the certificate signature. If you don’t select the SHA-2 option, the certificate will use SHA-1.

SHA-2 is a newer and stronger cryptographic algorithm than SHA-1, but SHA-1 certificates are still generally considered secure. SHA-2 certificates are supported on most modern browsers, operating systems, mail clients, and mobile devices. SHA-1 certificates are supported more widely because they are supported on older systems such as Windows XP SP2 or earlier. SHA-2 may also be required by certain regulations, for example, PCI compliance and certain federal regulations.

What is a wildcard certificate?

For more information, refer to the following article: Information about wildcard certificate.

How long are Deep Security for Web Apps certificates valid?

With your Deep Security for Web Apps account, you can issue 2-year OV and EV SSL certificates. As a part of the unlimited service, you can get as many certificates as you need, whenever needed. If you need an SSL certificate with a shorter validity period, you can simply revoke the certificate at any time.

How do I create a Certificate Signing Request (CSR)?

For the procedure, refer to the following KB article: Creating a Certificate Signing Request (CSR).

Can I use a CSR with a 1024-bit key length?

No. Recommendations from the National Institute of Standards and Technology (NIST) and mandatory requirements of the Microsoft Root Certificate Program state that certificates issued after January 1, 2011 should have a minimum key length of 2048 bits. To fully comply with these recommendations, all Trend Micro SSL certificates will have a minimum length of 2048 bits.
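A CSR can be checked locally for the two properties discussed above, RSA key length and signature hash, before it is pasted into a console. The following is an added example, not Trend Micro's code: `inspect_csr` and `sample_csr` are hypothetical names, the parser uses only the Python standard library, and the sample requests are constructed, unsigned, CSR-shaped inputs with a fake modulus.

```python
import base64

PKCS1 = bytes.fromhex("2a864886f70d0101")   # DER content of OID prefix 1.2.840.113549.1.1
RSA_ENCRYPTION = PKCS1 + b"\x01"
SIG_HASH = {PKCS1 + b"\x05": "SHA-1", PKCS1 + b"\x0b": "SHA-256",
            PKCS1 + b"\x0c": "SHA-384", PKCS1 + b"\x0d": "SHA-512"}

def read_tlv(buf, pos=0):
    """Decode one DER element at pos; return (value bytes, offset past it)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def children(value):
    """Split the body of a constructed element into its child values."""
    out, pos = [], 0
    while pos < len(value):
        child, pos = read_tlv(value, pos)
        out.append(child)
    return out

def inspect_csr(pem):
    """Report RSA modulus size and signature hash of a PKCS#10 request."""
    b64 = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    info, sig_alg = children(read_tlv(base64.b64decode(b64))[0])[:2]
    spki = children(info)[2]                 # version, subject, subjectPKInfo
    key_alg, key_bits = children(spki)
    if children(key_alg)[0] != RSA_ENCRYPTION:
        raise ValueError("not an RSA key")
    modulus = children(read_tlv(key_bits, 1)[0])[0]   # skip BIT STRING pad byte
    bits = int.from_bytes(modulus, "big").bit_length()
    return {"rsa_bits": bits, "key_ok": bits >= 2048,  # 2048-bit minimum from the FAQ
            "hash": SIG_HASH.get(children(sig_alg)[0], "unknown")}

def tlv(tag, val):
    """Encode one DER element (only used to build the constructed samples)."""
    n = len(val); k = (n.bit_length() + 7) // 8
    size = bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + size + val

def sample_csr(bits, sig_last):
    """Constructed sample: fake modulus of the given size, zeroed signature."""
    mod = b"\x00" + (1 << bits - 1 | 1).to_bytes(bits // 8, "big")
    rsa = tlv(0x30, tlv(2, mod) + tlv(2, b"\x01\x00\x01"))
    alg = lambda o: tlv(0x30, tlv(6, o) + tlv(5, b""))
    spki = tlv(0x30, alg(RSA_ENCRYPTION) + tlv(3, b"\x00" + rsa))
    info = tlv(0x30, tlv(2, b"\x00") + tlv(0x30, b"") + spki + tlv(0xA0, b""))
    der = tlv(0x30, info + alg(PKCS1 + sig_last) + tlv(3, bytes(1 + bits // 8)))
    return ("-----BEGIN CERTIFICATE REQUEST-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    print(inspect_csr(sample_csr(1024, b"\x05")), inspect_csr(sample_csr(2048, b"\x0b")))
```

This check reads only the key size and the signature algorithm; it does not verify the request's signature and cannot detect a Debian weak key, which requires comparison against a list of known weak keys.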

What should I do if I get a “CSR cannot be decoded or is invalid” message?

To resolve the issue, refer to the following KB article: Getting an error message “CSR cannot be decoded or is invalid” when ordering a certificate.

What is a weak RSA key?

Between 2006 and 2008, the Debian OpenSSL library contained a bug that resulted in the generation of weak, predictable keys for SSL certificates and other uses. The bug also compromises other keys and passwords that are transmitted over an encrypted link that uses weak keys.

When you request an SSL certificate by pasting a CSR into the Deep Security for Web Apps console, the console checks whether the CSR contains a Debian weak key. If the CSR contains a weak key, you will need to upgrade to the new version of the OpenSSL package and create a new CSR.

Which certificates do I have to install on my servers and does the order matter?

For more information, refer to the KB article: Installing SSL Certificates.

Where can I find and download the intermediate certificates I need?

For more information, refer to the KB article: Downloading intermediate certificates in Deep Security for Web Apps.

Which web servers are compatible with Deep Security for Web Apps certificates?

Deep Security for Web Apps certificates can be issued for any server that is compatible with the x.509 v3 standard and is able to make a certificate request in PKCS#10 format. This includes most recent servers, including:

  • Microsoft Internet Information Server (IIS) v3 or higher
  • Microsoft Communications Server
  • Apache
  • Nginx
  • Netscape Enterprise Server v3 or higher
  • Netscape Commerce Server v1 or higher
  • Netscape FastTrack Server
  • Stronghold Server
  • Internet Application Server 1.0
  • Netscape iPlanet Web Server 4.1
 
For Apache and Nginx servers, OpenSSL is needed.

How do I import and export SSL certificates in Windows?

For the procedure, refer to the following KB article: Importing and exporting SSL certificates in Windows.

How do I export or back up a certificate?

For the procedure, refer to the KB article: Exporting an SSL certificate for Deep Security for Web Apps 2.0.

Do I need to install the Trend Micro root certificate?

Normally, when you install an SSL certificate, you also need to install the intermediate CA certificates but not the root certificate. Unless your server vendor specifically requires you to install the root certificate, you should not install it on your web server.

You can download all of the required certificates from the Deep Security for Web Apps console. In the console, click Protection > Certificates. Click the Common Name of the certificate. On the Details page, click Download.

Do I require the Trend Micro chain certificate?

Yes. All certificates with a validity date later than 31 December 2010 require a chain certificate.

How many Deep Security for Web Apps SSL certificates are required in a load-balancing environment?

You need one Deep Security for Web Apps SSL certificate for each of your secure web servers (including any virtual web servers). With a Deep Security for Web Apps unlimited certificate account, there are no additional costs to support this.

How many servers can I secure with one SSL certificate?

As a part of the ground-breaking Deep Security for Web Apps unlimited certificate account, Deep Security for Web Apps SSL certificates are provided with licensing for an unlimited number of servers included in the standard price. This allows you to easily secure your primary server, a secondary or backup server, and a load balancer.

To move your certificate between servers, you need to install the certificate on the web server where you generated the CSR and then export the SSL certificate and its private key to a PFX or PKCS12 file. You can then import that file on another web server.

Can I secure my top-level domain with and without the “www.” sub-domain?

Yes. With Deep Security for Web Apps certificates, if you purchase an SSL certificate to secure www.yourcompany.com, it will also secure yourcompany.com.

How can I have 128-bit encryption key length for SSL when using Windows 2000 with IIS 5.0?

Upgrade to the Strong Encryption Pack for Windows 2000. See the Microsoft website to install the Strong Encryption Pack.

How do I renew or reissue an SSL certificate?

For the procedure, refer to the following KB article: Re-issuing a Trend Micro SSL certificate if the private key is missing.

How do I renew a Deep Security for Web Apps certificate with IIS?

For the procedure, refer to the KB article: Renewing a Trend Micro SSL certificate with Internet Information Services (IIS).

What is Subject Alternative Name (SAN)?

For more information, refer to the KB article: Scenarios when adding Subject Alternative Names (SANs) to certificates.

I have moved servers. Can I use the same Deep Security for Web Apps SSL certificate?

Provided that the domain name does not change, you can use the same certificate. Export the SSL certificate from the old web server and import it into the new one. Both the certificate and its associated private key must be exported and then imported, and the method for completing the export/import will depend on the type of web server software you are using.

You encounter any of the following scenarios:

  • You cannot export your certificate and the private key is missing.
  • You lost the private key for SSL.
  • You want to change the Common Name after the certificate has been issued.
  • You want to test if the SSL is installed correctly.
  • The page loads over https without error, however, the padlock does not appear.
  • You receive a warning stating that the page contains both secure and non-secure items.
  • You receive the error message “The name of the security certificate is invalid or does not match the name of the site”.

For the troubleshooting guide, refer to the KB article: Troubleshooting SSL issues in Deep Security for Web Apps 2.0.

What is an EV SSL certificate?

For more information, refer to the following KB article: Difference between Domain Validated (DV), Organization Validated (OV) and Extended Validation (EV) certificates.

Are non-EV SSL certificates still sufficient for securing online transactions?

From a cryptographic security perspective, yes, non-EV SSL certificates still result in encrypted SSL sessions.

However, the greatest threat to online transactions is not cryptographic in nature – it is fraudulent web sites luring users with phishing attacks. Phishing uses social engineering and counts on a consumer’s inability to discern between trustworthy sites and imposter sites.

The EV initiative is the result of the industry realizing that there needs to be a more readily identifiable way for users to know they are on a valid site. From a usability perspective, non-EV certificates have decreasing effectiveness, as consumers adopt new browsers and come to expect the strong trust indicators provided by EV SSL certificates while conducting transactions.

How do Deep Security for Web Apps EV certificates increase consumer confidence?

With online fraud on the rise and phishing becoming a common occurrence, consumers are concerned with identity theft and would like increased confidence in the sites they use to perform transactions online. If consumers feel the site is not trusted and their personal information is unprotected, they may leave the site and take their business to another vendor.

Deep Security for Web Apps EV certificates help to increase consumer confidence by displaying prominent and consistent trust indicators while consumers are conducting online transactions. When a website has a Deep Security for Web Apps EV certificate installed:

  • A lock appears in the address bar of the browser
  • The address bar turns green and displays the identity of the site.
  • You can click the lock to view information about the server’s SSL certificate.

Should I switch to Deep Security for Web Apps EV certificates?

If you are operating a website that conducts e-commerce transactions or if you collect sensitive or private information, you should consider switching to Deep Security for Web Apps EV certificates. There is no additional cost to your organization thanks to the unlimited certificate service that Trend Micro provides.

What is the CA/Browser Forum?

The CA/Browser Forum is a group of Certification Authority service providers, web browser manufacturers, and other industry participants that work together to look at ways to reduce the threat of phishing and other internet attacks.

Trend Micro actively works in this group and strongly supports its work.

What is the EV certificate vetting process?

As defined by the CA Browser (CAB) Forum guidelines, the Extended Validation vetting process establishes the legitimacy of an organization within a specific jurisdiction of incorporation. It also clearly identifies the organization’s principal place of business through a rigorous and stringent set of well-defined validation processes. The process encompasses authentication of the organization’s domain ownership rights as well as contractually binding the organization to a subscriber agreement, which benefits relying parties and strengthens the security of the Internet as a whole.

Does the Deep Security for Web Apps EV certificate show the green address bar?

The use of a Deep Security for Web Apps EV certificate will turn the browser address bar green in all browsers that support the EV standard, including Internet Explorer 7 or higher, Firefox 3 or higher, Opera 8 or higher, Chrome, and Safari.

 
Internet Explorer 7 requires that the phishing filter be turned on in order for the address bar to turn green.

How do browsers respond when they visit a website with an invalid certificate?

In most browsers, a very apparent red address bar will appear, indicating that you may have accessed a known phishing site or that the certificate is not valid in some way.

A red alert blocks immediate access to reported phishing sites, although users can proceed to the site if they wish.

Internet Explorer includes prominent warnings to users and will recommend users not visit the page.

If the user ignores the warnings and continues, the address bar turns red and red warning ‘security badges’ appear.

Can I get free reissues of my EV certificates?

Absolutely. As a part of the unlimited service you enjoy from Deep Security for Web Apps, you can reissue an SSL certificate any time during its lifetime, without any additional charge. This can all be done easily through the Deep Security for Web Apps console.

Who can purchase a Deep Security for Web Apps EV certificate?

A broad range of business entities, as per rigid guidelines, are able to purchase an EV certificate:

Private Organization: A non-governmental legal entity (whether ownership interests are privately held or publicly traded) whose existence was created by a filing with (or an act of) the Incorporating Agency in its Jurisdiction of Incorporation.

Government Entity: A government-operated legal entity, agency, department, ministry, or similar element of the government of a country, or political subdivision within such country (such as a state, province, city, county, etc.).

Business Entity: Any entity that is neither a Private Organization nor a government entity. Examples include general partnerships, unincorporated associations, and sole proprietorships.

Can I upgrade my existing SSL certificates to Deep Security for Web Apps EV certificates?

Yes. With some additional effort (as mandated under the EV guidelines), your organization can deploy an unlimited number of EV certificates to your online businesses and enjoy the increased confidence they bring to end users.

What are the validation requirements for Extended Validation (EV) SSL certificates?

For more information on validation requirements, refer to the following KB article: Validation requirements for Extended Validation (EV) SSL certificates.

Category: Configure; Troubleshoot; Install; Register
Solution Id: 1097549