Replacing the DSM Admin Console certificate with the DigiCert SAN certificate in Deep Security 9.5

    • Updated: 12 Jan 2016
    • Product/Version: Deep Security 9.5
    • Platform: Windows 2008 Enterprise 64-bit
Summary

For Deep Security implementations wherein multiple DSM servers require a third-party signed certificate to be used for the admin console, the SAN certificate is a good option for minimizing the number of certificates to be requested from the customer's CA.

The SAN certificate contains the information of all DSM servers that will use this certificate for their admin consoles.

 
The steps below are specific to DigiCert as the Certificate Authority. The SAN attribute can only be entered while submitting the certificate signing request to DigiCert, so access to the DigiCert submission portal is required.
Details

To replace the DSM Admin Console certificate with the DigiCert SAN certificate:

  1. Back up the files below to the newly created folder Backupkeystore:
    • C:\Program Files\Trend Micro\Deep Security Manager\.keystore
    • C:\Program Files\Trend Micro\Deep Security Manager\jre\lib\security\cacerts
    • C:\Program Files\Trend Micro\Deep Security Manager\configuration.properties
  2. Generate the new .keystore file under C:\Program Files\Trend Micro\Deep Security Manager\jre\bin directory using this command:

    C:\Program Files\Trend Micro\Deep Security Manager\jre\bin>keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -keystore .keystore

     
    2048-bit keysize and SHA256 with RSA algorithm are used for the .keystore file for compliance with Singapore financial and government institution requirements.
  3. Fill in the required information for the .keystore file, making sure to declare only the common name that will be used in the SAN certificate. Take note of the .keystore password as this will be used further in the procedure.
  4. Generate the certificate signing request based on this new .keystore file under C:\Program Files\Trend Micro\Deep Security Manager\jre\bin directory using this command:

    C:\Program Files\Trend Micro\Deep Security Manager\jre\bin>keytool -certreq -alias tomcat -keystore .keystore -file certreq.csr

  5. Submit the certreq.csr file to the DigiCert CA. In the certificate request to DigiCert, make sure to specify the SAN attributes that should be included in the certificate.
  6. Once you have the certificate from DigiCert in .p7b format, extract the following from it:
    • Server certificate – alias tomcat
    • Intermediate certificate – alias intermediate
  7. Obtain the root certificate from DigiCert as well for importing to the .keystore file.
    • Root certificate – alias root
  8. Once all three files are obtained, move them to a central location on the DSM server. Create a new folder named “cert files” and place them all there: C:\Program Files\Trend Micro\Deep Security Manager\jre\bin\cert files.
  9. Stop the Deep Security Manager service.
  10. Replace the original .keystore file in the \Deep Security Manager\ directory with the new one generated under \jre\bin.
  11. Once you have the new .keystore file in the proper location, let’s import the root certificate first using this command:

    C:\Program Files\Trend Micro\Deep Security Manager\jre\bin>keytool -import -trustcacerts -alias root -file "C:\Program Files\Trend Micro\Deep Security Manager\jre\bin\cert files\root_cert.cer" -keystore "C:\Program Files\Trend Micro\Deep Security Manager\.keystore"

     
    Make sure you indicate in the command the correct root certificate file name.
  12. Import the intermediate certificate chain next into the same .keystore file:

    C:\Program Files\Trend Micro\Deep Security Manager\jre\bin>keytool -import -trustcacerts -alias intermediate -file "C:\Program Files\Trend Micro\Deep Security Manager\jre\bin\cert files\intermediate_cert.cer" -keystore "C:\Program Files\Trend Micro\Deep Security Manager\.keystore"

     
    Make sure you indicate in the command the correct intermediate certificate file name.
  13. Import the server certificate last in the same .keystore file:

    C:\Program Files\Trend Micro\Deep Security Manager\jre\bin>keytool -import -trustcacerts -alias tomcat -file "C:\Program Files\Trend Micro\Deep Security Manager\jre\bin\cert files\server_cert.cer" -keystore "C:\Program Files\Trend Micro\Deep Security Manager\.keystore"

     
    Make sure you indicate in the command the correct server certificate file name.
  14. Since you already have a backup from Step 1, delete the original cacerts file in \Deep Security Manager\jre\lib\security\ directory.
  15. Once deleted, import the root certificate first into the new cacerts file:

    C:\Program Files\Trend Micro\Deep Security Manager\jre\bin>keytool -import -trustcacerts -alias root -file "C:\Program Files\Trend Micro\Deep Security Manager\jre\bin\cert files\root_cert.cer" -keystore "C:\Program Files\Trend Micro\Deep Security Manager\jre\lib\security\cacerts"

     
    • Make sure you indicate in the command the correct root certificate file name.
    • You will be asked to provide a password for the new cacerts file. Use the same password as for the .keystore file.
  16. Import the intermediate certificate chain next into the same cacerts file:

    keytool -import -trustcacerts -alias intermediate -file "C:\Program Files\Trend Micro\Deep Security Manager\jre\bin\cert files\intermediate_cert.cer" -keystore "C:\Program Files\Trend Micro\Deep Security Manager\jre\lib\security\cacerts"

     
    Make sure you indicate in the command the correct intermediate certificate file name.
  17. Import the server certificate last into the same cacerts file:

    C:\Program Files\Trend Micro\Deep Security Manager\jre\bin>keytool -import -trustcacerts -alias tomcat -file "C:\Program Files\Trend Micro\Deep Security Manager\jre\bin\cert files\server_cert.cer" -keystore "C:\Program Files\Trend Micro\Deep Security Manager\jre\lib\security\cacerts"

     
    Make sure you indicate in the command the correct server certificate file name.
  18. Modify the configuration.properties file inside C:\Program Files\Trend Micro\Deep Security Manager\ directory.
    1. Locate the string keystorePass= and replace its value with the password you previously supplied.
    2. Save the changes made.
  19. Start the Deep Security Manager service.
  20. Access the Deep Security Manager console and verify the certificate used and its attributes.
    • Verify also the certificate chain.
    • Check for warnings or errors with the certificate.
     
    Once the certificate replacement has been verified to be successful on the first server, you can proceed to replace the certificate used on the console of the other DSM servers the SAN certificate is meant for.
  21. For the new servers, follow step 1 in this document. Back up the files below to the newly created folder Backupkeystore.
    • C:\Program Files\Trend Micro\Deep Security Manager\.keystore
    • C:\Program Files\Trend Micro\Deep Security Manager\jre\lib\security\cacerts
    • C:\Program Files\Trend Micro\Deep Security Manager\configuration.properties
  22. Stop the Deep Security Manager service on the new server.
  23. Replace the .keystore file in the new servers with the completed new .keystore file from the first server.
    • Source: First server - C:\Program Files\Trend Micro\Deep Security Manager\.keystore
    • Destination: New server - C:\Program Files\Trend Micro\Deep Security Manager\.keystore
  24. Replace the cacerts file in the new servers with the completed new cacerts file from the first server.
    • Source: First server - C:\Program Files\Trend Micro\Deep Security Manager\jre\lib\security\cacerts
    • Destination: New server - C:\Program Files\Trend Micro\Deep Security Manager\jre\lib\security\cacerts
  25. On the new server, modify the configuration.properties file inside C:\Program Files\Trend Micro\Deep Security Manager\ directory.
    1. Locate the string keystorePass= and replace its value with the password you previously supplied.
    2. Save the changes made.
  26. Start the Deep Security Manager service on the new server.
  27. Access the Deep Security Manager console of the new server and verify the certificate used and its attributes.
    • Verify also the certificate chain.
    • Check for warnings or errors with the certificate.
  28. Repeat steps 21 – 27 for all the other servers that will make use of the same SAN cert.
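
The verification in steps 20 and 27 can also be done against the keystore itself before the service is started. The following is an added example, not part of the original article or of Trend Micro's tooling: it audits the text printed by `keytool -list -v -alias tomcat -keystore .keystore`, and the function name, host names and sample listing are constructed for illustration.

```python
import re

# Constructed sample of `keytool -list -v -alias tomcat` output, trimmed to
# the fields checked below. Host and CA names are placeholders.
SAMPLE = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=dsm1.example.com, O=Example Pte Ltd, C=SG
Issuer: CN=Example Intermediate CA, O=Example CA, C=US
Signature algorithm name: SHA256withRSA
#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: dsm1.example.com
  DNSName: dsm2.example.com
]
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
"""

def audit_tomcat_entry(listing, dsm_hosts):
    """Return a list of problems found in the keytool listing (empty = OK)."""
    problems = []
    # The CA reply must attach to the private key generated in step 2;
    # a trustedCertEntry means the key pair is not in this keystore.
    m = re.search(r"^Entry type:\s*(\S+)", listing, re.M)
    if not m or m.group(1) != "PrivateKeyEntry":
        problems.append("alias is not a PrivateKeyEntry")
    # Server + intermediate + root, as imported in steps 11-13.
    m = re.search(r"^Certificate chain length:\s*(\d+)", listing, re.M)
    if not m or int(m.group(1)) < 3:
        problems.append("chain shorter than server/intermediate/root")
    # Only the leaf certificate (Certificate[1]) carries the SAN list.
    leaf = re.split(r"^Certificate\[2\]:", listing, maxsplit=1, flags=re.M)[0]
    if "Signature algorithm name: SHA256withRSA" not in leaf:
        problems.append("leaf is not signed with SHA256withRSA")
    sans = {s.lower() for s in re.findall(r"^\s*DNSName:\s*(\S+)", leaf, re.M)}
    for host in dsm_hosts:
        if host.lower() not in sans:
            problems.append("SAN missing " + host)
    return problems

if __name__ == "__main__":
    print(audit_tomcat_entry(SAMPLE, ["dsm1.example.com", "dsm2.example.com"]))
```

Run it with the full list of DSM host names the SAN certificate is meant for; any host reported as missing will produce a name-mismatch warning in the browser once the keystore is copied to that server.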
 
Category: Configure
Solution Id: 1113271