As part of compliance requirements, most companies and organizations replace the certificates on their applications, including security software such as Trend Micro's InterScan Web Security Virtual Appliance (IWSVA).
The certificates need to be replaced with ones signed by a recognized and well-known certificate authority. A popular choice for signing the certificates is DigiCert.
To obtain and install a DigiCert-signed certificate:
- Log in to the IWSVA server via SSH using a root account.
- Navigate to the /tmp directory using the command below:
# cd /tmp
- Run the following command to generate a Private Key and Certificate Signing Request (CSR):
# openssl req -new -newkey rsa:2048 > new.cert.csr
- Collect the following files from the /tmp directory:
  - Private Key: privkey.pem
  - Certificate Signing Request: new.cert.csr
- Provide the new.cert.csr file to DigiCert to have it signed in Base-64 CRT format. DigiCert will then return the following files:
  - Intermediate Certificate: DigiCertCA.crt
  - Server Certificate: star_nus_edu_sg.crt
- Download the appropriate DigiCert Root Certificate, such as the DER Encoded Root Certificate: DigiCertGlobalRootCA.crt, from their website.
- Convert the downloaded root certificate from DER format to a Base-64 encoded X.509 certificate (.CER) so that it is consistent with the server and intermediate certificates:
  - Open the root certificate.
  - On the Details tab, click Copy to File to open the Certificate Export Wizard, then click Next.
  - Select Base-64 encoded X.509 (.CER) as the format and click Next.
  - Save the file as Base-64_DigiCertGlobalRootCA.crt in the same location as the other certificates, then click Next.
  - Click Finish to complete the conversion. The resulting root certificate file should be Base-64_DigiCertGlobalRootCA.crt.cer.
- Copy the server, intermediate, and new root certificates into the /tmp directory of the IWSVA server.
- Concatenate the three (3) certificates into a single certificate named certchain.crt by using the following commands:
# cat star_nus_edu_sg.crt > certchain.crt
# cat DigiCertCA.crt >> certchain.crt
# cat Base-64_DigiCertGlobalRootCA.crt.cer >> certchain.crt
- Convert the certificate chain into .p12 format:
  - Execute the command below to start the conversion:
# openssl pkcs12 -export -in certchain.crt -inkey privkey.pem -CAfile DigiCertCA.crt -name "IWSVA" -out NUS_IWSVA_CERT.p12
  - When prompted for the private key pass phrase, enter the password used when generating the .csr file in Step 4.
  - Use the same password for the .p12 certificate export.
  - Confirm the password for the .p12 certificate export.
- Copy the resulting NUS_IWSVA_CERT.p12 file off the server so that it can be uploaded through the web console.
- Access the IWSVA web console using plain HTTP.
- Navigate to Administration > Network Configuration > Web Console.
- Select SSL mode and upload the NUS_IWSVA_CERT.p12 certificate.
- Enter the appropriate SSL password and retain the port number if preferred.
- Wait for the message "Redirecting to port 1812 ..." to appear. The connection will be lost after a few minutes, since HTTP access to port 1812 is no longer available once HTTPS is enabled.
- Log in again to the IWSVA server via SSH using a root account.
- Navigate to the Tomcat configuration directory using the command below:
# cd /var/iwss/tomcat/conf
- Back up the server.xml file using the following command:
# cp server.xml server.xml.orig
- Modify the server.xml using vi:
# vi server.xml
- Modify the Connector port line as follows so that it reflects the certificate you uploaded (replace <your_keystore_password> with the password chosen for the .p12 export):
<Connector port="1812" maxHttpHeaderSize="8192" maxThreads="15" minSpareThreads="3" maxSpareThreads="8" enableLookups="true" disableUploadTimeout="true" connectionTimeout="900000" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="keystore" keystoreType="PKCS12" keystorePass="<your_keystore_password>" SSLEnabled="true"/>
- Save the changes and exit the server.xml file using the ":wq!" command.
- Restart the IWSVA application using the command below:
# /var/iwss/rcIwss restart
- Access the IWSVA console using HTTPS on port 1812 to verify that it works properly.
If the console still does not work, revert the changes using the command below:
# /usr/iwss/AdminUI/configtomcat restore
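The concatenation and .p12 export steps above are where a private key that does not match the server certificate, or a chain that is missing its intermediate, usually goes unnoticed until the web console fails after the restart and has to be reverted. The following POSIX shell script is an added example, not part of the original article or of Trend Micro's tooling: build_p12_chain checks the key/certificate match and the chain validity with openssl before concatenating the files in the article's order (server, intermediate, root) and exporting the bundle. So that it runs offline, make_demo_chain constructs a throw-away root, intermediate and server certificate with a hypothetical host name (iwsva.example.test); in real use, replace those with privkey.pem and the files returned by DigiCert.

```shell
#!/bin/sh
# Added example, not part of the original KB article: check a DigiCert-style
# certificate set before packaging it as PKCS#12 for IWSVA. File names follow
# the article's conventions; the chain made by make_demo_chain is constructed
# locally (hypothetical CA and host names) so the script runs offline.
set -e

# build_p12_chain SERVER_CRT INTERMEDIATE_CRT ROOT_CRT PRIVATE_KEY OUT_P12 PASSWORD
# 1. confirms the private key belongs to the server certificate,
# 2. confirms the chain verifies up to the root,
# 3. concatenates server -> intermediate -> root (the article's cat order),
# 4. exports the bundle as a password-protected .p12 and re-opens it.
build_p12_chain() {
    server=$1; inter=$2; root=$3; key=$4; out=$5; pass=$6
    cert_pub=$(openssl x509 -in "$server" -pubkey -noout)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match $server" >&2; return 1; }
    openssl verify -CAfile "$root" -untrusted "$inter" "$server" >/dev/null \
        || { echo "chain $server -> $inter -> $root does not verify" >&2; return 1; }
    cat "$server" "$inter" "$root" > certchain.crt
    openssl pkcs12 -export -in certchain.crt -inkey "$key" -CAfile "$inter" \
        -name "IWSVA" -out "$out" -passout "pass:$pass" \
        || { echo "PKCS#12 export failed" >&2; return 1; }
    # Round trip: Tomcat opens the keystore with keystorePass, so do the same here.
    openssl pkcs12 -in "$out" -passin "pass:$pass" -noout
}

# make_demo_chain: creates a throw-away root -> intermediate -> server chain in
# the current directory. Sample data for this example only; a real deployment
# gets these files from DigiCert as described in the article.
make_demo_chain() {
    cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign,cRLSign
EOF
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:iwsva.example.test\n' > srv.ext
    # Self-signed root (stands in for DigiCertGlobalRootCA.crt).
    openssl req -x509 -config demo.cnf -subj "/CN=Demo Root CA" -newkey rsa:2048 \
        -nodes -days 1 -keyout root.key -out root.crt 2>/dev/null
    # Intermediate signed by the root (stands in for DigiCertCA.crt).
    openssl req -new -config demo.cnf -subj "/CN=Demo Intermediate CA" -newkey rsa:2048 \
        -nodes -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1 -extfile ca.ext -out inter.crt 2>/dev/null
    # Server key and CSR as in the article's CSR step, then signed by the intermediate.
    openssl req -new -config demo.cnf -subj "/CN=iwsva.example.test" -newkey rsa:2048 \
        -nodes -keyout privkey.pem -out new.cert.csr 2>/dev/null
    openssl x509 -req -in new.cert.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -days 1 -extfile srv.ext -out server.crt 2>/dev/null
}

# Stand-alone run: build the demo chain in a scratch directory and package it.
work=$(mktemp -d)
cd "$work"
make_demo_chain
build_p12_chain server.crt inter.crt root.crt privkey.pem NUS_IWSVA_CERT.p12 'demo-password'
echo "chain verified; bundle written to $work/NUS_IWSVA_CERT.p12"
```

Two practical points. The script passes the password with -passout for the sake of an unattended run; on a shared host that exposes it in the process list, so when packaging the real key follow the article and let openssl prompt instead. Also, OpenSSL 3 exports .p12 files with PBKDF2/AES by default, which some older Java keystore readers cannot open; if the appliance rejects the upload, re-export with the OpenSSL 3 `-legacy` option.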