Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Replacing the IWSVA 6.5 admin console certificate with a DigiCert-signed certificate

    • Updated:
    • 24 Nov 2016
    • Product/Version:
    • InterScan Web Security Virtual Appliance 6.5
    • Platform:
    • Linux すべて

As part of compliance for most companies and organizations, there is a certificate replacement on applications including security software like Trend Micro's InterScan Web Security Virtual Appliance (IWSVA).

The certificates need to be replaced with a recognized and well-known signed certificates. A popular choice for signing the certificates is the DigiCert.


To get a DigiCert-signed certificate:

It is required to have IWSVA 6.5 Service Pack 1 Build Linux 1321 before performing the procedure.
  1. Log in to the IWSVA server via SSH using a root account.
  2. Navigate to the /tmp directory using the command below:

    # cd /tmp

  3. Run the following command to generate a Private Key and Certificate Signing Request (CSR):

    # openssl req -new -newkey rsa:2048 > new.cert.csr

  4. Collect the following files from the /tmp directory:
    • Private Key: privkey.pem
    • Certificate Signing Request: new.cert.csr
  5. Provide the new.cert.csr file to DigiCert to have it signed in Base-64 CRT format. DigiCert will then return the following files:
    • Intermediate Certificate: DigiCertCA.crt
    • Server Certificate: star_nus_edu_sg.crt
  6. Download the appropriate DigiCert Root Certificate, such as the DER Encoded Root Certificate: DigiCertGlobalRootCA.crt, from their website.
  7. Convert the downloaded root certificate from DER format to Base-64 encoded X.509 certificate (.CER). This is for consistency with the server and intermediate certificates.
    1. Open the root certificate.
    2. On the Details tab, click Copy to file to open the Certificate Export Wizard and click Next.
    3. Select Base-64 encoded X.509 (.CER) as the format and click Next.
    4. Save the file as Base-64_DigiCertGlobalRootCA.crt and make sure to save it in the proper location together with the other certificates, then click Next.
    5. Click Finish to complete the conversion. The root certificate should be Base-64_DigiCertGlobalRootCA.crt.cer.
  8. Copy the server, intermediate, and new root certificates into the /tmp directory of the IWSVA server.
  9. Concatenate the three (3) certificates into a single certificate named certchain.crt by using the following commands:

    # cat star_nus_edu_sg.crt > certchain.crt
    # cat DigiCertCA.crt >> certchain.crt
    # cat Base-64_DigiCertGlobalRootCA.crt.cer >> certchain.crt

  10. Convert the cert chain into a .p12 format:
    1. Execute the command below to start the conversion:

      # openssl pkcs12 -export -in certchain.crt -inkey privkey.pem -CAfile DigiCertCA.crt -name "IWSVA" -out NUS_IWSVA_CERT.p12

    2. Specify the password used in generating the .csr file in Step 4.
    3. Use the same password for the .p12 certificate export.
    4. Confirm the password for the .p12 certificate export.
  11. Export the NUS_IWSVA_CERT.p12 file.
  12. Access the IWSVA web console using plain HTTP.
  13. Navigate to Administration > Network Configuration > Web Console.
  14. Select SSL mode and upload the NUS_IWSVA_CERT.p12 certificate.
  15. Enter the appropriate SSL password and retain the port number if preferred.
  16. Wait for the message "Redirecting to port 1812 ..." to appear. We should lose connection after a few minutes since HTTP access to port 1812 is no longer available after opting to use HTTPS.
  17. Log in again to the IWSVA server via SSH using root account.
  18. Navigate to the Tomcat configuration directory using the command below:

    # cd /var/iwss/tomcat/conf

  19. Back up the server.xml file using the following command:

    # cp server.xml server.xml.orig

  20. Modify the server.xml using vi:

    # vi server.xml

  21. Modify the line for Connector port as follows to reflect the information in the certificate you uploaded:

    <Connector port="1812" maxHttpHeaderSize="8192" maxThreads="15" minSpareThreads="3" maxSpareThreads="8" enableLookups="true" disableUploadTimeout="true" connectionTimeout="900000" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="keystore" keystoreType="PKCS12" keystorePass="<your_keystore_password>" SSLEnabled="true"/>

  22. Save the changes and exit the server.xml file using the ":wq!" command.
  23. Restart the IWSVA application using the command below:

    # /var/iwss/rcIwss restart

  24. Access the IMSVA console using HTTPS on port 1812 to verify that it works properly.

If it still fails to work, revert the changes using the command below:

# /usr/iwss/AdminUI/configtomcat restore

Configure; Troubleshoot; Deploy; Install; Upgrade
Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.