Preparing a valid-signed certificate on the OfficeScan (OSCE) Edge Relay Server

    • Updated: 6 Oct 2017
    • Product/Version: OfficeScan XG.All
    • Platform: Windows 2012 Server R2
Summary

The OSCE Edge Relay Server generates self-signed certificates by default when installation finishes. In some cases, certificates signed by a valid Certificate Authority (CA) are required.

This article illustrates how to prepare a valid-signed certificate on the OSCE Edge Relay Server.

Details

Edge Relay Server uses makecert.exe, a Microsoft tool, to generate, import, and sign certificates. A copy of it is kept in the Edge Relay Server folder (<Installation Folder>\OfcEdgeSvc\web\service\) so that the administrator can update the certificate manually. The procedure for signing the certificate with a third-party trusted CA depends on how the administrator stores the CA's key material (a single .pfx file, or a separate .cer public key and .pvk private key).

To sign the certificate, first apply Hot Fix Build 1736 or later and upgrade the Edge Relay Server to at least Build 1736.

Situation 1

If the administrator stores the public key and the private key in one file, the trust CA file will be in PFX format (xxx.pfx). In this situation, the administrator has to import the trust CA into the server:

  1. Locate the trust CA file (e.g. testCA.pfx).
  2. Import testCA.pfx into the Trusted Root Certification Authorities store of LocalMachine. In the certificate manager, the key icon on the upper-left corner of the certificate indicates that it contains the private key.

  3. Navigate to <Installation folder>\OfcEdgeSvc\web\service\.
  4. To generate a third-party CA signed OsceEdgeRoot, launch makecert.exe with the following command (the -is/-ir options tell makecert to look up the issuer "testCA" in the LocalMachine Root store, where it was imported in step 2):

    makecert.exe -n "CN=OsceEdgeRoot" -pe -a sha256 -len 2048 -is root -ss root -sr localmachine -ir localmachine -cy authority -in "testCA"

  5. To generate all other necessary certificates for the Edge Relay Server (keeping the newly signed root CA), run the following command:

    OfcEdgeCfg.exe --renewcert --keeprootca --certpwd "YourPassword"

Situation 2

If the administrator stores the public key and the private key in different files, the public key will be stored in xxx.cer and the private key in xxx.pvk. Follow the procedure below:

  1. Locate the trust CA files (e.g. testCA.cer and testCA.pvk).
  2. Import testCA.cer into the Trusted Root Certification Authorities store of LocalMachine. Note that this file should only contain the public key; the private key stays in testCA.pvk and is passed to makecert.exe directly in the next step.

  3. To generate a third-party CA signed OsceEdgeRoot, launch makecert.exe with the following command (the -iv/-ic options point at the issuer's private key and certificate files, so no issuer lookup in the store is needed):

    makecert.exe -n "CN=OsceEdgeRoot" -pe -a sha256 -len 2048 -iv path\to\testCA.pvk -ic path\to\testCA.cer -ss root -sr localMachine -cy authority

  4. When prompted, key in the password of the CA private key and click OK.
  5. To generate all other necessary certificates for the Edge Relay Server (keeping the newly signed root CA), run the following command:

    OfcEdgeCfg.exe --renewcert --keeprootca --certpwd "YourPassword"

After the above procedure, all certificates of the Edge Relay Server should be signed by the third-party trusted CA.
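The import in step 2 of either situation can be scripted, and the result of the makecert.exe step is easy to verify from the same console. The following PowerShell script is an added example, not Trend Micro's own code; it assumes the CA file path and the CA subject "CN=testCA" used in this article's examples, and it only reads the certificate store apart from the initial import. It imports the trust CA (PFX with private key for Situation 1, CER with public key only for Situation 2), then, after you have run makecert.exe, it lists every OsceEdgeRoot in the LocalMachine Root store and reports whether each one is actually issued by the trust CA. A leftover self-signed OsceEdgeRoot shows up with Issuer equal to its own Subject and IssuedByCA = False, which is the most common reason the relay still presents an untrusted certificate.

```powershell
# Added example (not part of the original article or of Trend Micro's tooling).
# Assumptions: $CaFile path and $CaName subject are taken from the article's
# "testCA" example; adjust both to your own CA.
param(
    [string]$CaFile   = 'C:\certs\testCA.pfx',   # assumed path; .pfx (Situation 1) or .cer (Situation 2)
    [string]$CaName   = 'CN=testCA',              # assumed subject of the trust CA
    [string]$RootName = 'CN=OsceEdgeRoot'         # subject makecert.exe is told to create
)

$store = 'Cert:\LocalMachine\Root'   # Trusted Root Certification Authorities, LocalMachine

# Step 2 of either situation: import the trust CA into Trusted Root CAs.
if ([IO.Path]::GetExtension($CaFile) -ieq '.pfx') {
    # Situation 1: the PFX carries the private key, so its password is required.
    $pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
    $ca = Import-PfxCertificate -FilePath $CaFile -CertStoreLocation $store -Password $pfxPassword
} else {
    # Situation 2: the CER carries only the public key; the .pvk is given to makecert.exe later.
    $ca = Import-Certificate -FilePath $CaFile -CertStoreLocation $store
}
"Imported CA: $($ca.Subject)  HasPrivateKey=$($ca.HasPrivateKey)  Thumbprint=$($ca.Thumbprint)"

# Run makecert.exe as shown in the article here, then verify what it produced.
$roots = Get-ChildItem $store | Where-Object { $_.Subject -eq $RootName }
if (-not $roots) {
    throw "$RootName not found in $store; the makecert.exe step has not run or failed"
}

foreach ($r in $roots) {
    # Build the chain offline (no CRL/OCSP lookups) to confirm it terminates at the imported CA.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainBuilds = $chain.Build($r)

    [pscustomobject]@{
        Subject      = $r.Subject
        Issuer       = $r.Issuer
        IssuedByCA   = ($r.Issuer -eq $CaName)          # False for a leftover self-signed root
        SelfSigned   = ($r.Issuer -eq $r.Subject)
        ChainBuilds  = $chainBuilds
        SignatureAlg = $r.SignatureAlgorithm.FriendlyName # expect sha256RSA from "-a sha256"
        KeySize      = $r.PublicKey.Key.KeySize           # expect 2048 from "-len 2048"
        NotAfter     = $r.NotAfter
        Thumbprint   = $r.Thumbprint
    }
}
```

Run it in an elevated PowerShell session on the Edge Relay Server (writing to Cert:\LocalMachine\Root requires administrator rights). If two OsceEdgeRoot entries are listed, one self-signed and one issued by the CA, remove the self-signed one before running OfcEdgeCfg.exe --renewcert --keeprootca so that the renewed certificates chain to the CA-issued root.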


Reference

The issuer-related options of makecert.exe used above are listed below (Option: Description):

  -ic file: Specifies the issuer's certificate file.
  -ik keyName: Specifies the issuer's key container name.
  -iky keytype: Specifies the issuer's key type, which must be one of the following: signature (the key is used for a digital signature), exchange (the key is used for key encryption and key exchange), or an integer that represents a provider type. By default, you can pass 1 for an exchange key or 2 for a signature key.
  -in name: Specifies the issuer's certificate common name.
  -ip provider: Specifies the issuer's CryptoAPI provider name. For information about the CryptoAPI provider name, see the -sp option.
  -ir location: Specifies the location of the issuer's certificate store. The location can be either currentuser (the default) or localmachine.
  -is store: Specifies the issuer's certificate store name.
  -iv pvkFile: Specifies the issuer's .pvk private key file.
  -iy type: Specifies the issuer's CryptoAPI provider type. For information about the CryptoAPI provider type, see the -sy option.
  -ip IssuerProviderName: CryptoAPI provider for the issuer. The default is the user's provider. For information about CryptoAPI providers, see the CryptoAPI 2.0 documentation.
  -ir IssuerCertStoreLocation: Registry location of the issuer's certificate store. IssuerCertStoreLocation must be either LocalMachine (registry key HKEY_LOCAL_MACHINE) or CurrentUser (registry key HKEY_CURRENT_USER). CurrentUser is the default.
  -is IssuerCertStoreName: Issuer's certificate store that includes the issuer's certificate and its associated private key information. If there is more than one certificate in the store, the user must uniquely identify it by using the -ic or -in option. If the certificate in the certificate store is not uniquely identified, MakeCert will fail.
  -iv IssuerKeyFile: Issuer's private key file. The default is the test root.

See the Microsoft documentation for makecert.exe for the full list of options.
