"Invalid CA certificates detected" appears on InterScan Messaging Security Virtual Appliance (IMSVA) web console

    • Updated: 3 Jul 2019
    • Product/Version: InterScan Messaging Security Virtual Appliance 9.0, InterScan Messaging Security Virtual Appliance 9.1
    • Platform: N/A
Summary

When you log on to the IMSVA web console, the following warning message appears:

"Invalid CA certificates detected."

Root cause:

The alert indicates that certain imported or pre-imported CA certificates are expired. The related CA certificates are listed under Administration > IMSVA Configuration > Transport Layer Security > Trusted CA Certificates. Refer to the following screenshot. Note that the certificates with “No” in the Valid column are the ones that triggered the alert.

The IMSVA installation package comes with many pre-imported CA certificates, and many of them are now expired.

Impact:

These CA certificates are used to authenticate the identity of sending MTAs (for Messages Entering IMSVA) and of receiving MTAs (for Messages Exiting IMSVA). Because many MTAs on the Internet are not configured with certificates signed by a valid CA, authenticating MTAs by verifying their certificates results in many false alarms. Therefore, by default, IMSVA does NOT authenticate sending or receiving MTAs by verifying their certificates. This means that, by default, these CA certificates are not used at all.

To verify whether your IMSVA is impacted by the invalid CA certificates, check whether any of your TLS settings have Security Level set to “Verify” (the default is Opportunistic). Refer to the following screenshot:

Entering IMSVA

Exiting IMSVA

If you have enabled or will need to enable “Verify” for specific domains, you can ask the domain owners to provide their CA certificates, or download them if those CA certificates are publicly available, and then import them via the IMSVA console. Refer to the next section for details.

Details

If none of your TLS settings use “Verify”, the issue doesn’t impact your IMSVA. You can safely delete all pre-imported certificates to avoid the alert message.

Deleting the expired certificates

  1. Open the IMSVA web console and navigate to Administration > IMSVA Configuration > Transport Layer Security > Trusted CA Certificates.
  2. Select the invalid certificates, whose Valid column is shown in red, and click Delete. Alternatively, delete all the pre-imported CA certificates in the list and keep the ones you imported.
    Refer to the following screenshot:

    Deleting the expired certificate

Importing a new certificate

  1. Convert the CA certificate file to PEM format. You may refer to this article: DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them
  2. Open the IMSVA web console and navigate to Administration > IMSVA Configuration > Transport Layer Security > Trusted CA Certificates.
  3. Click Import, select the CA certificate file and then import it.

    Importing a new certificate
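
A pre-import check for the steps above, as an added example that is not part of the original article or of Trend Micro's tooling: it converts a DER or PEM CA certificate file to PEM with Python's standard `ssl` module and reports whether each certificate is currently inside its validity period, so an expired CA is caught before it is imported and raises the same alert. The function names and the command-line usage are assumptions of this example.

```python
import ssl
import sys
import time

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

def to_pem(raw: bytes) -> str:
    """Return PEM text for a certificate file that is either PEM or binary DER."""
    if PEM_HEADER in raw:
        return raw.decode("ascii")          # already PEM, pass through unchanged
    return ssl.DER_cert_to_PEM_cert(raw)    # base64-wrap the DER bytes

def load_ca_info(pem_text: str) -> list:
    """Parse PEM certificates; malformed input raises ssl.SSLError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=pem_text)
    # Only certificates usable as a CA are returned, each as a dict that
    # includes 'subject', 'notBefore' and 'notAfter'.
    return ctx.get_ca_certs()

def split_by_validity(certs, now=None):
    """Split certificate dicts into (valid, invalid) by their validity period."""
    now = time.time() if now is None else now
    valid, invalid = [], []
    for cert in certs:
        start = ssl.cert_time_to_seconds(cert["notBefore"])
        end = ssl.cert_time_to_seconds(cert["notAfter"])
        (valid if start <= now <= end else invalid).append(cert)
    return valid, invalid

if __name__ == "__main__":
    # Hypothetical usage: python check_ca.py ca-cert.der > ca-cert.pem
    with open(sys.argv[1], "rb") as handle:
        pem = to_pem(handle.read())
    valid, invalid = split_by_validity(load_ca_info(pem))
    for cert in invalid:
        print("NOT VALID NOW:", cert["subject"], cert["notAfter"], file=sys.stderr)
    if invalid or not valid:
        sys.exit("No usable CA certificate found; do not import this file.")
    print(pem, end="")                      # PEM text ready for the Import dialog
```

A file that contains no CA certificate at all also fails the check, because `get_ca_certs()` returns an empty list for it.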

Category: Troubleshoot
Solution Id: 1123072