This section describes how to replace the default TMWS CA certificate with your company's CA certificate for HTTPS decryption on the on-premises gateway. Your own CA certificate will take precedence over the CA certificate you have configured on the management console.

  1. Log in to the ESXi server of the on-premises gateway as the root user through the command console.
  2. Check the following:
    • If you have your own CA certificate, ensure the files that carry the private key, passphrase, and certificate content are available on the machine, and change their names to default_key.cer, .default.passphrase, and default.cer respectively.

    • If you do not have your own CA certificate, perform the following steps to generate the key, passphrase, and certificate files.

      1. Run the following openssl command and specify a password when prompted to generate the HTTPS private key file:

        openssl genrsa -des3 -out default_key.cer 2048

      2. Run the following openssl command and type the password that you have specified in the previous step when prompted to generate the CA certificate file:

        openssl req -x509 -days <validity period in days> -new -key default_key.cer -out default.cer

        Note:

        Trend Micro recommends that you generate your CA certificate with a longer validity period, for example, 20 years.

      3. Run the following shell command to generate the .default.passphrase file:

        /usr/iwss/bin/encpw your_password > .default.passphrase

      Important:

      The file names must be default_key.cer, .default.passphrase, and default.cer and cannot be changed.

    • The administrator has a basic knowledge of openssl and shell commands.

  3. Locate the three files and copy them to the /opt/trend/iwss_usr/bin/ directory.
  4. Run the following command to replace the default CA certificate with your company's CA certificate:

    bash /opt/trend/iwss_usr/bin/use_default_ca.sh replace default.cer default_key.cer .default.passphrase

    Your company's CA certificate takes effect.

    Note:

    Execution of this command leads to a proxy service reboot. Trend Micro recommends you run the command at a proper time to avoid affecting your service continuity.
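The following script is an added example and is not part of the Trend Micro documentation or product. It carries out the key and certificate generation from step 2 without the interactive prompts (the passphrase is passed with -passout/-passin instead of being typed), marks the certificate explicitly as a CA, and then checks that the private key decrypts with the passphrase, that the certificate's public key matches that key, and that the certificate is a CA with enough validity left, before the three files are copied to /opt/trend/iwss_usr/bin/ in step 3. It assumes OpenSSL 1.1.1 or later is on PATH; the subject name, passphrase and 20-year validity are constructed values, and the .default.passphrase file is only written when /usr/iwss/bin/encpw exists, since that tool is specific to the gateway.

```shell
#!/bin/sh
# Added example (not Trend Micro's code): produce and sanity-check the three
# files that use_default_ca.sh expects. Assumes openssl 1.1.1+ on PATH.
set -eu

# make_ca DIR PASSPHRASE DAYS
# Writes DIR/default_key.cer (DES3-encrypted RSA key, as in the documented
# genrsa command) and DIR/default.cer (self-signed certificate marked as a CA).
make_ca() {
    dir=$1; pass=$2; days=$3
    mkdir -p "$dir"
    # -passout replaces the interactive password prompt from the procedure
    openssl genrsa -des3 -passout "pass:$pass" -out "$dir/default_key.cer" 2048 2>/dev/null
    # Explicit CA extensions: without basicConstraints CA:TRUE the gateway
    # cannot use this certificate to issue the per-site certificates that
    # HTTPS decryption relies on. Subject name is a constructed example.
    openssl req -x509 -new -days "$days" \
        -key "$dir/default_key.cer" -passin "pass:$pass" \
        -subj "/O=Example Corp/CN=Example Corp HTTPS Inspection CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -out "$dir/default.cer"
    # The passphrase file comes from the gateway-only encpw tool; elsewhere
    # this step is skipped so the rest of the script can still be exercised.
    if [ -x /usr/iwss/bin/encpw ]; then
        /usr/iwss/bin/encpw "$pass" > "$dir/.default.passphrase"
    fi
}

# check_ca DIR PASSPHRASE
# Returns 0 only if the key decrypts with PASSPHRASE, the certificate's
# public key matches that key, and the certificate is flagged as a CA.
check_ca() {
    dir=$1; pass=$2
    key_mod=$(openssl rsa -noout -modulus -in "$dir/default_key.cer" -passin "pass:$pass" 2>/dev/null || true)
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/default.cer")
    [ -n "$key_mod" ] || { echo "cannot decrypt default_key.cer with that passphrase" >&2; return 1; }
    [ "$key_mod" = "$cert_mod" ] || { echo "default.cer does not match default_key.cer" >&2; return 1; }
    openssl x509 -noout -text -in "$dir/default.cer" | grep -q 'CA:TRUE' \
        || { echo "default.cer is not a CA certificate" >&2; return 1; }
    return 0
}

# cert_valid_for_days DIR DAYS
# Returns 0 if default.cer will still be valid DAYS days from now; a quick
# way to confirm the long validity period the documentation recommends.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1/default.cer" >/dev/null
}

# Usage: sh make_default_ca.sh <workdir> <passphrase> [days]
if [ "$#" -ge 2 ]; then
    make_ca "$1" "$2" "${3:-7300}"
    check_ca "$1" "$2" && echo "default.cer and default_key.cer in $1 are consistent"
fi
```

Run it on a workstation or directly on the gateway with a working directory, the passphrase and an optional validity in days (7300 is roughly the 20 years the note suggests); only after check_ca succeeds should the files be copied into /opt/trend/iwss_usr/bin/ and the replace command run.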

If you need to stop using your company's CA certificate, run the following command:

bash /opt/trend/iwss_usr/bin/use_default_ca.sh disable

The CA certificate that you have configured on the management console applies immediately.

If you need to reuse your company's CA certificate, run the following command:

bash /opt/trend/iwss_usr/bin/use_default_ca.sh enable

Your company's CA certificate applies immediately.

Note:

Execution of this command leads to a proxy service reboot. Trend Micro recommends you run the command at a proper time to avoid affecting your service continuity.