Replace the Deep Security Manager SSL certificate

Deep Security Manager creates a 10-year self-signed certificate for the connections between the Deep Security Manager console and users' web browsers. However, for added security, you can replace it with certificates from a trusted certificate authority (CA). (Such certificates are maintained after a Deep Security Manager upgrade.)

You will be working with the following two Deep Security Manager keystore files

  • <DSM_installation_folder>/jre/lib/security/cacerts

    The cacerts file contains the Deep Security Manager trusted public keys for the CA server, intermediate CA server and the Deep Security application server.

  • <DSM_installation_folder>/.keystore

    The .keystore file contains the certificate and private key for the Deep Security application server. To use your own certificate(s), you will need to import them to the .keystore file.

To replace the SSL certificate in a Windows environment you will need to:

  1. Create a new .keystore file and add your certificates to the cacerts file
  2. Create a PKCS12 keychain file and import it into the new .keystore file
  3. Configure Deep Security Manager to use the new .keystore file

To replace the SSL certificate in a Linux environment you will need to:

  1. Create a new .keystore file and add your certificates to the cacerts file
  2. Create a PKCS12 keychain file and import it into the new .keystore file
  3. Configure the Deep Security Manager to use the new .keystore file

If you have enabled FIPS mode (see FIPS 140-2 support), you will need to disable FIPS mode before replacing the certificate and then re-enable FIPS mode when you're finished.

See your trusted certificates

Click Administration > System Settings > Security > View Certificate List to view a list of all security certificates accepted by Deep Security Manager.

Replace the SSL certificate in a Windows environment

Create a new .keystore file and add your certificates to the cacerts file

  1. Create backups of the following files:

    • <DSM_installation_folder>/jre/lib/security/cacerts
    • <DSM_installation_folder>/.keystore
    • <DSM_installation_folder>/configuration.properties
  2. Create a new .keystore file:

    "%ProgramFiles%\Trend Micro\Deep Security Manager\jre\bin\keytool.exe" -genkey -alias tomcat -keyalg RSA -dname cn=<Deep Security Manager server host name or FQDN> -storepass <keystore password>

  3. Generate a certificate signing request file from the new .keystore file with the following commands:

    cd "%ProgramFiles%\Trend Micro\Deep Security Manager\jre\bin\"

    keytool.exe -certreq -keyalg RSA -alias tomcat -keystore %userprofile%\.keystore -storepass <keystore password> -file certrequest.csr

  4. Send the certrequest.csr file to your CA for signing. Your CA will provide you with the following certificates:

    Root CA certificate: rootCA.cer

    Intermediate CA certificate: intermediateCA.cer

    Application server certificate: dsm.cer

  5. Move the certificates and the new .keystore file into the %userprofile%\certs\ directory.

  6. Import the certificates into the cacerts file with the following commands:

    The cacerts file requires a unique alias for each certificate. If you have multiple intermediate CA certificates, each one should have a unique alias (for example, intermd1, intermd2, intermd3). You must import the certificates in the same order as that determined by your CA.

    cd "%ProgramFiles%\Trend Micro\Deep Security Manager\jre\bin\"

    keytool.exe -import -alias root -trustcacerts -file %userprofile%\certs\rootCA.cer -keystore "%ProgramFiles%\Trend Micro\Deep Security Manager\jre\lib\security\cacerts" -storepass changeit

    keytool.exe -import -alias intermd1 -trustcacerts -file %userprofile%\certs\intermediateCA.cer -keystore "%ProgramFiles%\Trend Micro\Deep Security Manager\jre\lib\security\cacerts" -storepass changeit

    keytool.exe -import -alias tomcat -trustcacerts -file %userprofile%\certs\dsm.cer -keystore "%ProgramFiles%\Trend Micro\Deep Security Manager\jre\lib\security\cacerts" -storepass changeit

Create a PKCS12 keychain file and import it into the new .keystore file

To maintain the relationship between the certificates, you must create a PKCS12 keychain file and import the root CA, the intermediate CA and the application server certificates into it using openssl.

  1. Generate the private key from the new .keystore file with the following commands:

    cd %ProgramFiles%\Trend Micro\Deep Security Manager\jre\bin\

    keytool.exe -importkeystore -srckeystore %userprofile%\certs\.keystore -srcstorepass <keystore password> -deststoretype PKCS12 -destkeystore %userprofile%\certs\keystore.p12 -storepass <p12 keystore password>

    cd %ProgramFiles(x86)%\GnuWin32\bin\

    openssl pkcs12 -in %userprofile%\certs\keystore.p12 -passin pass:<above p12 keystore password you specified> -nocerts -out %userprofile%\certs\private.pem -passout pass:<private pem password>

    openssl rsa -in %userprofile%\certs\private.pem -passin pass:<above private pem password> -out %userprofile%\certs\private.key

  2. Create a certificate for the keychain file from the root and intermediate CA certificates:

    Combine the certificates in the order provided by your CA.

    copy %userprofile%\certs\intermediateCA.cer+%userprofile%\certs\rootCA.cer %userprofile%\certs\CAcertchain.cer

  3. Create the PKCS12 keychain:

    You will need to create the PKCS12 keychain in a Linux environment. At the time of this article's publication, there is an openssl bug in Windows that will cause openssl to crash if you use the -name option. As Java requires each key have an alias, you will not be able to import the PKCS12 keychain into the new .keystore file without using this option. Create the PKCS12 keychain In a Linux environment with the below command.

    openssl pkcs12 -export -in ~/certs/dsm.cer -inkey ~/certs/private.key -certfile ~/certs/CAcertchain.cer -out dsm.p12 -name tomcat -passout pass:<keychain password>

  4. Import the PKCS12 keychain into the new .keystore file:

    cd %ProgramFiles%\Trend Micro\Deep Security Manager\jre\bin\

    keytool.exe -importkeystore -srckeystore %userprofile%\certs\dsm.p12 -srcstoretype pkcs12 -srcalias tomcat -srcstorepass <keychain password> -destkeystore %userprofile%\certs\.keystore -storepass <keystore password> -destalias tomcat

Configure Deep Security Manager to use the new .keystore file

  1. Overwrite the .keystore file in the Deep Security Manager installation directory with the new .keystore file:

    Only the default .keystore file is kept when you upgrade Deep Security Manager. We recommend that you replace the existing .keystore file.
  2. Open the configuration.properties file, find the keystorePass= parameter, and replace the value with the one you specified for the <keystore password> in step 2 of the Create a new .keystore file and add your certificates to the cacerts file procedure.

  3. Restart the Deep Security Manager service.
  4. Open the Deep Security Manager console with https://< Deep Security Manager server host name or FQDN>:4119 and make sure there is no certificate error message. The <Deep Security Manager server host name or FQDN> should be the one used in step 2 of the Create a new .keystore file and add your certificates to the cacerts file procedure.

Replace the SSL certificate in a Linux environment

Create a new .keystore file and add your certificates to the cacerts file

  1. Create backups of the following files:

    <DSM_installation_folder>/jre/lib/security/cacerts

    <DSM_installation_folder>/.keystore

    <DSM_installation_folder>/configuration.properties

  2. Create a new .keystore file:

    /opt/dsm/jre/bin/keytool -genkey -alias tomcat -keyalg RSA -dname cn=<Deep Security Manager server host name or FQDN> -storepass <keystore password>

  3. Generate a certificate signing request file from the new .keystore file:

    /opt/dsm/jre/bin/keytool -certreq -keyalg RSA -alias tomcat -keystore ~/.keystore -storepass <keystore password> -file certrequest.csr

  4. Send the certrequest.csr file to your CA for signing. Your CA will provide you with the following certificates:

    Root CA certificate: rootCA.cer

    Intermediate CA certificate: intermediateCA.cer

    Application server certificate: dsm.cer

  5. Move the certificates and the new .keystore file into the ~/certs directory.

  6. Import the certificates into the cacerts file with the following commands:

    The cacerts file requires a unique alias for each certificate. If you have multiple intermediate CA certificates, each one should have a unique alias (for example, intermd1, intermd2, intermd3). You must import the certificates in the same order as that determined by your CA.

    keytool -import -alias root -trustcacerts -file ~/certs/rootCA.cer -keystore /opt/dsm/jre/lib/security/cacerts -storepass changeit

    keytool -import -alias intermd1 -trustcacerts -file ~/certs/intermediateCA.cer -keystore /opt/dsm/jre/lib/security/cacerts -storepass changeit

    keytool -import -alias tomcat -trustcacerts -file ~/certs/dsm.cer -keystore /opt/dsm/jre/lib/security/cacerts -storepass changeit

Create a PKCS12 keychain file and import it into the new .keystore file

To maintain the relationship between the certificates, you must create a PKCS12 keychain file and import the root CA, the intermediate CA and the application server certificates into it using openssl.

  1. Generate the private key from the new .keystore file with the following commands:

    /opt/dsm/jre/bin/keytool -importkeystore -srckeystore ~/certs/.keystore -srcstorepass <keystore password> -deststoretype PKCS12 -destkeystore ~/certs/keystore.p12 -storepass <p12 keystore password>

    openssl rsa -in ~/certs/keystore.p12 -inform PKCS12 -passin pass:<above p12 keystore password you specified> -out ~/certs/private.key

  2. Create a certificate for the keychain file from the root and intermediate CA certificates:

    cat ~/certs/intermediateCA.cer ~/certs/rootCA.cer > ~/certs/CAcertchain.cer

    Combine the certificates in the order provided by your CA.

  3. Create the PKCS12 keychain:

    openssl pkcs12 -export -in ~/certs/dsm.cer -inkey ~/certs/private.key -certfile ~/certs/CAcertchain.cer -out dsm.p12 -name tomcat -passout pass:<keychain password>

  4. Import the PKCS12 keychain into the new .keystore file:

    /opt/dsm/jre/bin/keytool -importkeystore -srckeystore ~/certs/dsm.p12 -srcstoretype pkcs12 -srcalias tomcat -srcstorepass <keychain password> -destkeystore ~/certs/.keystore -storepass <keystore password> -destalias tomcat

Configure the Deep Security Manager to use the new .keystore file

  1. Overwrite the .keystore file in the Deep Security Manager installation directory with the new .keystore file:

    cp ~/certs/.keystore /opt/dsm/.keystore

    Only the default .keystore file is kept when you upgrade Deep Security Manager. We recommend that you replace the existing .keystore file.
  2. Open the configuration.properties file, find the keystorePass= parameter, and replace the value with the one you specified for the <keystore password> in step 2 of the Create a new .keystore file and add your certificates to the cacerts file procedure.

  3. Restart the Deep Security Manager service.
  4. Open the Deep Security Manager console with https://< Deep Security Manager server host name or FQDN>:4119 and make sure there is no certificate error message. The <Deep Security Manager server host name or FQDN> should be the one used in step 2 of the Create a new .keystore file and add your certificates to the cacerts file procedure.