Replace the Deep Security Manager TLS certificate

During installation, Deep Security Manager auto-generates a self-signed TLS certificate for web console access. You can replace this default certificate with a certificate from a trusted certificate authority (CA) after the installation is complete.

The certificates are maintained when you upgrade Deep Security Manager.

Replacing the default certificate with an invalid certificate or an incomplete certificate chain can cause Deep Security Manager to become unreachable. Before replacing the certificate, carefully read the instructions in this section.

Follow the steps in either Option A or Option B to replace the Deep Security Manager TLS certificate:

Option A - Request a brand new certificate for the Deep Security Manager domain name

This is the most reliable way to replace the certificate.

  1. If you have enabled FIPS mode (see FIPS 140-2 support), disable FIPS mode before replacing the certificate and then re-enable FIPS mode when you're finished.
  2. Generate the private key and keystore.
  3. Generate a CSR and request a certificate.
  4. Import the signed certificate into the keystore.
  5. Configure Deep Security to use the signed certificate store.

Option B - Use an existing Java Key Store file

This scenario covers situations where the file was backed up from a previous installation or created for a common domain such as a wildcard certificate.

  1. Ensure you have the complete certificate chain. If necessary, consult with the CA that issued your certificate.
  2. If you have enabled FIPS mode (see FIPS 140-2 support), disable FIPS mode before replacing the certificate and then re-enable FIPS mode when you're finished.
  3. Configure Deep Security to use the signed certificate store.

Learn about Java Keystores

Java Keystores are used to contain certificates used by Java-based applications. If you're not familiar with Java Keystores and Keytool, DigitalOcean provides a good explanation of the concepts in their article, Java Keytool Essentials: Working with Java Keystores.

Generate the private key and keystore

  1. On the computer where Deep Security Manager is running, open a command prompt as an administrator.
  2. Change the directory to:
    • Windows:
      C:\Program Files\Trend Micro\Deep Security Manager\jre\bin
    • Linux:
      /opt/dsm/jre/bin
  3. Run the following command to generate a private key and a new key store.
    • Windows:
      keytool -genkey -keyalg RSA -alias tomcat -keystore C:\Users\Administrator\.keystore -validity 365 -keysize 2048
    • Linux:
      keytool -genkey -keyalg RSA -alias tomcat -keystore ~/.keystore -validity 365 -keysize 2048

    The command prompts for a keystore password and then for the fields of the certificate's distinguished name. Answer as follows (values in angle brackets are placeholders; the first and last name becomes the CN and should be the manager's host name):

      Enter keystore password:
      What is your first and last name?
        [Unknown]: <HOSTNAME>
      What is the name of your organizational unit?
        [Unknown]: <COMPANY_OU>
      What is the name of your organization?
        [Unknown]: <COMPANY_NAME>
      What is the name of your City or Locality?
        [Unknown]: <CITY>
      What is the name of your State or Province?
        [Unknown]: <STATE_IF_APPLIES>
      What is the two-letter country code for this unit?
        [Unknown]: <COUNTRY_CODE>
      Is CN=<HOSTNAME>... correct?
        [no]: yes
      Enter key password for <tomcat>
        (RETURN if same as keystore password):
      Re-enter new password:

  4. keytool prints a warning that the JKS keystore uses a proprietary format and recommends migrating to PKCS #12. Run the following command to convert the keystore to PKCS #12 format.

    This command creates a second keystore in PKCS #12 format, named .keystore2, which the remaining examples use.

    • Windows:
      keytool -importkeystore -srckeystore C:\Users\Administrator\.keystore -destkeystore C:\Users\Administrator\.keystore2 -deststoretype pkcs12
    • Linux:
      keytool -importkeystore -srckeystore ~/.keystore -destkeystore ~/.keystore2 -deststoretype pkcs12

Generate a CSR and request a certificate

Use the command below to generate a certificate signing request (CSR), which is a file that you can send to a CA to request a signed certificate. In this example, the file is named <HOSTNAME>.csr:

  • Windows:
    keytool -keystore C:\Users\Administrator\.keystore2 -certreq -alias tomcat -keyalg rsa -file <HOSTNAME>.csr
  • Linux:
    keytool -keystore ~/.keystore2 -certreq -alias tomcat -keyalg rsa -file <HOSTNAME>.csr

Next, request a signed certificate from the CA of your choice, using the CSR file. When you receive the signed certificate from the CA, continue to Import the signed certificate into the keystore.

Import the signed certificate into the keystore

Once you have obtained the signed certificate from the CA, import the certificate reply into the keystore.

Certificates are issued in a chain of trust, starting with a root CA and then one or more intermediate CAs, before getting to your actual signed certificate. You must import all of the CA certificates in the correct order. If you aren't sure what you need to import, please check with the CA that issued your signed certificate.

The examples below assume that the certificates are in .crt format.

  1. Use the following command to import the root CA certificate into the keystore. (Skip this step if the root CA that issued your certificate is already in the keystore.)
    • Windows:
      keytool -import -keystore c:\Users\Administrator\.keystore2 -storepass <YOUR_PASSWORD> -alias rootCA -file c:\Users\Administrator\<RootCA>.crt
    • Linux:
      keytool -import -keystore ~/.keystore2 -storepass <YOUR_PASSWORD> -alias rootCA -file ~/<RootCA>.crt
  2. Your signed certificate may have been signed by one or more intermediate CAs. If all intermediate CAs are in the keystore, you can skip this step. Otherwise, use the following command to import each missing intermediate CA into the keystore.
    • Windows:
      keytool -import -keystore c:\Users\Administrator\.keystore2 -storepass <YOUR_PASSWORD> -trustcacerts -alias intermediateCA -file c:\Users\Administrator\<IntermediateCA>.crt
    • Linux:
      keytool -import -keystore ~/.keystore2 -storepass <YOUR_PASSWORD> -trustcacerts -alias intermediateCA -file ~/<IntermediateCA>.crt
  3. Finally, use the following command to import your signed certificate into the keystore.
    • Windows:
      keytool -import -keystore c:\Users\Administrator\.keystore2 -storepass <YOUR_PASSWORD> -trustcacerts -alias tomcat -file c:\Users\Administrator\<HOSTNAME>.crt
    • Linux:
      keytool -import -keystore ~/.keystore2 -storepass <YOUR_PASSWORD> -trustcacerts -alias tomcat -file ~/<HOSTNAME>.crt

    If the import was successful, you will see this message:

    Certificate reply was installed in keystore
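Because an incomplete chain or a keystore without the private key makes the manager unreachable once the file is copied into place, it is worth checking the new keystore before the swap. The following script is an added example and is not part of the Trend Micro documentation or product: it lists the keystore with keytool -list -v and checks that the entry alias used above (tomcat) is a PrivateKeyEntry, that its chain holds the signed certificate plus at least one CA certificate, and that the leaf certificate names the host used in the console URL. It assumes keytool from the manager's jre\bin directory is on the PATH; the host name dsm.example.com, the CA names and the two embedded listings are constructed sample data.

```shell
#!/bin/sh
# Pre-flight check of a keystore before it replaces the Deep Security Manager .keystore.
# Added example, not Trend Micro tooling. Assumes the entry alias "tomcat" from the
# instructions and that keytool is on PATH when preflight_keystore is called.

# check_listing ALIAS HOSTNAME
# Reads `keytool -list -v` output on stdin, prints one line per problem found and
# returns 0 only when ALIAS is a PrivateKeyEntry with a chain of at least two
# certificates (leaf plus CA) whose leaf certificate names HOSTNAME.
check_listing() {
    alias_name=$1
    host=$2
    problems=0

    # Keep only the block for ALIAS: from its "Alias name:" line up to the next
    # "Alias name:" line or the end of the listing.
    block=$(awk -v a="$alias_name" '
        /^Alias name: / { inblock = ($0 == ("Alias name: " a)) }
        inblock { print }')

    if [ -z "$block" ]; then
        echo "alias '$alias_name' not found in keystore"
        return 1
    fi

    # The manager needs the private key, not just a trusted certificate entry.
    if ! printf '%s\n' "$block" | grep -q '^Entry type: PrivateKeyEntry'; then
        echo "alias '$alias_name' is not a PrivateKeyEntry; the private key is missing"
        problems=$((problems + 1))
    fi

    # Chain length 1 means the CA reply was never imported (still the self-signed
    # certificate from -genkey), so the chain presented to browsers is incomplete.
    len=$(printf '%s\n' "$block" | sed -n 's/^Certificate chain length: //p')
    if [ -z "$len" ] || [ "$len" -lt 2 ]; then
        echo "certificate chain length is ${len:-0}; expected the signed certificate plus its CA chain"
        problems=$((problems + 1))
    fi

    # Certificate[1] is the leaf. Its subject CN or a SubjectAlternativeName DNSName
    # must match the host name in the console URL.
    leaf=$(printf '%s\n' "$block" | awk '/^Certificate\[1\]:/ { p = 1; next } /^Certificate\[2\]:/ { p = 0 } p')
    hre=$(printf '%s' "$host" | sed 's/\./\\./g')
    if ! printf '%s\n' "$leaf" | grep -Eq "^Owner: CN=${hre}(,|\$)|DNSName: ${hre}\$"; then
        echo "leaf certificate does not name host '$host'"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# preflight_keystore KEYSTORE STOREPASS HOSTNAME
# Lists the keystore with keytool and runs the checks above against it.
preflight_keystore() {
    keytool -list -v -keystore "$1" -storepass "$2" | check_listing tomcat "$3"
}

# Constructed keytool listings (not real output) used to exercise the checks offline.
GOOD_LISTING='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Jan 1, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=dsm.example.com, OU=IT, O=Example Corp, C=CA
Issuer: CN=Example Issuing CA, O=Example Corp, C=CA
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Corp, C=CA
Issuer: CN=Example Root CA, O=Example Corp, C=CA
Certificate[3]:
Owner: CN=Example Root CA, O=Example Corp, C=CA
Issuer: CN=Example Root CA, O=Example Corp, C=CA'

# The same entry as it looks right after "keytool -genkey", before the CA reply is imported.
SELF_SIGNED_LISTING='Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=dsm.example.com, OU=IT, O=Example Corp, C=CA
Issuer: CN=dsm.example.com, OU=IT, O=Example Corp, C=CA'

# Returns 0 when the checker accepts the complete chain and rejects the self-signed one.
self_check() {
    printf '%s\n' "$GOOD_LISTING" | check_listing tomcat dsm.example.com >/dev/null || return 1
    if printf '%s\n' "$SELF_SIGNED_LISTING" | check_listing tomcat dsm.example.com >/dev/null; then
        return 1
    fi
    return 0
}

# Run against a real keystore when invoked with three arguments, e.g.
#   sh preflight.sh ~/.keystore2 '<YOUR_PASSWORD>' dsm.example.com
if [ $# -eq 3 ]; then
    preflight_keystore "$1" "$2" "$3" && echo "keystore passed all checks"
fi
```

Run it against .keystore2 before step 3 of the next section; a non-zero exit with a printed reason means the keystore is not ready to copy over /opt/dsm/.keystore. The checks cover entry type, chain length and host name only; they do not check certificate validity dates, which keytool prints on the "Valid from" lines and you should still read.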

Configure Deep Security to use the signed certificate store

The examples below assume that the new keystore is named .keystore2.

  1. Back up the (Windows) C:\Program Files\Trend Micro\Deep Security Manager\configuration.properties or (Linux) /opt/dsm/configuration.properties file.
  2. Back up the old keystore file:
    • Windows:
      copy "C:\Program Files\Trend Micro\Deep Security Manager\.keystore" "C:\Program Files\Trend Micro\Deep Security Manager\.keystore.bak"
    • Linux:
      cp /opt/dsm/.keystore /opt/dsm/.keystore.bak
  3. Replace the old keystore file with the new file:
    • Windows:
      copy "c:\Users\Administrator\.keystore2" "C:\Program Files\Trend Micro\Deep Security Manager\.keystore"
    • Linux:
      cp ~/.keystore2 /opt/dsm/.keystore

    You must replace the default keystore file. If you choose to change the path in the configuration file instead, the configuration file will reset to the default location the next time you upgrade Deep Security Manager, which will undo the change.

  4. Update the keystore password in (Windows) C:\Program Files\Trend Micro\Deep Security Manager\configuration.properties or (Linux) /opt/dsm/configuration.properties as follows:

    ...<OTHER_SETTINGS>

    keystorePass=<YOUR_PASSWORD>

  5. Restart the Deep Security Manager service.