Replace the Deep Security Manager SSL certificate

Applies to on-premise Deep Security software installations only

The Deep Security Manager creates a 10-year self-signed certificate for the connections with Agents / Appliances, Relays, and Users' web browsers. However, for added security, this certificate can be replaced with a certificate from a trusted certificate authority (CA). (Such certificates are maintained after a Deep Security Manager upgrade.)

Once generated, the CA certificate must be imported into the .keystore in the root of the Deep Security Manager installation directory and have an alias of "tomcat". The Deep Security Manager will then use that certificate.

Replace the SSL certificate in a Windows environment

This procedure describes how to import a .cer file, but you can use the same procedure to import a .crt file.

  1. Log in as an administrator to the computer where Deep Security Manager is installed.
  2. Open a command prompt and go to the directory where Deep Security Manager is installed. The default is C:\Program Files\Trend Micro\Deep Security Manager.
  3. Create a new folder named Backupkeystore that you will use for backup purposes:

    mkdir Backupkeystore

  4. Copy the .keystore and configuration.properties files to the Backupkeystore folder that you created in the previous step:

    copy .keystore Backupkeystore

    copy configuration.properties Backupkeystore

  5. Change to the \jre\bin directory:

    cd jre\bin

  6. Use the following commands to create a new keystore:

    keytool -genkey -keyalg RSA -alias tomcat -dname cn=<Deep Security Manager server host name or FQDN> -storepass changeit

    When you see "(RETURN if same as keystore password):", press Enter. Your store password will be set to "changeit". Remember this password because other steps will require it. For details about keytool.exe, see http://docs.oracle.com/javase/8/docs/technotes/tools/windows/keytool.html.

  7. Check that the .keystore file was created under %userprofile%.

    dir %userprofile%

  8. Use the following command to view the newly generated certificate:

    keytool -list -v -storepass changeit

  9. Use the following command to create a certificate signing request (CSR) for your CA to sign:

    keytool -certreq -keyalg RSA -alias tomcat -file certrequest.csr -storepass changeit

  10. Import certificates to the corresponding keystore:
    1. Send the .csr file to your CA for signing. If your CA is a private (self-signed) CA, you need to receive at least its root certificate and the signed server certificate for Deep Security Manager in return; otherwise, the signed server certificate is enough. You may also receive one or more intermediate certificates.
    2. Copy the certificates to C:\Program Files\Trend Micro\Deep Security Manager\jre\bin.
    3. Import the root certificate if you have one. The first command adds it to the JRE's own trust store (cacerts); the second adds it to the .keystore under %userprofile% that you created in step 6:

      keytool -import -alias root -trustcacerts -file root.cer -keystore ..\lib\security\cacerts -storepass changeit

      keytool -import -alias root -trustcacerts -file root.cer -storepass changeit

    4. If you have intermediate certificates, import them one by one, in the order provided by your CA, into both keystores as in the previous step:

      keytool -import -alias intermd -trustcacerts -file intermd.cer -keystore ..\lib\security\cacerts -storepass changeit

      keytool -import -alias intermd -trustcacerts -file intermd.cer -storepass changeit

      In this case, we set the alias for intermd.cer to "intermd". Each intermediate certificate needs a unique alias; you can assign any unique name, for example intermd1, intermd2, and so on.

    5. Import the server certificate:

      keytool -import -alias tomcat -trustcacerts -file dsm.cer -keystore ..\lib\security\cacerts -storepass changeit

      keytool -import -alias tomcat -trustcacerts -file dsm.cer -storepass changeit

      When you see "Trust this certificate? [no]:", enter "yes".

  11. Copy the %userprofile%\.keystore file to C:\Program Files\Trend Micro\Deep Security Manager:

    move /Y %userprofile%\.keystore ..\..\

  12. Set keystorePass in C:\Program Files\Trend Micro\Deep Security Manager\configuration.properties to the keystore password you chose in step 6 ("changeit" in this example). The file looks like this:

    keystoreFile=C\:\\Program Files\\Trend Micro\\Deep Security Manager\\.keystore

    port=4119

    keystorePass=changeit

    installed=true

    serviceName= Trend Micro Deep Security Manager

  13. Restart the Deep Security Manager service.

  14. Open the Deep Security Manager console at https://<Deep Security Manager server host name or FQDN>:4119 and make sure there is no certificate error message. The <Deep Security Manager server host name or FQDN> must be the one you used in step 6.

Replace the SSL certificate in a Linux environment

To import an SSL certificate into Deep Security Manager, you will need to do the following on the server that the Deep Security Manager is installed on:

  1. Add your intermediate and root CA certificates to a new keystore
  2. Convert your signed certificate and private key into PKCS12 format
  3. Import your signed certificate and private key into the new keystore
  4. Update Deep Security Manager with the new keystore

You will be working with the following 4 files:

File name           Description
RootCA.crt          The root CA certificate of the signer.
IntermediateCA.crt  The intermediate CA certificate of the signer.
ssl-priv.key        The private key used to generate the SSL certificate signing request.
FQDN.crt            The signed SSL certificate of your domain.

Add your intermediate and root CA certificates to a new keystore

The procedure for adding certificates will differ depending on whether your root CA certificate already exists in the JAVA built-in CA keystore.

If your root certificate is not in the JAVA built-in CA keystore:

  1. Import your root CA certificate into a new keystore:

    keytool -import -alias RootCA -trustcacerts -file RootCA.crt -keystore new_keystore

  2. When prompted, create a password for the keystore.
  3. Import your intermediate CA certificate into the new keystore:

    keytool -import -alias intermediate -trustcacerts -file IntermediateCA.crt -keystore new_keystore

If your root certificate is already in the JAVA built-in CA keystore:

  1. Import your intermediate CA certificate into a new keystore:

    keytool -import -alias intermediate -trustcacerts -file IntermediateCA.crt -keystore new_keystore

  2. When prompted, create a password for the keystore.

Convert your signed certificate and private key into PKCS12 format

  • Using openssl, convert your signed certificate and private key into PKCS12 format:

    openssl pkcs12 -export -in FQDN.crt -inkey ssl-priv.key -certfile FQDN.crt -out FQDN.p12 -name tomcat

Import your signed certificate and private key into the new keystore

  1. Import the FQDN.p12 into the new keystore (the same new_keystore file that holds the CA certificates):

    keytool -importkeystore -srckeystore FQDN.p12 -srcstoretype pkcs12 -destkeystore new_keystore -destalias tomcat -alias tomcat

  2. In the new keystore, verify that the tomcat entry type is PrivateKeyEntry, and that the intermediate CA entry type is trustedCertEntry:

    keytool -list -keystore new_keystore


Update Deep Security Manager with the new keystore

By default .keystore and configuration.properties files are located in the /opt/dsm folder of your Deep Security installation.

  1. Create the directory dsm_keystore_bak and back up the original Deep Security Manager .keystore and configuration.properties files to it:

    mkdir dsm_keystore_bak

    cp /opt/dsm/.keystore /opt/dsm/configuration.properties dsm_keystore_bak

  2. Replace the Deep Security Manager .keystore file with the new keystore file and update keystorePass in the configuration.properties file:

    cp new_keystore /opt/dsm/.keystore

    vim /opt/dsm/configuration.properties

    keystorePass=XXXX {replace XXXX with the keystore password you created}

    Only the default keystore file (/opt/dsm/.keystore) is kept when you upgrade Deep Security Manager. We recommend that you replace the existing keystore file.

  3. Restart the Deep Security Manager service.
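The following script is an added example, not Trend Micro's own tooling: it performs steps 1 and 2 above from a shell function, with a backup, an edit of configuration.properties that leaves the other keys untouched, and a read-back check before you restart the service. It assumes the new keystore was built with the keytool steps above and that the installation directory is passed in (normally /opt/dsm); the restart itself (step 3) is left to the operator.

```shell
#!/bin/sh
# Added example (not Trend Micro's own tooling): install a prepared keystore
# into a Deep Security Manager directory and record its password.

# install_dsm_keystore <dsm_home> <new_keystore> <keystore_password>
install_dsm_keystore() {
    dsm_home=$1; new_ks=$2; ks_pass=$3
    props="$dsm_home/configuration.properties"
    [ -f "$new_ks" ] || { echo "new keystore not found: $new_ks" >&2; return 1; }
    [ -f "$props" ] || { echo "not a DSM directory: $dsm_home" >&2; return 1; }

    # Step 1: back up the original .keystore and configuration.properties.
    bak="$dsm_home/dsm_keystore_bak"
    mkdir -p "$bak" && cp "$dsm_home/.keystore" "$props" "$bak/" || return 1

    # Step 2a: replace the default keystore in place. Only this file survives
    # an upgrade, so do not point configuration.properties at another path.
    cp "$new_ks" "$dsm_home/.keystore" || return 1
    chmod 600 "$dsm_home/.keystore"   # added hardening: the file holds the private key

    # Step 2b: set keystorePass and leave every other key as it was. The value
    # travels through the environment so awk does not reinterpret '\' or '&'.
    tmp="$props.tmp"
    KS_PASS="$ks_pass" awk '
        BEGIN { p = ENVIRON["KS_PASS"] }
        /^keystorePass=/ { print "keystorePass=" p; done = 1; next }
        { print }
        END { if (!done) print "keystorePass=" p }
    ' "$props" > "$tmp" && mv "$tmp" "$props" || return 1

    # Read back and confirm the file now carries exactly the intended password.
    [ "$(configured_keystore_pass "$dsm_home")" = "$ks_pass" ]
}

# configured_keystore_pass <dsm_home>: print the keystorePass value in force.
configured_keystore_pass() {
    sed -n 's/^keystorePass=//p' "$1/configuration.properties" | tail -n 1
}
```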