- Take a snapshot of the Deep Security Manager VM and name it “Pre-SSL” or something similar.
- RDP into the Deep Security Manager VM. Open an elevated command prompt (Start > CMD > right-click and select Run as Administrator).
- Create a folder called c:\certs.
- Stop the Deep Security Manager service using the command: net stop "Trend Micro Deep Security Manager" and check to make sure that the service has stopped. It can take a full minute or more to stop.
- Change to the Deep Security Manager directory. The default is c:\Program Files\Trend Micro\Deep Security Manager.
- Determine the Java keystore password by issuing the command: installfiles\genkey.bat. The keystore password is the string immediately following the ‘-storepass’ parameter. Its format will be something like this: bEwzWtCe.
- In the following steps, replace “bEwzWtCe” with the password you captured in step 6.
- Issue the command: keytool -delete -storepass bEwzWtCe -alias tomcat -keystore .keystore
- Issue the command: keytool -genkey -storepass bEwzWtCe -alias tomcat -keyalg RSA -keystore .keystore
- In the dialog that follows, the first prompt is for your name. Don’t use your name—use the FQDN of the Deep Security Manager machine. For example: trend01.acme.local. Complete the other fields with the appropriate customer information. For OU, you can use “IT,” the customer’s full company name, or something else, if they have a preference.
- Issue the command: keytool -certreq -storepass bEwzWtCe -keyalg RSA -alias tomcat -file c:\certs\certreq.txt -keystore .keystore
- On a domain-joined machine, export the root certificate using the Certificates snap-in (for the Local Computer) in MMC. Export the cert using the default settings. Name it root.cer and copy it to the c:\certs directory on the Deep Security Manager machine.
- Issue the command: keytool -import -alias root -storepass bEwzWtCe -trustcacerts -file c:\certs\root.cer -keystore .keystore. When prompted, type “yes” to accept the certificate into the keystore.
- Generate the certificate for the Deep Security Manager, either using the customer’s Windows domain CA (preferred), or a trusted certificate authority. Use a web server template.
- Download the certificate chain (not just the cert) in DER (p7b) format. Save the file as dsmcertnew.p7b. Copy it to the c:\certs directory on the Deep Security Manager machine.
- Issue the command: keytool -import -alias tomcat -storepass bEwzWtCe -file c:\certs\dsmcertnew.p7b -keystore .keystore. When prompted, type “yes” to accept the certificate into the keystore.
- Start the Deep Security Manager service using the command: net start "Trend Micro Deep Security Manager"
- Check to make sure the service has started.
- Log into Deep Security Manager and verify that the signed certificate is in use. Use the FQDN of the Deep Security Manager when connecting to it with a browser. You shouldn’t receive a certificate error, and if you check the certificate chain (use the lock icon in the browser bar to get to it), you should see the certificate chain with the correct CA and the FQDN of the DSM.
- If all goes well, delete the snapshot you took in step 1. If not, revert to the snapshot and come back to it another time.
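
A check that can be run between steps 16 and 17, before the service is restarted, to confirm that the signed chain really replaced the self-signed certificate under the tomcat alias. This is an added example, not part of the original post; the function name Test-TomcatEntry and the sample output are constructed for illustration, and it assumes keytool's English output labels.

```powershell
# Added example (not from the original post). Input is the text printed by:
#   keytool -list -v -alias tomcat -storepass <password> -keystore .keystore
# Assumes keytool's English output labels.
function Test-TomcatEntry {
    param([string]$KeytoolOutput, [string]$Fqdn)

    if ($KeytoolOutput -notmatch '(?m)^Entry type:\s*PrivateKeyEntry') {
        'alias tomcat is not a PrivateKeyEntry, so the CA reply is not attached to the generated key'
    }
    $len = 0
    if ($KeytoolOutput -match '(?m)^Certificate chain length:\s*(\d+)') { $len = [int]$Matches[1] }
    if ($len -lt 2) { "chain length is $len; expected the server certificate plus its CA certificate(s)" }

    # Owner and Issuer are printed once per certificate, server certificate first.
    $owners  = @([regex]::Matches($KeytoolOutput, '(?m)^Owner:\s*(.+?)\s*$')  | ForEach-Object { $_.Groups[1].Value })
    $issuers = @([regex]::Matches($KeytoolOutput, '(?m)^Issuer:\s*(.+?)\s*$') | ForEach-Object { $_.Groups[1].Value })
    if ($owners.Count -eq 0 -or $issuers.Count -eq 0) { 'no Owner/Issuer lines found'; return }

    if ($owners[0] -notmatch ('^CN=' + [regex]::Escape($Fqdn) + '(,|$)')) {
        "server certificate subject '$($owners[0])' does not start with CN=$Fqdn"
    }
    if ($owners[0] -eq $issuers[0]) {
        'server certificate is self-signed: still the certificate created by keytool -genkey'
    }
}

# Constructed sample: the state after step 9, before the signed chain is imported.
$sample = @'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=trend01.acme.local, OU=IT, O=Acme, L=City, ST=State, C=US
Issuer: CN=trend01.acme.local, OU=IT, O=Acme, L=City, ST=State, C=US
'@

$problems = @(Test-TomcatEntry -KeytoolOutput $sample -Fqdn 'trend01.acme.local')
if ($problems.Count -eq 0) { 'tomcat entry looks correct' } else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

For a real check, run the keytool command from the Deep Security Manager directory, pipe it to Out-String, and pass the result as -KeytoolOutput in place of the sample.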