By default, TMWS acts as a private Certificate Authority (CA) and uses a
default root CA certificate that is presented to client browsers to establish the
secure session for HTTPS connections. However, because the default CA certificate is
not signed by a CA trusted on the Internet, client browsers display a
certificate warning each time users access an HTTPS website. Although users can
safely ignore the certificate warning, Trend Micro recommends using a cross-signed
CA certificate if you have your own certificate.

TMWS allows administrators to cross-sign your organization's own CA certificate
with the Certificate Signing Request (CSR) file provided by Trend Micro, and to
upload the cross-signed certificate to the TMWS management console. Cross-signing
the CA certificate establishes a trust relationship between the TMWS CA certificate
and your organization's own CA certificate.

This section describes how to cross-sign your CA certificate with the CSR
file for use by the cloud proxy.
Procedure

- Check the following:
  - Your organization's CA certificate, the corresponding CA private key, and the key's passphrase are available.
  - The Path Length Constraint in your organization's CA certificate is set to None, so that CA certificates further down the hierarchy are not restricted.
  - The administrator has a basic knowledge of openssl commands.
- Create a folder named CrossSignTMWSCA_cloud.
  Note: The names of the folders and files created in this section are user customizable.
- Go to the newly created folder.
- Create a subfolder named newcerts.
- Create an empty file named certindex.
- Create a file, copy and paste the following text, and then save it as serialfile:

    000a

- Create a file, copy and paste the following text into the file, and then save it as tmws_ca.csr:

    -----BEGIN CERTIFICATE REQUEST-----
    MIIEwjCCAqoCAQAwfTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQH
    DAJDVTEUMBIGA1UECgwLVHJlbmQgTWljcm8xDTALBgNVBAsMBFRNV1MxLzAtBgNV
    BAMMJlRyZW5kIE1pY3JvIFdlYiBTZWN1cml0eSBDbG91ZCBSb290IENBMIICIjAN
    BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuHcSU43KYws7UxoyfH8RcnaO0cr/
    HETn3npjrKxWy3+L8/RSPg/KjUgZhVIqcYgef40rsNoNrM67UwdRxlDpr7qKT47P
    ZFaIwMCpfqPFHYvnz7JlcomfeY576ksnMZ87X7ThK3ZqXAuuTUHeDUXep9QAWmPM
    Jwq15xGfPf28AR8jEfF8V0xbFHbyMYQyKpzbPDUGAgiLgKGiDsYkEpi65FfOGNKH
    jauQ+s1BlO/j9MLtp2Jf9me27iSyluD+ATo93a7Z3vlHBIyazENhPG7yJa971DBy
    8FUhKWrrn1Nv2VBCT+4bVpKAvoIqhbFFytBcTRfq0dRMPmiB9ug2BjxDry5Uucko
    8jMT2aN96M+Jm5Rlaq9W/ci7jkVgwDAAPtGDum8Eyxt38CRkmfFcMpXMOnPBdaDc
    vTXwIU+TSd2g8nJqHlD19Ijb1QuoRzA+45ByparF5/1QvPhd9nHKBUN+foNZJXBX
    dKBPtycjjL+8zeS3KXA2qo5gn2B6BOsG67O4/4uAEqEB7WsLpdCaKk4zrA5fiNyB
    arRsXY6ueuEnwkupxyswldzihj2/HNZtdk1pZQo9PIUe4PmuSoBJxvQwyBJ+AI9h
    OJ6UpTsS/UX9ei0z87ZBiLKPh4zUjZtPzI4UQErv3QigG/v+fnMmhEAOY0lTQfpq
    WoBsADZyLwzpZh0CAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4ICAQCM/LyutXY4wDst
    LAO2W/xJIkG6+gT5Y++Yql7xoCuHvpr4sNGOuT3tY1XAiWLu86fQTLO5m70MzVYq
    14fcAYhRzzv1WJNbzAxzSzagV5J01l9LsfRA8z1gBvFUfN4PmGoUfkx2pAFFPDt2
    BOyZX/3TcZ8V/icRrhK36CZq8jMr2YMsA7zG3OVOLtYFZBa0JICcp9SWCc/6M4DG
    Rn2uNKMA69qq+xI1OkfcYxcxNf/Wlhwh7OEUVVyaeSglo/QFnq0TTmxxkWEpIsd8
    B5TB9vUAS+al7jkKtpSVYR9Z2i6lPhN8AZrNkBsqI1MNtq5+CPo2+WPH9gTwuC+J
    5Wu6UtrIUEatYuWUSGHNcDO6tmoxyLmE4g/AeyFERS5s6zUO7WRXJ5inYzr3JZAM
    1B3sJo957ue7PofHw5bIZKqc46uUaVJJD+G19MuAR1QOSfvqvXDVUsYliy5h6P+e
    p5JICIe/5j8xyb273s7GVEbpMz2ZvvNaZDwCcMWL1S7zohw4wH7jzml0X2kr0oYs
    vpcNfoug/4IKj8Y2PVMYJwJadXOGFZGo+L7YOI5Cb4+4pzhH8+TetXSzEEMkozW9
    4j7W64EfOZwaBv1XLqOwS3UoHTtB1ewsYoC2cyrJ6ypTqyPrGtbFnFYy2zmruLjA
    AFd65jMhNeeACg8sqfsfFOSmSluQ1A==
    -----END CERTIFICATE REQUEST-----

- Create a file, copy and paste the following text into the file, and then save it as a configuration file named myca.conf:

    [ca]
    default_ca = rootca

    [crl_ext]
    #issuerAltName=issuer:copy #this would copy the issuer name to altname
    authorityKeyIdentifier=keyid:always

    [rootca]
    new_certs_dir = newcerts
    unique_subject = no
    certificate = root.cer #Your organization's CA certificate
    database = certindex
    private_key = root.key #Your organization's CA private key
    serial = serialfile
    default_days = 3660 #Should be at least two years from the date of cross-signing
    default_md = sha256 #sha256 is required.
    policy = myca_policy
    x509_extensions = myca_extensions

    [ myca_policy ]
    countryName = supplied
    stateOrProvinceName = supplied
    localityName = supplied
    organizationName = supplied
    organizationalUnitName = optional
    commonName = supplied
    emailAddress = optional

    [ myca_extensions ]
    #These extensions are required.
    basicConstraints = CA:true
    subjectKeyIdentifier = hash
    authorityKeyIdentifier = keyid:always
    keyUsage = keyCertSign, cRLSign

- Run the following command to cross-sign your organization's CA certificate using the CSR file:

    openssl ca -batch -config myca.conf -notext -days 7320 -in tmws_ca.csr -out tmws_ca.cer

  A cross-signed certificate named 0A.pem is generated under the newcerts folder (the same certificate is also written to tmws_ca.cer, as given by the -out option).
- Upload the certificate in the Cross-signed certificate for cloud part of the Certificate section of a decryption rule as necessary.
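The following POSIX shell script is an added example, not part of the TMWS documentation or Trend Micro's tooling. It rehearses the whole procedure offline: it generates a throwaway CA standing in for your organization's root.cer and root.key, a stand-in CSR in place of tmws_ca.csr (both constructed here, with subjects that satisfy the myca_policy section), writes the myca.conf from this section, runs the openssl ca command exactly as given, and then performs the checks worth doing before the upload: that the organization CA carries no Path Length Constraint, that the result chains to the organization root, that it is a CA certificate with keyCertSign and cRLSign, that it is SHA-256 signed, and that newcerts/0A.pem was produced. All function names are this example's own; the real run substitutes your CA files and the Trend Micro CSR.

```shell
# Added example (not TMWS or Trend Micro code): rehearse the cross-signing steps
# offline with a throwaway CA and a stand-in CSR, then run pre-upload checks.
set -eu
# Constructed stand-in for the organization's CA; a second argument adds a pathlen limit (what the prerequisites rule out).
make_test_root_ca() {
  bc="CA:true"; [ $# -gt 1 ] && bc="CA:true, pathlen:$2"
  cat > "$1/root.conf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = root_ext
[dn]
C = US
ST = CA
L = Example
O = Example Org
CN = Example Org Root CA
[root_ext]
basicConstraints = critical, $bc
subjectKeyIdentifier = hash
keyUsage = critical, keyCertSign, cRLSign
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3660 -config "$1/root.conf" -keyout "$1/root.key" -out "$1/root.cer" 2>/dev/null
}
# Prerequisite check: succeeds only if the CA certificate has no pathlen limit.
check_no_pathlen() {
  ! openssl x509 -in "$1" -noout -text | grep -q 'pathlen'
}
# Constructed stand-in for tmws_ca.csr; its subject supplies every field myca_policy marks "supplied".
make_test_csr() {
  cat > "$1/csr.conf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
C = US
ST = CA
L = Example
O = Example Proxy Vendor
OU = Proxy
CN = Example Proxy Cloud Root CA
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$1/csr.conf" -keyout "$1/stand_in.key" -out "$1/tmws_ca.csr" 2>/dev/null
}
# myca.conf from this section, without the comments.
write_myca_conf() {
  cat > "$1/myca.conf" <<'EOF'
[ca]
default_ca = rootca
[rootca]
new_certs_dir = newcerts
unique_subject = no
certificate = root.cer
database = certindex
private_key = root.key
serial = serialfile
default_days = 3660
default_md = sha256
policy = myca_policy
x509_extensions = myca_extensions
[ myca_policy ]
countryName = supplied
stateOrProvinceName = supplied
localityName = supplied
organizationName = supplied
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ myca_extensions ]
basicConstraints = CA:true
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = keyCertSign, cRLSign
EOF
}
# newcerts, certindex, serialfile, then the openssl ca command from this section.
cross_sign() {
  ( cd "$1" && mkdir -p newcerts && : > certindex && printf '000a\n' > serialfile &&
    openssl ca -batch -config myca.conf -notext -days 7320 -in tmws_ca.csr -out tmws_ca.cer >/dev/null )
}
# Pre-upload checks: chains to the organization root, CA with required key usage, SHA-256, and newcerts/0A.pem exists.
verify_cross_signed() {
  openssl verify -CAfile "$1/root.cer" "$1/tmws_ca.cer" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$1/tmws_ca.cer" -noout -text)
  echo "$text" | grep -q 'CA:TRUE' || return 1
  echo "$text" | grep -q 'Certificate Sign, CRL Sign' || return 1
  echo "$text" | grep -q 'sha256WithRSAEncryption' || return 1
  [ -f "$1/newcerts/0A.pem" ]
}
run_rehearsal() {
  make_test_root_ca "$1" && check_no_pathlen "$1/root.cer" && make_test_csr "$1" &&
    write_myca_conf "$1" && cross_sign "$1" && verify_cross_signed "$1"
}
run_rehearsal "$(mktemp -d)" && echo "cross-sign rehearsal OK"
```

Run it with sh in any directory; it works entirely inside a temporary folder. For the production run, replace the two constructed inputs with your organization's root.cer and root.key and the tmws_ca.csr from this section, and keep check_no_pathlen and verify_cross_signed as the gate before uploading to the decryption rule.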