SSL Cert Replace
IP.1 = <IP ADDRESS>

For example:

Ensure that the server on which "EIP Infra" is installed is added to the domain.
[Screenshot: Windows System properties, "Computer name, domain, and workgroup settings", showing the Full computer name]
DNS.1 = <full computer name>
DNS.2 = ...
DNS.3 = ...
IP.1 = xxx
Note: The FQDN and host name values are entered according to the "computer name" and "full computer name" of the server where "EIP Infra" is installed.
7. (Optional) Add additional DNS.x or IP.x values as needed to cover all the possible DNS names, hostnames, and IPs used by the Forcepoint Manager. Depending on the signing authority, some fields may not be necessary or valid, so please confirm with that authority beforehand. These additions to openssl.cnf specify the Subject Alternative Name (SAN) variations to include in the certificate request.
8. Open an administrative Command Prompt and navigate to the \Websense\EIP Infra\apache\conf\websense\ssl directory. Set the openssl executable to use the EIP Infra's configuration file by creating an environment variable for OPENSSL_CONF.
Note: The openssl executable provided in the apache\bin folder is not actually installed to the operating system. If the environment variable is not set, it defaults to /usr/local/ssl (which does not exist in Windows) for its openssl.cnf path.
Use the following Command Prompt command to set an OS environment variable for OPENSSL_CONF pointing to the Apache openssl.cnf file:
setx OPENSSL_CONF "C:\Program Files (x86)\Websense\EIP Infra\apache\conf\openssl.cnf" /M
Because setx writes the variable to the machine environment rather than to the running session, it is not visible in the Command Prompt that ran it; open a new administrative Command Prompt before continuing.
Note: The path to openssl.cnf will differ if the Management Infrastructure has been installed to a location other than the default. Update this path as necessary.
This can also be done from the Control Panel under System > Environment Variables.
Confirm that the following command returns the correct location:
echo %OPENSSL_CONF%
Create a Certificate Signing Request
Note: The following commands assume that the Command Prompt has navigated to the \Websense\EIP Infra\apache\conf\websense\ssl folder.
9. Generate the key and set its passphrase (make a note of it for the following steps):
..\..\..\bin\openssl.exe genrsa -des3 -out HTTPD-SERVER.KEY 2048
This will create HTTPD-SERVER.KEY within the SSL folder.
https://support.forcepoint.com/s/article/How-to-create-and-install-a-new-server-certificate-into-TRITON-EIP-infrastructure
How to Create and Install a New Server Certificate for the Forcepoint Management Infrastructure
10. Generate the Certificate Request with the passphrase set in the previous step:
..\..\..\bin\openssl.exe req -new -out HTTPD-SERVER.CSR -key HTTPD-SERVER.KEY
OR
(Add -sha512 or higher for a stronger signature algorithm)
..\..\..\bin\openssl.exe req -sha512 -new -out HTTPD-SERVER.CSR -key HTTPD-SERVER.KEY
Complete the various prompts that appear. This will create HTTPD-SERVER.CSR under the SSL directory.
11. Verify that the Subject Alternative Names are present in the request:
..\..\..\bin\openssl.exe req -text -noout -in HTTPD-SERVER.CSR
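Steps 7 and 11 together amount to "put every name the Manager answers on into openssl.cnf, then confirm they all came out in the CSR". The following is an added example (not code from the Forcepoint article): one helper writes the [alt_names] block for openssl.cnf, the other reads the text dump that the step 11 command prints and reports any expected name the CSR is missing, so a request with a gap is caught before it is sent for signing. It assumes the EIP Infra openssl.cnf wires the section in with "subjectAltName = @alt_names" under [v3_req], which is standard OpenSSL; the hostnames, IP and CSR dump below are constructed sample values.

```python
# Added example; not from the Forcepoint article. Standard library only.
import ipaddress
import sys

SAN_HEADER = "X509v3 Subject Alternative Name:"  # header line printed by openssl req -text


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _canonical(name):
    """Canonical text for IP addresses, lower-case text for DNS names,
    so that values typed by hand and values printed by OpenSSL compare equal."""
    name = name.strip()
    return str(ipaddress.ip_address(name)) if _is_ip(name) else name.lower()


def build_alt_names(names):
    """Return the [alt_names] section for openssl.cnf (step 7).
    Entries that parse as an IP address become IP.x lines, everything else
    DNS.x lines; each kind is numbered from 1 as OpenSSL expects.
    Assumes [v3_req] already contains 'subjectAltName = @alt_names'."""
    dns, ips = [], []
    for raw in names:
        value = _canonical(raw)
        (ips if _is_ip(value) else dns).append(value)
    lines = ["[ alt_names ]"]
    lines += [f"DNS.{i} = {d}" for i, d in enumerate(dns, 1)]
    lines += [f"IP.{i} = {a}" for i, a in enumerate(ips, 1)]
    return "\n".join(lines)


def parse_csr_sans(csr_text):
    """Set of canonical SAN values found in 'openssl req -text -noout' output.
    OpenSSL prints the header line followed by one line such as
    'DNS:host.example.local, DNS:host, IP Address:10.0.0.5'."""
    lines = csr_text.splitlines()
    for idx, line in enumerate(lines):
        if SAN_HEADER in line and idx + 1 < len(lines):
            found = set()
            for entry in lines[idx + 1].split(","):
                kind, sep, value = entry.strip().partition(":")
                if sep and kind in ("DNS", "IP Address"):
                    found.add(_canonical(value))
            return found
    return set()  # no SAN extension at all: the request carries no alternative names


def missing_sans(csr_text, expected):
    """Expected names (DNS or IP) that did NOT make it into the CSR, sorted.
    An empty list means the request covers everything in `expected`."""
    present = parse_csr_sans(csr_text)
    return sorted(n for n in {_canonical(e) for e in expected} if n not in present)


# Constructed sample of the step 11 output; hostnames and IP are hypothetical.
SAMPLE_CSR_TEXT = """\
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = US, O = Example Corp, CN = fpmanager.example.local
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:fpmanager.example.local, DNS:fpmanager, IP Address:10.0.0.5
    Signature Algorithm: sha512WithRSAEncryption
"""

if __name__ == "__main__":
    # Usage: python check_csr_sans.py csr-dump.txt name1 name2 ...
    # where csr-dump.txt holds the output of: openssl.exe req -text -noout -in HTTPD-SERVER.CSR
    if len(sys.argv) < 3:
        print(build_alt_names(["fpmanager.example.local", "fpmanager", "10.0.0.5"]))
        print(missing_sans(SAMPLE_CSR_TEXT, ["fpmanager.example.local", "10.0.0.6"]))
    else:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            gaps = missing_sans(fh.read(), sys.argv[2:])
        print("all expected SANs present" if not gaps else "missing: " + ", ".join(gaps))
```

Run without arguments it prints the generated [alt_names] block for the sample names and the names missing from the sample dump; with a dump file and a list of names it checks a real request. Comparing canonical forms matters because OpenSSL prints IPv6 addresses compressed and DNS names exactly as entered, so a hand-typed list would otherwise produce false "missing" reports.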
12. Sign the CSR using ONE of the two methods below.
Using a Certificate Authority (CA):
• Send the CSR to the signing Certificate Authority (CA), preferably via a web interface. The web interface can output the certificate as a PEM/Base-64 certificate. DER certificates are incompatible with Apache HTTPD services.
• If you cannot use a web interface, convert the certificate from DER to PEM/Base-64 by using OpenSSL. See The Most Common OpenSSL Commands (https://www.sslshopper.com/article-most-common-openssl-commands.html) and scroll to Converting Using OpenSSL.
• If you are using a third party certificate vendor, use "Apache Web Server" as the target server in order to get the correct certificate type.
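The DER-versus-PEM point above, as an added example that is not part of the Forcepoint article: a small Python helper that tells the two encodings apart (PEM carries a "-----BEGIN CERTIFICATE-----" armour line, DER starts with the ASN.1 SEQUENCE tag 0x30 that every X.509 certificate begins with) and re-armours a DER file as PEM/Base-64, the same conversion the linked OpenSSL commands perform. The sample bytes are a constructed five-byte ASN.1 SEQUENCE, not a real certificate.

```python
# Added example; not from the Forcepoint article. Standard library only.
import base64
import sys
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def detect_format(data: bytes) -> str:
    """'PEM' if the bytes contain the certificate armour, 'DER' if the first
    byte is the ASN.1 SEQUENCE tag (0x30), otherwise 'UNKNOWN'."""
    if PEM_HEADER.encode("ascii") in data:
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "UNKNOWN"


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in standard 64-column Base-64 PEM armour."""
    body = base64.b64encode(der).decode("ascii")
    return "\n".join([PEM_HEADER, *textwrap.wrap(body, 64), PEM_FOOTER]) + "\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the armour and decode. Tolerates CRLF line endings and text a CA
    may print before the armour; raises ValueError if no armour is found."""
    lines = [ln.strip() for ln in pem.splitlines()]
    try:
        start = lines.index(PEM_HEADER)
        end = lines.index(PEM_FOOTER, start)
    except ValueError:
        raise ValueError("no CERTIFICATE armour found") from None
    return base64.b64decode("".join(lines[start + 1:end]), validate=True)


def to_pem_for_apache(data: bytes) -> str:
    """Accept a certificate in either encoding and return PEM text, which is
    the form the Apache HTTPD keystore needs."""
    fmt = detect_format(data)
    if fmt == "PEM":
        return data.decode("ascii")
    if fmt == "DER":
        return der_to_pem(data)
    raise ValueError("unrecognised certificate encoding")


# Constructed sample: SEQUENCE { INTEGER 5 }. Not a certificate, but it has the
# same leading tag byte, which is all detect_format() looks at.
SAMPLE_DER = bytes.fromhex("3003020105")

if __name__ == "__main__":
    # Usage: python cert_to_pem.py signed-cert.cer > HTTPD-SERVER.CER
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            sys.stdout.write(to_pem_for_apache(fh.read()))
    else:
        print(detect_format(SAMPLE_DER), der_to_pem(SAMPLE_DER), sep="\n")
```

Checking the first byte is enough to separate the two encodings because a PEM file begins with ASCII dashes, never 0x30; a file that is neither is most likely a PKCS#7 or PKCS#12 bundle rather than a bare certificate and should not be dropped into the keystore as-is.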
If signing the CSR using the local CA, run one of the following commands:
Notes: The first command syntax will include the "Subject Alternate Names" information within the self-signed certificate. The second command syntax will exclude the "Subject Alternate Names" information. The -days parameter sets the length of time for which the certificate will be valid; in these examples 1825 days (5 years).
13. Create an unencrypted key, which you will then install along with the certificate. From the \Websense\EIP Infra\apache\conf\websense\ssl folder, run the following command:
..\..\..\bin\openssl.exe rsa -in HTTPD-SERVER.KEY -out SERVER.KEY.UNSECURE
Provide the passphrase set in Step 9. This will output SERVER.KEY.UNSECURE in the SSL directory.
Note: It is recommended to rename the original encrypted key to something else and the new unencrypted key (SERVER.KEY.UNSECURE) to HTTPD-SERVER.KEY. In the steps below, HTTPD-SERVER.KEY refers to the unencrypted key.
Installing the Signed Certificate and Key
With the certificate generated by the signing CA and the certificate key, they can now be used by the Forcepoint Management Infrastructure.
14. Stop and disable the "Websense TRITON Web Server" service.
15. Back up the existing HTTPD-SERVER.CER and HTTPD-SERVER.KEY files from \Websense\EIP Infra\apache\conf\keystore\httpd.
16. Move the signed certificate and the HTTPD-SERVER.KEY file generated earlier to the \Websense\EIP Infra\apache\conf\keystore\httpd directory. Ensure that the signed certificate is named "HTTPD-SERVER.CER" and the key is named "HTTPD-SERVER.KEY" (the case is insensitive).
17. Create a backup of the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Websense\EIP Infra
18. Open a Command Prompt and navigate to the \Websense\EIP Infra\apache\conf\keystore\httpd directory.
19. Type the following command (-inform can be set to PEM or DER depending on the format of the key you are converting):
..\..\..\bin\openssl.exe pkcs8 -topk8 -out httpd-server.key.pk8 -in httpd-server.key -v1 PBE-SHA1-3DES -inform PEM
This converts your KEY into the necessary PKCS#8 format.
20. Provide the password for the key and press Enter.
21. Verify that the new key file is created (httpd-server.key.pk8).
22. From the Command Prompt navigate to \Websense\EIP Infra\apache\bin and execute the following command:
bls.exe encrypt [PASSWORD] set
Replace [PASSWORD] with the password you wish to set for the key.
Note: bls.exe encodes the password set on the KEY file within the Windows registry so that Apache can read it without it being in plaintext. Should you need to revert to a previous certificate with a different key password that is unknown, restore the EIP Infrastructure from a backup in order to do so.
23. Check that the encoded password string created in Step 22 using bls.exe is the same as the password string saved in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Websense\EIP Infra\APASSPHRASE. If the password strings do not match, update the value in the APASSPHRASE registry key to be the string from Step 22. If no such key exists, create a DWORD type key and enter the password string from Step 22 as the value.
24. Confirm that httpd-server.key.pk8 is present within the \Websense\EIP Infra\apache\conf\keystore\httpd directory.
Important: Comment out the line containing