How to Create and Install a New Server Certificate for the Forcepoint Management Infrastructure

Summary
Steps to use a certificate signed by a third-party CA.
Notes and Warnings
The following information describes editing the registry. Before proceeding, back up the registry, and be sure you understand how to restore it if a problem occurs. Refer to the Microsoft Knowledge Base article Windows Registry information for advanced users for more information.

Forcepoint provides information on how to edit the Windows registry as a convenience to users, but does not support Windows in any way and will not be responsible for any problems that may arise from editing.

Important Using Registry Editor incorrectly may cause serious problems that could require you to reinstall the operating system. Forcepoint and Microsoft do not guarantee that you can solve problems that result from using the Registry Editor incorrectly. Use Registry Editor at your own risk.

If you already have your own certificate in PKCS#12 (.p12) format, you can extract the .crt and .key files from it with the OpenSSL tool:
  • openssl pkcs12 -in cert.p12 -out server.crt -nodes -clcerts -nokeys
  • openssl pkcs12 -in cert.p12 -out encryptedserver.key -nodes -nocerts

For a dedicated article about using already-signed PFX certificates, see Converting and Installing a Corporate CA Signed PFX Server Certificate for the Forcepoint Management Infrastructure (EIP).
Problem
I want to create a new Forcepoint Security Manager certificate, signed by either an internal or external certificate authority. How do I use OpenSSL in Windows to accomplish this?
 
Solution
Note To use a tool which automates the certificate generation or application process, see Using FSMCertificateImport to Customize Forcepoint Management Infrastructure (EIP) Server Certificates.

The Apache HTTPD server hosts the EIP Infrastructure certificate displayed in the Forcepoint Security Manager (formerly known as the TRITON Manager). If you want to change this certificate, you must create and install a new certificate for the Forcepoint Security Manager (FSM). The Forcepoint Security Appliance Manager (FSAM) will use this new certificate also because it runs on top of the Forcepoint Security Manager. 

Note Before performing this process, ensure that a proper Forcepoint Infrastructure backup has been taken so that you can restore easily if issues arise.

Prepare the Environment

  1. On the Forcepoint Management Server, open \Websense\EIP Infra\apache\conf\ in Windows Explorer.
  2. Make a backup copy of openssl.cnf to an external location.
  3. Open openssl.cnf in a text editor.
  4. In the [ req ] section, add the following new line:
req_extensions = v3_req
  5. In the [ v3_req ] section, add the following new line:
subjectAltName = @alt_names
  6. At the end of the file, add the following lines, including the proper information for your network:
[alt_names]
DNS.1 = <FQDN>
DNS.2 = <HOSTNAME>
DNS.3 = <IP ADDRESS>
IP.1 = <IP ADDRESS>

For example, for a server named fsm that has been joined to the tslab.local domain (ensure that the "EIP Infra" server is added to the domain), the FQDN and hostname entries are:
DNS.1 = fsm.tslab.local
DNS.2 = fsm
DNS.3 = x.x.x.x
IP.1 = x.x.x.x

Note The FQDN and hostname are taken from the "full computer name" and "computer name", respectively, of the server where "EIP Infra" is installed.
 
  7. (Optional) Add further DNS.x or IP.x values as needed to cover every DNS name, hostname and IP address used to reach the Forcepoint Manager. Depending on the signing authority, some fields may not be necessary or valid, so confirm with that authority beforehand. These additions to openssl.cnf specify the Subject Alternative Name (SAN) entries to include in the certificate request.
  8. Open an administrative Command Prompt and navigate to the \Websense\EIP Infra\apache\conf\websense\ssl directory. Point the openssl executable at the EIP Infra configuration file by creating an OPENSSL_CONF environment variable.
Note The openssl executable provided in the apache\bin folder is not actually installed into the operating system. If the environment variable is not set, it looks for openssl.cnf under /usr/local/ssl/, which does not exist on Windows.

Use the following Command Prompt command to set a machine-wide OPENSSL_CONF environment variable pointing to the Apache openssl.cnf file:
setx OPENSSL_CONF "C:\Program Files (x86)\Websense\EIP Infra\apache\conf\openssl.cnf" /M
Note The path to openssl.cnf will differ if the Management Infrastructure has been installed to a different location than the default. Update this path as necessary.

This can also be done from the Control Panel under System > Environment Variables.

Important
Restart the Command Prompt before running echo: environment variables do not take effect until the prompt is restarted.

Confirm that the following command returns the correct location:
echo %OPENSSL_CONF%
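The environment prepared above can be verified in one pass. The following PowerShell script is an added example, not part of the Forcepoint article: it parses openssl.cnf, confirms the [ req ], [ v3_req ] and [alt_names] additions, validates each IP.x entry, checks that the expected FQDN and hostname appear as DNS.x entries (the article's sample values fsm.tslab.local and fsm are used as constructed defaults), and verifies the machine-scope OPENSSL_CONF variable. The default path and the function names are assumptions.

```powershell
# Added example, not from the Forcepoint article: lints the openssl.cnf edits made
# above and checks the OPENSSL_CONF variable. Paths follow the article's defaults;
# $ExpectedNames holds the article's constructed sample FQDN and hostname.
param(
    [string]$ConfPath = 'C:\Program Files (x86)\Websense\EIP Infra\apache\conf\openssl.cnf',
    [string[]]$ExpectedNames = @('fsm.tslab.local', 'fsm')
)

# Minimal openssl.cnf parser: @{ section = [ordered]@{ key = value } }. Section names
# are trimmed so "[ req ]" and "[req]" match; the sections we check always exist.
function Read-OpenSslConf([string]$Path) {
    $conf = @{ '' = [ordered]@{}; 'req' = [ordered]@{}; 'v3_req' = [ordered]@{}; 'alt_names' = [ordered]@{} }
    $section = ''
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = ($raw -split '#', 2)[0].Trim()                    # strip comments and blanks
        if (-not $line) { continue }
        if ($line -match '^\[\s*(.+?)\s*\]$') {
            $section = $Matches[1]
            if (-not $conf.ContainsKey($section)) { $conf[$section] = [ordered]@{} }
        } elseif ($line -match '^([^=]+?)\s*=\s*(.*)$') {
            $conf[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $conf
}

# Returns the list of problems found; an empty list means the SAN set-up is complete.
function Test-SanConfig([string]$Path, [string[]]$Expected) {
    $conf = Read-OpenSslConf $Path
    $problems = @(); $dns = @(); $parsed = $null
    if ($conf['req']['req_extensions'] -ne 'v3_req') { $problems += '[ req ] lacks "req_extensions = v3_req"' }
    if ($conf['v3_req']['subjectAltName'] -ne '@alt_names') { $problems += '[ v3_req ] lacks "subjectAltName = @alt_names"' }
    if ($conf['alt_names'].Count -eq 0) { $problems += '[alt_names] section is missing or empty' }
    foreach ($entry in $conf['alt_names'].GetEnumerator()) {
        $isIp = [System.Net.IPAddress]::TryParse($entry.Value, [ref]$parsed)
        switch -Regex ($entry.Key) {
            '^DNS\.\d+$' { $dns += $entry.Value          # the article allows an IP here but says to confirm with the CA
                           if ($isIp) { $problems += "$($entry.Key) holds an IP literal; confirm the signing CA accepts it" } }
            '^IP\.\d+$'  { if (-not $isIp) { $problems += "$($entry.Key) = $($entry.Value) is not a valid IP address" } }
            default      { $problems += "unexpected [alt_names] entry $($entry.Key)" }
        }
    }
    foreach ($name in $Expected) { if ($dns -notcontains $name) { $problems += "DNS.x entries do not include $name" } }
    # setx /M writes the machine-scope variable; a prompt opened earlier still sees the old value
    if ([Environment]::GetEnvironmentVariable('OPENSSL_CONF', 'Machine') -ne $Path) { $problems += 'machine-scope OPENSSL_CONF does not point at this openssl.cnf' }
    return $problems
}
$issues = @(Test-SanConfig -Path $ConfPath -Expected $ExpectedNames)
if ($issues.Count -eq 0) { 'openssl.cnf SAN configuration looks complete' } else { $issues }
```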
 

Create a Certificate Signing Request

Note The following commands assume that the Command Prompt has navigated to the "\Websense\EIP Infra\apache\conf\websense\ssl" folder.
 
  9. Generate the key and set its passphrase (make a note of it for the following steps):
..\..\..\bin\openssl.exe genrsa -des3 -out HTTPD-SERVER.KEY 2048
This creates HTTPD-SERVER.KEY within the SSL folder.
  10. Generate the certificate request with the passphrase set in the previous step:
..\..\..\bin\openssl.exe req -new -out HTTPD-SERVER.CSR -key HTTPD-SERVER.KEY
or, for a stronger signature algorithm, add -sha512 (or higher):
..\..\..\bin\openssl.exe req -sha512 -new -out HTTPD-SERVER.CSR -key HTTPD-SERVER.KEY

Complete the prompts that appear. This creates HTTPD-SERVER.CSR in the SSL directory.
  11. Verify that the Subject Alternative Names are present in the request:
..\..\..\bin\openssl.exe req -text -noout -in HTTPD-SERVER.CSR

  12. Sign the CSR using ONE of the two methods below:
 

Using a Certificate Authority (CA):

  • Send the CSR to the signing Certificate Authority (CA), preferably via a web interface that can output the certificate as a PEM/Base-64 certificate. DER certificates are incompatible with Apache HTTPD services.
  • If you cannot use a web interface, convert the certificate from DER to PEM/Base-64 using OpenSSL. See The Most Common OpenSSL Commands and scroll to Converting Using OpenSSL.
  • If you are using a third-party certificate vendor, select "Apache Web Server" as the target server in order to receive the correct certificate type.
 

Using a Local CA:

If signing the CSR using the local CA, run one of the following commands:

Note The '-days' parameter sets the length of time for which the certificate will be valid, which in these examples is 1825 days (5 years).

The first command includes the Subject Alternative Name information within the self-signed certificate:
  • ..\..\..\bin\openssl.exe x509 -req -days 1825 -extfile ..\..\openssl.cnf -extensions v3_req -in HTTPD-SERVER.CSR -signkey HTTPD-SERVER.KEY -out NEW-SERVER.CRT
The second command excludes the Subject Alternative Name information:
  • ..\..\..\bin\openssl.exe x509 -req -days 1825 -in HTTPD-SERVER.CSR -signkey HTTPD-SERVER.KEY -out HTTPD-SERVER.CER

 

  13. Create an un-encrypted key, which you will then install along with the certificate. From the "\Websense\EIP Infra\apache\conf\websense\ssl" folder, run the following command:
..\..\..\bin\openssl.exe rsa -in HTTPD-SERVER.KEY -out SERVER.KEY.UNSECURE
Provide the passphrase set in Step 9. This outputs SERVER.KEY.UNSECURE in the SSL directory.

Note It is recommended to rename the original encrypted key to something else and the new un-encrypted key (SERVER.KEY.UNSECURE) to HTTPD-SERVER.KEY. In the steps below, HTTPD-SERVER.KEY refers to the un-encrypted key.
 

Installing the Signed Certificate and Key

With the certificate generated by the signing CA and the certificate key, they can now be used by the Forcepoint Management Infrastructure.
 
  14. Stop and disable the "Websense TRITON Web Server" service.
  15. Back up the existing HTTPD-SERVER.CER and HTTPD-SERVER.KEY files from "\Websense\EIP Infra\apache\conf\keystore\httpd".
  16. Move the signed certificate and the HTTPD-SERVER.KEY file generated earlier to the "\Websense\EIP Infra\apache\conf\keystore\httpd" directory. Ensure that the signed certificate is named "HTTPD-SERVER.CER" and the key is named "HTTPD-SERVER.KEY" (the names are case-insensitive).
  17. Create a backup of the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Websense\EIP Infra
  18. Open a Command Prompt and navigate to the \Websense\EIP Infra\apache\conf\keystore\httpd directory.
  19. Type the following command (-inform can be set to PEM or DER depending on the format of the key you are converting):
..\..\..\bin\openssl.exe pkcs8 -topk8 -out httpd-server.key.pk8 -in httpd-server.key -v1 PBE-SHA1-3DES -inform PEM
This converts your .KEY file into the required PKCS#8 format.
Note If the key does not have a passphrase, add '-nocrypt' to the command to skip the password prompt in Step 20.
  20. Provide the password for the key and press Enter.
  21. Verify that the new key file (httpd-server.key.pk8) has been created.
  22. From the Command Prompt, navigate to \Websense\EIP Infra\apache\bin and execute the following command:
bls.exe encrypt [PASSWORD] set
Replace [PASSWORD] with the password you wish to set for the key. In general, a simple password without special characters is recommended; otherwise refer to Supported Special Characters in Forcepoint DLP Environments.

Note bls.exe encodes the password set on the .KEY file into the Windows registry so that Apache can read it without it being stored in plain text. Should you need to revert to a previous certificate whose key password is unknown, restore the EIP Infrastructure from a backup in order to do so.

  23. Check that the encoded password string created in Step 22 using bls.exe is the same as the password string saved in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Websense\EIP Infra\APASSPHRASE. If the password strings do not match, update the value in the APASSPHRASE registry key to the string from Step 22. If no such key exists, create a DWORD type key and enter the password string from Step 22 as the value.
  24. Confirm that httpd-server.cer, httpd-server.key, and httpd-server.key.pk8 are present within the \Websense\EIP Infra\apache\conf\keystore\httpd directory.
Important Comment out the line containing "SSLCertificateChainFile conf/keystore/httpd/httpd-ca.cer" in httpd-ssl.conf within the \Websense\EIP Infra\apache\conf\extra folder.
  25. Enable and start the "Websense TRITON Web Server" service.
Note If the TRITON Web Server service won't start and error.log says "SSLPassPhraseDialog builtin is not supported on Win32", check httpd-ssl.conf to make sure the SSLPassPhraseDialog line is not commented out.
  26. Test and confirm that the web interface loads and is using the new certificate. If errors are encountered, review the steps to ensure they were performed properly. If severe issues are encountered, restore from a backup of the Forcepoint Management Infrastructure and perform the process again.
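Before starting the service, the keystore, httpd-ssl.conf and registry state produced by the signing and installation steps above can be checked in one go. The following PowerShell script is an added example, not from the Forcepoint article: it confirms that the three keystore files exist, that httpd-server.cer is PEM/Base-64, that the certificate's RSA modulus matches httpd-server.key (using the bundled openssl.exe, which the article leaves as the un-encrypted key), that SSLCertificateChainFile is commented out while SSLPassPhraseDialog is active, and that an APASSPHRASE registry value is present. The default install root and the function name are assumptions.

```powershell
# Added example, not from the Forcepoint article: pre-flight check of the keystore,
# httpd-ssl.conf and registry state described in the installation steps above,
# using the openssl.exe bundled with the Management Infrastructure. Paths follow
# the article's defaults; override -EipRoot for a non-default install.
param([string]$EipRoot = 'C:\Program Files (x86)\Websense\EIP Infra')

$openssl  = Join-Path $EipRoot 'apache\bin\openssl.exe'
$keystore = Join-Path $EipRoot 'apache\conf\keystore\httpd'
$sslConf  = Join-Path $EipRoot 'apache\conf\extra\httpd-ssl.conf'
$regKey   = 'HKLM:\SOFTWARE\Wow6432Node\Websense\EIP Infra'

function Test-CertificateInstall {
    $problems = @()
    # all three keystore files must be present (names are case-insensitive on NTFS)
    foreach ($f in 'httpd-server.cer', 'httpd-server.key', 'httpd-server.key.pk8') {
        if (-not (Test-Path -LiteralPath (Join-Path $keystore $f))) { $problems += "missing $f in $keystore" }
    }
    $cer = Join-Path $keystore 'httpd-server.cer'; $key = Join-Path $keystore 'httpd-server.key'
    if (Test-Path -LiteralPath $cer) {
        # Apache HTTPD needs PEM/Base-64; a DER file is binary and has no BEGIN line
        if ((Get-Content -LiteralPath $cer -TotalCount 1) -notmatch '^-----BEGIN CERTIFICATE-----') { $problems += 'httpd-server.cer is not PEM/Base-64 encoded' }
    }
    if ((Test-Path -LiteralPath $cer) -and (Test-Path -LiteralPath $key) -and (Test-Path -LiteralPath $openssl)) {
        # the certificate must have been issued for this key: compare RSA moduli
        # (-passin with an empty password avoids hanging on a prompt if the key is still encrypted)
        $certMod = & $openssl x509 -noout -modulus -in $cer 2>$null
        $keyMod  = & $openssl rsa  -noout -modulus -in $key -passin 'pass:' 2>$null
        if (-not $certMod -or $certMod -ne $keyMod) { $problems += 'httpd-server.cer does not match httpd-server.key (modulus differs or key unreadable)' }
    }
    if (Test-Path -LiteralPath $sslConf) {
        $lines = Get-Content -LiteralPath $sslConf
        # per the article: SSLCertificateChainFile commented out, SSLPassPhraseDialog left active
        if ($lines -match '^\s*SSLCertificateChainFile\b') { $problems += 'SSLCertificateChainFile is still active in httpd-ssl.conf' }
        if (-not ($lines -match '^\s*SSLPassPhraseDialog\b')) { $problems += 'SSLPassPhraseDialog is commented out or missing in httpd-ssl.conf' }
    } else { $problems += "httpd-ssl.conf not found at $sslConf" }
    # the bls.exe-encoded passphrase must be stored under APASSPHRASE
    $apass = (Get-ItemProperty -Path $regKey -Name APASSPHRASE -ErrorAction SilentlyContinue).APASSPHRASE
    if (-not $apass) { $problems += "APASSPHRASE value not found under $regKey" }
    return $problems
}

$issues = @(Test-CertificateInstall)
if ($issues.Count -eq 0) { 'keystore, httpd-ssl.conf and registry look ready; start the Websense TRITON Web Server service' } else { $issues }
```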

For more information, please refer to the following Knowledgebase Video:
Video: How to Create and Install a New Server Certificate for the Forcepoint Management Infrastructure