Generating, importing, and exporting a new self-signed OpenSSL certificate for InterScan Messaging Security Suite (IMSS)

Support
Solution ID Last Updated
1035429 Date : 2014/03/20 Time:1:45 AM , (PST)


Product/Version Platform
InterScan Messaging Security Suite - 7.1 Windows, 7.5 Windows;
Windows - 2000 Advanced Server, 2000 Server, 2003 Enterprise Server, 2003 Standard Server Edition, 2008 Enterprise Server, 2008 Enterprise Server Edition 64-bit, 2008 Standard Server Edition, 2008 Standard Server Edition 64-bit

Problem Description

Create a new self-signed OpenSSL certificate via administration console.
By default, the IMSS SMTP Service already has a certificate installed and is ready for inbound Transport Layer Security (TLS) connections.

Solution

[ Expand All ]

 

Generating a certificate

The SMTP Service requires both the IMSS Server Private Key and Certificate (Public Key) to be stored in unencrypted form, in a single PEM-format file.
To generate a certificate:
  1. Run the following command:
    openssl.exe req -new -x509 -days-nodes -config-out-keyout
    Where:
    req Creates and processes certificate requests in PKCS#10 format
    -new Prompts for user information specified in the OpenSSL configuration file, such as: Country, State, Organization and Common Name
    -x509 Creates a self-signed certificate rather than a certificate request
    -days Number of days that certificate will be valid
    -nodes Private Key is generated in unencrypted form and avoids prompting for a pass phrase every time the certificate is used
    -config <openssl_config_file> Path and file name of the OpenSSL configarion file (usually openssl.cnf)
    -*out <cert_name.pem> Path and file name of the certificate to be generated (both -out and -keyout arguments should point to the same file)
    Below is a sample screen output of the Certificate generation process using OpenSSL:
    E:\Program Files\Trend Micro\IMSS\ui\apache\bin>openssl.exe req -new -x509 -
    days 1460 -nodes -config openssl.cnf -out tsmtpd.pem -keyout tsmtpd.pem
    Loading 'screen' into random state - done
    Generating a 1024 bit RSA private key
    .................++++++
    ...................++++++
    writing new private key to 'tsmtpd.pem'
  2. Enter the information that would be incorporated into your certificate request. Enter a Distinguished Name or DN.
    There are some fields that you can leave blank, while others would have a default value. If you enter '.', the field will be left blank.
    Country Name (2 letter code) [PH]:
    Locality Name (eg, city) []:Manila
    Organization Name (eg, Company) []:Trend Micro
    Organizational Unit Name (eg, Department, Division) []:Global Training
    Common Name (eg, hostname or YOUR name) []:server01.tmcourse.net
    Email Address []:jm@support.trendmicro.com
    E:\Program Files\Trend Micro\IMSS\ui\apache\bin>
  3. Run the following command to change the certificate format to PFX, which is an acceptable format for version 7.1:
    openssl pkcs12 -export -out text.pfx -in
    where: "" is the .PEM file generated above
IMSS has the following restrictions:
  • Only unencrypted OpenSSL generated certificates are supported
  • Both Private and Public keys must be stored in the same PEM-format file
The\bin\pemverify.exe tool can be used to verify if a Certificate meets the requirements.
The generated certificate can then be uploaded to the SMTP Routing > Connections section of the administration console. The uploaded certificate is stored in tb_mta_config/ [Common]/ SSLCertData and can be exported to a file using the same section of the administration console.

 

Configuring the SMTP Service

Incoming TLS Settings
The default configuration of the IMSS SMTP Service does not require TLS for inbound connections to its SMTP port (default is port 25) but offers this option (STARTTLS) in response to the EHLO command from the SMTP client:
220 tmcourse.net [ESMTP Server] service ready;ESMTP Server; 04/16/07 18:22:18
ehlo tmcourse.net
250-tmcourse.net
250-SIZE 16777216
250-8BITMIME
250 STARTTLS
The configuration can be modified to either force all inbound connections to use TLS or selectively force hosts to use TLS based on the IP address or Domain Name of the connection hosts (SMTP clients). When the SMTP Service is configured to force SMTP clients to use TLS and an SMTP client tries to send messages to the SMTP Service without first establishing TLS, the SMTP Service returns an error. Below is an example of such transaction:
220 tmcourse.net [ESMTP Server] service ready;ESMTP Server; 04/16/07 18:22:18
ehlo tmcourse.net
250-tmcourse.net
250-SIZE 16777216
250-8BITMIME
250 STARTTLS
mail from: <>
530 Must issue a STARTTLS command first -
Outgoing TLS Settings
The IMSS SMTP Service can be configured to establish TLS communication for all outgoing messages. Use the administration console to set up. If configured and the downsteam SMTP server supports TLS, the TLS communication is established. Otherwise, unencrypted SMTP communication is used.
This global outgoing TLS setting can be overwritten by the individual Domain-based Relay Host and Default Delivery Relay Host settings discussed in section 4.4.1 on p.87 and section 4.4.2 on p.88 respectively.
Note: The SMTP Service does not verify the authenticity of the Certificate it receives from the downstream MTA, nor does it check if the Common Name in the Certificate matches the FQDN of the downstream MTA.
Windows 2008 is only supported in IMSS 7.1 for Windows. You can refer to the IMSS 7.1 for Windows Readme for more information.


Rate this Solution
Did this article help you?

Please provide your comments to help us improve this solution.

 
  *This form is an automated system. General questions, technical, sales and product-related issues submitted through this form will not be answered.
 
 

Connect with us on