Symptom:
The Forcepoint Security Manager shows a certificate warning when trying to access it.
Cause:
The default installation of the FSM uses a self-signed certificate for the management portal, which is not trusted by the users.
Solution:
Do the following to create a CSR and apply a domain certificate to the management server:
- Connect to the Forcepoint Security Manager server via RDP
- Open the command line (Start > run > cmd) and navigate to the following path:
D:\Program Files (x86)\Websense\EIP Infra\apache\bin
- Run the following commands to generate a strong key and corresponding CSR:
openssl genrsa -aes256 -out server.key 2048
openssl req -out server.csr -pubkey -config "D:\Program Files (x86)\Websense\EIP Infra\apache\conf\openssl.cnf" -new -key server.key -sha256 -nodes
Substitute the appropriate path for the default path shown in the example, and provide the following information when prompted:
<country code> If your organization is located in the United States, for example, enter US.
<state code> If your organization is located in California, for example, enter CA.
<city name> For example, SanDiego.
<organization> For example, MyCompany.
<organizational unit> This may be a repeat of the organization name.
<server IP address> Enter the IP address of the Websense Manager machine.
<email address> For example, info@mycompany.com.
- Fill in all the required details for the CSR
- Open the server.csr file created in steps 3 & 4 and copy the certificate request section (the block from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----)
- Go to your domain CA requests website (usually https://ca-name/certsrv)
- Pick Request Certificate > Advanced Certificate Request and paste the request in the correct field.
- Pick a Web Server certificate template according to your organization's policy
- Under attributes, you can add the Subject Alternative Names for your request, allowing the certificate to validate more than just the CN:
san:ipaddress=10.1.1.200&dns=triton.bulwarx.com&dns=triton
Where:
ipaddress - the IPv4 address of the server
dns - any name you want the certificate to verify
- Your final request should look similar to this:
- Click Submit and download the certificate in DER format
- Rename the file to server.cer and transfer the certificate back to the server, to the same folder as your key, e.g.:
D:\Program Files (x86)\Websense\EIP Infra\apache\bin
At this point, you should have 3 files in the bin folder: server.key, server.csr & server.cer
- Use the following command to strip the encryption from the key:
openssl rsa -in server.key -out server-nocrypt.key
- Convert the DER certificate to PEM:
openssl x509 -inform der -in server.cer -out server.pem
- Transfer both server.pem and server-nocrypt.key to the following folder:
D:\Program Files (x86)\Websense\EIP Infra\apache\conf\keystore\httpd
- Rename the existing certificate and key files to .old:
httpd-server.cer => httpd-server.cer.old
httpd-server.key.pk8 => httpd-server.key.pk8.old
- Rename your new files to the correct file names:
server.pem => httpd-server.cer
server-nocrypt.key => httpd-server.key.pk8
- Restart the Forcepoint web management services (Websense TRITON Web Server & Websense TRITON Unified Security Center):
net stop EIPManager && net stop EIPManagerProxy && net start EIPManager && net start EIPManagerProxy
- Access the web management URL via the CN or one of the configured SANs and make sure the certificate is no longer invalid.
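A pre-swap check, as an added example that is not part of the original article: run it after converting the certificate to PEM and before renaming the files in the keystore folder, to confirm that the decrypted key belongs to the issued certificate and that the CA kept the requested SANs. It assumes PowerShell is started in the apache\bin folder from the steps above; the helper name Invoke-OpenSsl is hypothetical and the expected SAN values are the ones from the article's sample request.

```powershell
# Added example, not part of the original article.
# Assumes PowerShell is started in the apache\bin folder used above, which
# holds openssl.exe, server.pem and server-nocrypt.key.
# Expected SAN entries below are the ones from the article's sample request.
$expectedSans = @('IP Address:10.1.1.200', 'DNS:triton.bulwarx.com', 'DNS:triton')

function Invoke-OpenSsl {   # hypothetical helper name
    param([string[]]$Arguments)
    # Run openssl.exe and stop on a non-zero exit code
    $out = & .\openssl.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "openssl $($Arguments -join ' ') failed" }
    return $out
}

# 1. The key file must hold exactly one, unencrypted, PEM block.
$keyLines = @(Get-Content 'server-nocrypt.key')
$blocks = @($keyLines | Where-Object { $_ -like '-----BEGIN*' })
if ($blocks.Count -ne 1) { throw "expected 1 PEM block in key file, found $($blocks.Count)" }
if ($keyLines -match 'ENCRYPTED') { throw 'server-nocrypt.key is still passphrase-protected' }

# 2. Key and certificate must carry the same RSA modulus.
$certMod = Invoke-OpenSsl @('x509', '-in', 'server.pem', '-noout', '-modulus')
$keyMod  = Invoke-OpenSsl @('rsa', '-in', 'server-nocrypt.key', '-noout', '-modulus')
if ("$certMod" -ne "$keyMod") {
    throw 'server-nocrypt.key does not match server.pem; do not replace the live files'
}

# 3. The issued certificate must list every SAN that was requested.
$text = @(Invoke-OpenSsl @('x509', '-in', 'server.pem', '-noout', '-text'))
$i = 0..($text.Count - 1) |
    Where-Object { $text[$_] -match 'Subject Alternative Name' } |
    Select-Object -First 1
$sans = @()
if ($null -ne $i) { $sans = $text[$i + 1].Trim() -split ',\s*' }
$missing = @($expectedSans | Where-Object { $sans -notcontains $_ })
if ($missing.Count) { throw "certificate is missing SAN(s): $($missing -join ', ')" }

# 4. Print subject and validity dates for a final manual check.
Invoke-OpenSsl @('x509', '-in', 'server.pem', '-noout', '-subject', '-dates')
Write-Host 'OK: key matches certificate and all expected SANs are present'
```

server-nocrypt.key holds the private key without passphrase protection, so after the swap make sure no copy of it remains in the bin folder.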