[Forcepoint] [Management] How to replace the Forcepoint web management certificate

Symptom:

The Forcepoint Security Manager shows a certificate warning when trying to access it

Cause:

This is caused by the fact that the default installation of the FSM uses a self-signed certificate for the management portal which is not trusted by the users.

Solution:

Please do the following create a CSR and apply a domain certificate to the management server:

1. Connect to the Forcepoint Security Manager server via RDP
2. Open the command line (Start > run > cmd) and navigate to the following path:
   

   D:\Program Files (x86)\Websense\EIP Infra\apache\bin

   Plain text

3. Run the following commands to generate a strong key and corresponding CSR:

   openssl genrsa -aes256 -out server.key 2048
   openssl req -out server.csr -pubkey -config "D:\Program Files (x86)\Websense\EIP Infra\apache\conf\openssl.cnf" -new -key server.key -sha256 -nodes

   Plain text
   Substitute the appropriate path for the default path shown in the example, and provide the following information when prompted:
   

   <country code> If your organization is located in the United States, for example, enter US.
   <state code> If your organization is located in California, for example, enter CA.
   <city name> For example, SanDiego.
   <organization> For example, MyCompany 
   <organizational unit> This may be a repeat of the organization name.
   <server IP address> Enter the IP address of the Websense Manager machine.
   <email address> For example, info@mycompany.com.

   Plain text

4. Fill in all the required details for the CSR

5. Open the server.csr file created in step 3 & 4, copy the certificate request section
   

   
   

6. Go to your domain CA requests website (usually https://ca-name/certsrv)

7. Pick Request Certificate > Advanced Certificate Request and paste the request in the correct field.

8. Pick a Web Server certificate template according to your organization's policy

9. Under attributes, you can add the Subject Alternative Names for your request, allowing the certificate to validate more then just the CN:

   san:ipaddress=10.1.1.200&dns=triton.bulwarx.com&dns=triton
   
   Where:
   ipaddress - the IPv4 address of the server
   dns - any name you want the certificate to verify

   Plain text

   your final request should look similar to this:
   

10. Click submit and download the DER certificate format
    

11. Rename the file to server.cer and transfer the certificate back to the server to the same folder as your key, e.g

    D:\Program Files (x86)\Websense\EIP Infra\apache\bin

    Plain text

    At this point, you should have 3 files in the bin folder: server.key, server.csr & server.cer

12. Use the following command to strip the key from its encryption:

    openssl rsa -in server.key >> server-nocrypt.key

    Plain text

13. Convert the DER certificate to PEM:

    openssl x509 -inform der -in server.cer -out server.pem

    Plain text

14. Transfer both the server.pem & server-nocrypt.key to the following folder:

    D:\Program Files (x86)\Websense\EIP Infra\apache\conf\keystore\httpd

    Plain text

15. Rename the existing certificate and key files to .old:

    httpd-server.cer => httpd-server.cer.old
    httpd-server.key.pk8 => httpd-server.key.pk8.old

    Plain text
16. Rename your new files to the correct file names:

    server.pem => httpd-server.cer
    server-nocrypt.key => httpd-server.key.pk8

    Plain text

17. Restart the Forcepoint web management services (Websense TRITON Web Server & Websense TRITON Unified Security Center):

    net stop EIPManager && net stop EIPManagerProxy && net start EIPManager && net start EIPManagerProxy

    Plain text

18. Access the web management URL via the CN or one of the configured SAN and make sure the certificate is no longer invalid: