Symptom:


The browser shows a certificate warning when you open the Forcepoint Security Manager (FSM) web console.



Cause:


A default FSM installation serves the management portal with a self-signed certificate. The browser cannot chain it to a trusted CA, so every visit raises the warning, and users who get used to clicking through it lose any protection against a forged portal on the same path.



Solution:


To replace it, create a CSR, have your domain CA issue a certificate for it, and install that certificate on the management server:

  1. Connect to the Forcepoint Security Manager server via RDP
  2. Open the command line (Start > run > cmd) and navigate to the following path:
    D:\Program Files (x86)\Websense\EIP Infra\apache\bin
  3. Run the following commands to generate a strong key and corresponding CSR:

    openssl genrsa -aes256 -out server.key 2048
    openssl req -new -key server.key -sha256 -config "D:\Program Files (x86)\Websense\EIP Infra\apache\conf\openssl.cnf" -out server.csr
    Substitute your installation path if it differs from the default shown above. genrsa asks for a passphrase that protects server.key until it is installed (step 12 removes it again, because Apache must load the key unattended). The req command then prompts for the subject fields:
    Country Name: the two-letter code, for example US.
    State or Province Name: for example CA.
    Locality Name: for example San Diego.
    Organization Name: for example MyCompany.
    Organizational Unit Name: may repeat the organization name.
    Common Name: the fully qualified hostname users type into the browser, for example triton.bulwarx.com (matching the SAN example in step 9). Use the IP address only if the console is always opened by IP. Modern browsers ignore the CN and validate the Subject Alternative Names only, so every name or address entered here must also appear in the SANs added in step 9.
    Email Address: for example info@mycompany.com.
    If prompted for a challenge password or an optional company name, leave both blank.
  4. Answer every prompt; the command writes server.csr next to server.key.

  5. Open the server.csr file created in steps 3 and 4 in a text editor and copy the whole block from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST----- inclusive.


  6. Go to your domain CA's web enrollment site (Active Directory Certificate Services, usually https://ca-name/certsrv).

  7. Pick Request a certificate > advanced certificate request and paste the request into the Saved Request field.

  8. Pick a Web Server certificate template (one whose extended key usage includes Server Authentication) according to your organization's policy.

  9. Under Additional Attributes you can add Subject Alternative Names so that the certificate validates for more than the CN alone:

    san:ipaddress=10.1.1.200&dns=triton.bulwarx.com&dns=triton
    
    Where:
    ipaddress - the IPv4 address of the server
    dns - any name you want the certificate to verify (repeat dns= for each one)

    The CA honours this attribute only if the EDITF_ATTRIBUTESUBJECTALTNAME2 flag is enabled on it, and that flag is a well-known privilege-escalation risk: with it set, any enrollee can put an arbitrary SAN, including another user's UPN, into a request for any template the CA offers, so it should not be switched on just for this request. The safer route is to embed the SANs in the CSR itself (a subjectAltName entry under req_extensions in the openssl config used in step 3) and leave the attribute box empty.

    Your final request form should then contain the pasted CSR, the chosen template and, if you used it, the SAN attribute.

  10. Click Submit and, on the Certificate Issued page, download the certificate in DER encoded format. (If the template requires certificate manager approval, the request stays pending until a CA administrator issues it.) Choosing Base 64 encoded instead gives you PEM directly and lets you skip step 13.

  11. Rename the file to server.cer and transfer the certificate back to the server, into the same folder as your key, e.g.

    D:\Program Files (x86)\Websense\EIP Infra\apache\bin

    At this point, you should have 3 files in the bin folder: server.key, server.csr & server.cer

  12. Remove the passphrase from the key so that Apache can load it without prompting:

    openssl rsa -in server.key -out server-nocrypt.key

    You will be asked for the passphrase chosen in step 3. The result is an unprotected private key: keep its NTFS ACL limited to SYSTEM, Administrators and whatever account the Websense TRITON Web Server service runs as, and delete the copy left in the bin folder once step 16 is done. The target file name in step 16 ends in .pk8 (PKCS#8); openssl rsa on OpenSSL 1.x writes the traditional PKCS#1 form instead, which Apache's mod_ssl also accepts. Should the service refuse the key after step 17, convert it to PKCS#8 (openssl pkcs8 -topk8 -nocrypt) and retry.
  13. Convert the DER certificate to PEM (skip this if you downloaded it Base 64 encoded):

    openssl x509 -inform der -in server.cer -out server.pem
  14. Transfer both the server.pem & server-nocrypt.key to the following folder:

    D:\Program Files (x86)\Websense\EIP Infra\apache\conf\keystore\httpd
  15. Rename the existing certificate and key files to .old, and keep them until the new certificate is confirmed working:

    httpd-server.cer => httpd-server.cer.old
    httpd-server.key.pk8 => httpd-server.key.pk8.old
  16. Rename your new files to the correct file names:
    server.pem => httpd-server.cer
    server-nocrypt.key => httpd-server.key.pk8
  17. Restart the Forcepoint web management services (Websense TRITON Web Server & Websense TRITON Unified Security Center):

    net stop EIPManager && net stop EIPManagerProxy && net start EIPManager && net start EIPManagerProxy
  18. Open the management URL using the CN or one of the configured SANs (not a name that is missing from the certificate) and confirm that the browser shows no warning and that the certificate chains to your domain CA. Test from a non-domain-joined client as well: domain members receive the enterprise CA's root and intermediate certificates automatically through Active Directory, while other clients need the root in their trust store and the full chain from the server. A warning that appears only on those clients points at a missing intermediate in the chain served by Apache, not at the server certificate itself.
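The key, CSR and verification steps above, rewritten as an added example (not a Forcepoint script): a POSIX shell script built on the same openssl commands, which run unchanged from cmd on the management server. It embeds the SANs in the CSR itself, so the CA needs no SAN attribute and EDITF_ATTRIBUTESUBJECTALTNAME2 can stay off; generates the key without a passphrase, since Apache has to load it unattended anyway and step 12 then disappears; checks that key and CSR carry the same public key; and, once the CA has issued the certificate, converts the DER file and the key into the two files FSM expects under conf\keystore\httpd. The hostnames, IP address, subject fields and file names are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not Forcepoint's own tooling. All names, addresses and
# DN values are constructed placeholders; replace them with your own.
set -eu

# Write a minimal openssl config carrying the subject and the SANs, so the
# request itself asks for every name the browser will use (no CA-side
# SAN attribute, no EDITF_ATTRIBUTESUBJECTALTNAME2 needed).
# $1 = output directory, $2 = FQDN (also the CN), $3 = short name, $4 = IPv4
write_san_config() {
  local dir="$1" fqdn="$2" short="$3" ip="$4"
  cat > "$dir/san.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
C  = US
ST = CA
L  = San Diego
O  = MyCompany
OU = IT
CN = $fqdn

[ v3_req ]
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$fqdn, DNS:$short, IP:$ip
EOF
}

# Generate a 2048-bit RSA key with no passphrase (Apache must read it at
# service start) and a SHA-256 CSR. umask 077 keeps the key private from
# the moment it is written; on Windows, restrict the NTFS ACL instead.
make_key_and_csr() {
  local dir="$1" fqdn="$2" short="$3" ip="$4"
  write_san_config "$dir" "$fqdn" "$short" "$ip"
  (umask 077 && openssl genrsa -out "$dir/server.key" 2048)
  openssl req -new -sha256 -key "$dir/server.key" \
    -config "$dir/san.cnf" -out "$dir/server.csr"
}

# Return 0 if the CSR carries the given SAN entry as the CA will see it,
# e.g. "DNS:triton" or "IP Address:10.1.1.200".
csr_has_san() {
  openssl req -in "$1" -noout -text | grep -q -- "$2"
}

# SHA-256 over the PEM public key, so key, CSR and issued certificate can
# be compared.  $1 = key|csr|cert, $2 = file
pubkey_digest() {
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 if the private key belongs to the CSR or to the issued certificate.
# $1 = key file, $2 = csr|cert, $3 = CSR or certificate file
key_matches() {
  [ "$(pubkey_digest key "$1")" = "$(pubkey_digest "$2" "$3")" ]
}

# Turn the CA's DER download and the key into the files FSM expects:
# httpd-server.cer (PEM certificate) and httpd-server.key.pk8 (unencrypted
# PKCS#8 key). Refuses to proceed if the certificate does not match the key,
# which is what happens when a CSR from an older key pair was submitted.
# $1 = key file, $2 = DER certificate from the CA, $3 = output directory
export_for_apache() {
  openssl x509 -inform der -in "$2" -out "$3/httpd-server.cer"
  key_matches "$1" cert "$3/httpd-server.cer" \
    || { echo "certificate does not match key" >&2; return 1; }
  (umask 077 && openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$3/httpd-server.key.pk8")
  # Subject, issuer and validity; add -text to see the SANs the CA kept.
  openssl x509 -in "$3/httpd-server.cer" -noout -subject -issuer -dates
}

if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_key_and_csr "$d" triton.example.com triton 10.1.1.200
  csr_has_san "$d/server.csr" "DNS:triton.example.com" && echo "SAN present"
  key_matches "$d/server.key" csr "$d/server.csr" && echo "key matches CSR"
  echo "submit $d/server.csr to the CA, then: export_for_apache key cert.der outdir"
fi
```

Run it with the demo argument to see the CSR and key produced in a temporary directory; after the CA returns the DER certificate, call export_for_apache with the key, the downloaded file and a staging directory, then copy the two output files into place as in steps 14 to 16.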