KB Article | Forcepoint Support

Notes & Warnings

Note: To instead generate a Certificate Signing Request (CSR) using Microsoft Internet Information Services (IIS), see Email SSL/TLS Certificate from a Third-Party Certificate Authority (CA).

Problem Description

How do I generate and import a CA signed certificate for TLS with Forcepoint Email Protection products (such as Forcepoint Email Security or TRITON AP-EMAIL)?


From the Forcepoint management server, as an Administrator, launch a command prompt and navigate to the ‘C:\Program Files (x86)\Websense\EIP Infra\apache\bin’ folder.

Note: To set the location of the OpenSSL config file, run: set OPENSSL_CONF=C:\Program Files (x86)\Websense\EIP Infra\apache\conf\openssl.cnf

To generate the Private Key and Certificate Signing Request, complete the following steps:

  1. Generate a private key file by typing:
    • openssl genrsa -des3 -out tls.key 2048

      You will be prompted to set a passphrase for the private key file.
  2. Generate a Certificate Signing Request (CSR) using the private key file by typing:
    • openssl req -new -key tls.key -out certificaterequest.csr
      You will be prompted to enter the passphrase created previously in step 1, as well as to enter details for the certificate request. Complete the relevant details for your company. In the ‘Common Name’ field, ensure you enter the email protection server’s public facing DNS hostname.
Note: This DNS hostname should be the same name used in your 'FSM > Settings > System Settings > Fully Qualified Domain Name (FQDN)' (also known as the HELO/EHLO name), and its forward (A record) and reverse (PTR record) DNS lookups should both correspond to the same public IP address, so that recipient mail servers can fully verify your mail server's identity.
Example data follows: 
C:\Program Files (x86)\Websense\EIP Infra\apache\bin> openssl req -new -key tls.key -out certificaterequest.csr
Enter pass phrase for tls.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Texas
Locality Name (eg, city) [Default City]:Austin
Organization Name (eg, company) [Default Company Ltd]:Contoso
Organizational Unit Name (eg, section) []:IT Dept
Common Name (eg, your name or your server's hostname) []:mail.contoso.com
Email Address []:postmaster@contoso.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
C:\Program Files (x86)\Websense\EIP Infra\apache\bin>

  3. At this point, you have generated two files: the private key file (tls.key) and the Certificate Signing Request file (certificaterequest.csr).
    • Send the Certificate Signing Request file (certificaterequest.csr) to a Certificate Authority (CA) for signing.
    • Protect the private key file (tls.key) and passphrase. Keep this information safe and confidential. To use the certificate, you will need the private key and passphrase.
  4. When the CA returns your certificate, from the ‘Program Files (x86)\Websense\EIP Infra\apache\bin’ folder on the TRITON management server, create a pfx file (containing your private key, server certificate and any intermediate certificates) by running the following command:
    • openssl pkcs12 -export -inkey tls.key -in [your_server_cert.cer] -certfile [your_intermediate_cert.cer] -out certificate.pfx

      You will be prompted to enter the original passphrase for the tls.key file and to set a passphrase for the pfx file. Only use alphanumeric characters in this passphrase (A-Z or 0-9).
  5. You are now ready to import the certificate.pfx file into the gateway. Log into TRITON - Email Security and select Settings > Inbound/Outbound > TLS Certificate.
Note: In cases where the CA has provided separate root and intermediate certificate files, these can be combined with the server certificate and private key to create the .pfx. For more information, please see:
ESG - How to create .pfx with full certificate chain
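
The following batch file is an added example, not part of the Forcepoint article. Run from the same apache\bin folder before the openssl pkcs12 -export command, it confirms that the CSR and the certificate returned by the CA carry the same RSA modulus as tls.key, so a mismatched file is caught before import. It assumes PEM-encoded files; your_server_cert.cer is the article's placeholder name.

```bat
@echo off
rem Added example (not Forcepoint's own script). Run from the apache\bin folder.
rem Assumption: all files are PEM-encoded. CERT is a placeholder file name.
setlocal
set "KEY=tls.key"
set "CSR=certificaterequest.csr"
set "CERT=your_server_cert.cer"

rem 1. Print the CSR self-signature verification result and the CSR subject,
rem    so the Common Name can be compared with the FQDN configured in FSM.
openssl req -in "%CSR%" -noout -verify -subject || goto :fail

rem 2. Key, CSR and returned certificate must share one RSA modulus.
rem    openssl prompts for the tls.key passphrase on the first command.
set "KEYMOD=" & set "CSRMOD=" & set "CERTMOD="
for /f "delims=" %%M in ('openssl rsa  -in "%KEY%"  -noout -modulus') do set "KEYMOD=%%M"
for /f "delims=" %%M in ('openssl req  -in "%CSR%"  -noout -modulus') do set "CSRMOD=%%M"
for /f "delims=" %%M in ('openssl x509 -in "%CERT%" -noout -modulus') do set "CERTMOD=%%M"
if not defined KEYMOD (echo Could not read %KEY% & goto :fail)
if not "%KEYMOD%"=="%CSRMOD%"  (echo CSR does not match %KEY% & goto :fail)
if not "%KEYMOD%"=="%CERTMOD%" (echo Certificate does not match %KEY% & goto :fail)

rem 3. Show who the certificate was issued to, by whom, and its validity dates.
openssl x509 -in "%CERT%" -noout -subject -issuer -dates || goto :fail

rem 4. If certificate.pfx already exists, list the certificates inside it.
rem    Prompts for the .pfx passphrase; -nokeys keeps the private key off screen.
if exist certificate.pfx openssl pkcs12 -in certificate.pfx -nokeys -info

echo OK: key, CSR and certificate match.
exit /b 0

:fail
echo Check failed: do not build or import the .pfx until this is resolved.
exit /b 1
```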

Keywords: certificate; tls; ssl; vulnerability; fsm; smtp connection; email relay configuration; import certificate; openssl
