KB Article | Forcepoint Support

Problem Description

How do I generate and import a CA signed certificate for TLS with Triton Email Protection products (such as Email Security Gateway or TRITON AP-EMAIL)?


From the TRITON management server, as an Administrator, launch a command prompt and navigate to the ‘Program Files (x86)\Websense\EIP Infra\apache\bin’ folder.

Note: Set command for OpenSSL config file - # set OPENSSL_CONF=C:\Program Files (x86)\Websense\EIP Infra\apache\conf\openssl.conf

To generate the Private Key and Certificate Signing Request, complete the following steps:

  1. Generate a private key file, type:
    • openssl genrsa -des3 -out tls.key 2048
      You will be prompted to set a passphrase for the private key file.
  2. Generate a Certificate Signing Request (CSR) using the private key file, type:
    • openssl req -new -config "C:\Program Files (x86)\Websense\EIP Infra\apache\conf\openssl.cnf" -key tls.key -out certificaterequest.csr
      You will be prompted to enter the passphrase created previously in step 1, as well as to enter details for the certificate request. Complete the relevant details for your company. In the ‘Common Name’ field, ensure you enter the email protection server’s public facing hostname. A screenshot of the prompts and example data follows: 
      User-added image
  3. At this point, you generated two files; the private key file (tls.key) and the Certificate Signing Request file (certificaterequest.csr).
    • Send the Certificate Signing Request file (certificaterequest.csr) to a Certificate Authority (CA) for signing.
    • Protect the private key file (tls.key) and passphrase. Keep this information safe and confidential. To use the certificate, you will need the private key and passphrase.
  4. When the CA returns your certificate, from the ‘Program Files (x86)\Websense\EIP Infra\apache\bin’ folder on the TRITON management server, create a pfx file (containing your private key, server certificate and any intermediate certificates) by running the following command:
    • openssl pkcs12 -export -inkey tls.key –in [your_server_cert.cer] -certfile [your_intermediate_cert.cer] -out certificate.pfx 
      You will be prompted to enter the original passphrase for the tls.key file and to set a passphrase for the pfx file. Only use alphanumeric characters in this passphrase (A-Z or 0-9).
  5. You are now ready to import the certificate.pfx file into the gateway. Log into TRITON - Email Security and select Settings > Inbound/Outbound > TLS Certificate.


Article Feedback

Thank you for the feedback and comments.