KB Article | Forcepoint Support

Problem Description

How do I generate and install a certificate on client machines for i500 appliances?

 

Resolution

The instructions in this article describe how to self-generate a certificate for the tSaaS appliance using OpenSSL.

Generating the certificate

  1. Download OpenSSL for Windows, for example from Google Code Archive - Open SSL for Windows.
  2. Extract the downloaded ZIP file using an extractor such as WinZIP, WinRAR or 7zip.
  3. Open Command Prompt (cmd.exe) and navigate to the folder where the OpenSSL zip was extracted.
  4. Run the below commands in the Command Prompt window:

bin\openssl.exe genrsa -passout pass:1234 -des3 -out CA_key_password.pem 2048

bin\openssl.exe rsa -in CA_key_password.pem -passin pass:1234 -out CA_key.pem 

bin\openssl.exe req -x509 -days 11000 -new -sha256 -key CA_key.pem -out Path/CA_cert.pem -config openssl.cnf

To convert the .pem certificate to .crt (DER encoding):

bin\openssl.exe x509 -outform der -in ca_cert.pem -out ca_cert.crt

  5. Save the files CA_key.pem and CA_cert.pem on your file server. CA_key.pem is the private key with its passphrase removed by the second command, so make sure that no one but the IT department has permissions to the location where the files are saved.
 

Upload the Certificate to the Appliance

Uploading the certificates to the appliance is done via the Cloud Portal.
  1. Log in to the Cloud Portal.
  2. Click Network Devices.
  3. Click your Appliance.
  4. Click Certificates.
  5. Mark "Use the following certificates:".
  6. Under Public certificate, click the Choose File button. Choose your CA_cert.pem file, and click OK.
  7. Under Private certificate, click the Choose File button. Choose your CA_key.pem file, and click OK.
  8. Click Save.
 

Download the Root Certificate for Cloud 

  1. Log in to the Cloud Portal.
  2. Click Web Security.
  3. Choose your Policy.
  4. Click the SSL Decryption tab.
  5. Right-click the Websense root certificate link and choose Save target as...
  6. Save the certificate alongside the certificates you self-generated.
 

Manually install the certificate on a Windows 7 machine

  1. Open the Run command (shortcut: Winkey+R).
  2. Type mmc and press OK.
  3. Click File, then Click Add/Remove Snap-ins.
  4. Choose Certificates, click Add.
  5. Choose Computer account, click Next, then click Finish and OK.
  6. Browse to Certificates > Trusted Root Certification Authorities > Certificates.
  7. Right-click Certificates, choose Import, then click Next.
  8. Click the Browse button, and choose the CA_cert.pem file. Click Next.
  9. Make sure that "Trusted Root Certification Authorities" is shown under "Place all certificates in the following store". Click Next.
  10. Click Finish.
 

Distribute the certificates using a GPO

Important: These instructions were written for Windows Server 2012. They might differ between versions of Windows Server.
  1. Open Group Policy Management Console.
  2. Choose the GPO you wish to distribute the certificate through. Right-click it and choose Edit. Note: It is recommended that you make these changes on a test OU first.
  3. Browse to Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities.
  4. Right-click Trusted Root Certification Authorities and choose Import. Click Next.
  5. Click the Browse button, and choose the CA_cert.pem file.
  6. Make sure that "Trusted Root Certification Authorities" is shown under "Place all certificates in the following store". Click Next. Click Finish.

To force the settings onto a client machine, use one of the following methods:
  • Force a GPO update:
      1. Start Command Prompt.
      2. Type gpupdate /force
      3. Check whether the certificate shows up in Internet Explorer.
  • Restart the machine and then check whether the certificate shows up in Internet Explorer.
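
As a scripted alternative to checking in Internet Explorer, the PowerShell function below compares the thumbprint of CA_cert.pem with the machine's Trusted Root Certification Authorities store and reports the certificate's key properties. It is an added example, not part of the original Forcepoint article; the function name Test-RootCaInstalled and the file path are assumptions.

```powershell
# Added example (not Forcepoint code). Written to run on Windows PowerShell 2.0 and later.
function Test-RootCaInstalled {
    param(
        # Assumed path: the CA_cert.pem produced by the "openssl req -x509" step.
        [string]$CertPath = '.\CA_cert.pem'
    )

    # .NET needs a full path; X509Certificate2 loads PEM (Base64) and DER files on Windows.
    $fullPath = (Resolve-Path $CertPath).Path
    $expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

    # Report whether the Basic Constraints extension marks the certificate as a CA.
    $bc = $expected.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    $isCa = [bool]($bc -and $bc.CertificateAuthority)

    # Match on thumbprint, not subject, so a different certificate with the same name cannot pass.
    $installed = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $expected.Thumbprint }

    New-Object PSObject -Property @{
        Subject            = $expected.Subject
        Thumbprint         = $expected.Thumbprint
        SignatureAlgorithm = $expected.SignatureAlgorithm.FriendlyName  # sha256RSA when -sha256 was used
        IsCA               = $isCa
        NotAfter           = $expected.NotAfter
        InLocalMachineRoot = [bool]$installed
    }
}

$result = Test-RootCaInstalled -CertPath '.\CA_cert.pem'
$result | Format-List
if (-not $result.InLocalMachineRoot) {
    Write-Warning 'CA_cert.pem is not in Cert:\LocalMachine\Root. Run gpupdate /force and recheck the GPO.'
}
```

Run it on a client after gpupdate /force or a restart, from a folder that holds a copy of CA_cert.pem (never CA_key.pem).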
