Running /.Mkcert.Sh

Running /.mkcert.sh

Here is the script that is displayed as mkcert.sh runs:
SSL Certificate Generation Utility (mkcert.sh)
Generating custom certificate signed by own CA [CUSTOM]
______
STEP 1: Generating RSA private key for CA (1024 bit) [ca.key]
1538117 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.....++++++
...... +++ +++
e is 65537 (0x10001)
______
STEP 2: Generating X.509 certificate signing request for CA [ca.csr]
Using the configuration from /opt/trend/ISADMIN/IScan.adm/conf/.mkcert.cfg, type information that will be incorporated into your certificate request.
The information you provide is called a Distinguished Name (DN). There are quite a few fields, but you can leave some of them blank. For some fields there will be a default value; if you enter “.”, the field will be left blank.
1. Country Name (2 letter code) [US]:
2. State or Province Name (full name) [California]:
3. Locality Name (e.g., city) [Cupertino]:
4. Organization Name (e.g., company) [Trend Micro]:
5. Organizational Unit Name (e.g., section) [Web Team]:
6. Common Name (e.g., CA name) [California CA]:
7. Email Address (e.g., name@FQDN) [:
8. Certificate Validity (days) [365]:
Note: In STEP 2:, you can accept all of the default values, except for 6. Common Name (e.g., CA name) [California CA]:
For this value, you first need to verify whether California CA currently exists in Internet Explorer. To do this, choose Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities) and look under Issued to name and Issued by name. If this name already exists, type another name at the prompt.

______
STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]:
Signature ok
subject=/C=US/ST=California/L=Cupertino/O=Trend Micro/
OU=WebTeam/CN=California CA/Email=
Getting Private key
Verify: matching certificate & key modulus
read RSA key
Verify: matching certificate signature
/opt/trend/ISADMIN/IScan.adm/conf/ssl.crt/ca.crt:
/C=US/ST=California/L=Cupertino/O=Trend Micro/
OU=Web Team/CN=California CA/Email=
error 18 at 0 depth lookup:self signed certificate
OK
The error 18 message means that the passed certificate is self signed and cannot be found in the list of trusted certificates.
______
STEP 4: Generating RSA private key for SERVER (1024 bit) [server.key]:
1538302 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...... ++++++
...... ++++++
e is 65537 (0x10001

)
______
STEP 5: Generate a X.509 certificate signing request for SERVER
[server.csr]:
Using the configuration from /opt/trend/ISADMIN/IScan.adm/conf/.mkcert.cfg, type information that will be incorporated into your certificate request. The information you are about to enter is what is called a Distinguished Name (DN). There are quite a few fields, but you can leave some blank. For some fields there will be a default value; if you enter “.”, the field will be left blank.
1. Country Name (2 letter code) [US]:
2. State or Province Name (full name) [California]:
3. Locality Name (e.g., city) [Cupertino]:
4. Organization Name (e.g., company) [Trend Micro]:
5. Organizational Unit Name (e.g., section) [Web Team]:
6. Common Name (e.g., FDQN) [
123.123.123.12
7. Email Address (e.g., name@FQDN) [:
8. Certificate Validity (days) [365]:
Note: In STEP 5, the name you type for Common Name (e.g., FQDN) [ must be the Unix machine to which InterScan WebProtect is installed. If the IP address is used, be sure that the same IP address is entered in the browser, because the Apache SSL module cannot resolve IP addresses.
______
STEP 6: Generate X.509 certificate signed by your CA [server.crt]:
Signature ok
subject=/C=US/ST=California/L=Cupertino/O=Trend Micro/OU=Web Team/
CN=123.123.123.12/Email=
Getting CA Private Key
Verify: matching certificate & key modulus
read RSA key
Verify: matching certificate signature
/opt/trend/ISADMIN/IScan.adm/conf/ssl.crt/server.crt: OK
______
STEP 7: Enrypting RSA private key of CA with a pass phrase for security [ca.key]
The contents of the ca.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]:
read RSA key
writing RSA key
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
Fine, you’re using an encrypted private key.
______
STEP 8: Enrypting RSA private key of SERVER with a pass phrase for security [server.key]
The contents of the server.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: y
read RSA key
writing RSA key
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
Fine, you’re using an encrypted RSA private key.
______
RESULT: CA and Server Certification Files
o conf/ssl.key/ca.key
The PEM-encoded RSA private key file of the CA which you can use to sign other servers or clients. KEEP THIS FILE PRIVATE!
o conf/ssl.crt/ca.crt
The PEM-encoded X.509 certificate file of the CA which you use to sign other servers or clients. When you sign clients with it (for SSL client authentication) you can configure this file with the 'SSLCACertificateFile' directive.
o conf/ssl.key/server.key
The PEM-encoded RSA private key file of the server that you configure with the “SSLCertificateKeyFile” directive. (This step is automatically done when you install using APACI). KEEP THIS FILE PRIVATE!
o conf/ssl.crt/server.crt
The PEM-encoded X.509 certificate file of the server which you configure with the “SSLCertificateFile” directive (automatically done when you install via APACI).
o conf/ssl.csr/server.csr
The PEM-encoded X.509 certificate signing request of the server file which you can send to an official Certificate Authority (CA) to request a real server certificate (signed by this CA instead of our own CA) which later can replace the conf/ssl.crt/server.crt file.
Congratulations that you establish your server with real certificates.
______
In /opt/trend/ISADMIN/IScan.adm/conf/ssl.cert, the following keys have been generated:
o ca.crt
o server.crt
In /opt/trend/ISADMIN/IScan.adm/conf/ssl.key, the following keys have been generated:
o ca.key
o server.key
You are now ready to FTP to your computer and import ca.crt to Internet Explorer.
Note: The “/opt/trend” portion of these directory paths is configurable.
Importing ca.crt to Internet Explorer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
a. Now that you have generated a new key, FTP /opt/trend/ISADMIN/IScan.adm/conf/ssl.crt/ca.crt to your computer and double-click ca.crt. In the next window, click Install Certificate and follow the wizard to install the certificate.
If an identical key currently exists, remove it before you proceed to the next step.
b. After successfully importing this certificate, in Internet Explorer, choose Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities to see California CA listed under the Issued to and Issued by names.
Restarting the InterScan admin Web server
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`
To restart InterScan admin Web server and use the new key, run the following:
o /etc/rc2.d/S99IScanHttpd stop
o /etc/rc2.d/S99IScanHttpd start
Opening the InterScan WebProtect Web UI
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To access the InterScan WebProtect Web UI, use the following URL: