When trying to import the renewed SMTP and HTTPS certificate into the InterScan Messaging Security Virtual Appliance (IMSVA), the console returns the following message:
Unable to import the file. No matched private key can be found.
Normally, the Certificate Signing Request (CSR) is generated from the IMSVA console and signed by DigiCert. However, a CSR generated from the IMSVA console does not include a private key, and the private key is required for a successful import.
Instead of using the IMSVA console, generate the CSR with the built-in openssl command in the IMSVA CLI. Below are the steps:
- Open the CLI of the IMSVA VM and log in as root.
- Enter the following commands to generate the private key and the CSR:

    openssl genrsa -out /tmp/<imsva_key>.pem 2048
    openssl req -new -key /tmp/<imsva_key>.pem -out /tmp/<imsva_req>.pem

- Fill out the required information during the process of creating the CSR. If successful, the output should resemble the sample below:

    [root@imsva ~]# openssl genrsa -out /tmp/imsva_key.pem 2048
    Generating RSA private key, 2048 bit long modulus
    ........................................................+++
    ...................................................................+++
    e is 65537 (0x10001)
    [root@imsva ~]#
    [root@imsva ~]# openssl req -new -key /tmp/imsva_key.pem -out /tmp/imsva_req.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:DE
    State or Province Name (full name) [Some-State]:Bavaria
    Locality Name (eg, city) []:Munich
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Trend Micro
    Organizational Unit Name (eg, section) []:Global Training
    Common Name (e.g. server FQDN or YOUR name) []:imsva.course.test
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    [root@imsva ~]#

- Use a third-party tool (WinSCP, FileZilla, etc.) to retrieve the two files from the /tmp/ folder: <imsva_key>.pem and <imsva_req>.pem.
- Send <imsva_req>.pem to DigiCert for signing.
- After the certificate has been signed, go back to the IMSVA console and import the certificate.
- Upload both the signed certificate and private key. In addition, enter the password previously set under Step 2 and once done, click the Import button.
- Once successfully imported, the new certificate should be listed under the SMTP and HTTPS Certificates tab.
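
Before the import step, the key, the CSR and the signed certificate can be checked against each other by comparing the public key each one carries. The script below is an added example, not part of the original article: the function names and the imsva_cert.pem file name are assumptions, and the demo uses constructed files in which a self-signed certificate stands in for the CA-signed one.

```shell
#!/bin/sh
# Added example: confirm key, CSR and certificate carry the same public key.
# Function names are hypothetical; demo files are constructed in a temp dir.

pub_from_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pub_from_csr()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
pub_from_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# check_import_set KEY CSR CERT
# 0 = all three match, 1 = mismatch, 2 = a file is missing or unparsable.
check_import_set() {
    k=$(pub_from_key "$1")  && [ -n "$k" ] || { echo "unreadable key: $1" >&2; return 2; }
    r=$(pub_from_csr "$2")  && [ -n "$r" ] || { echo "unreadable CSR: $2" >&2; return 2; }
    c=$(pub_from_cert "$3") && [ -n "$c" ] || { echo "unreadable certificate: $3" >&2; return 2; }
    [ "$k" = "$r" ] || { echo "CSR was not created from this key" >&2; return 1; }
    [ "$k" = "$c" ] || { echo "certificate does not match this key" >&2; return 1; }
    echo "key, CSR and certificate match"
}

# make_demo_set DIR: constructed sample files; a self-signed certificate
# stands in for the CA-signed one, and other_key.pem is an unrelated key.
make_demo_set() {
    ( umask 077   # keep generated private keys readable by the owner only
      openssl genrsa -out "$1/imsva_key.pem" 2048 2>/dev/null &&
      openssl genrsa -out "$1/other_key.pem" 2048 2>/dev/null &&
      openssl req -new -key "$1/imsva_key.pem" -subj "/CN=imsva.course.test" \
          -out "$1/imsva_req.pem" 2>/dev/null &&
      openssl x509 -req -in "$1/imsva_req.pem" -signkey "$1/imsva_key.pem" \
          -days 1 -out "$1/imsva_cert.pem" 2>/dev/null )
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_set "$d" &&
        check_import_set "$d/imsva_key.pem" "$d/imsva_req.pem" "$d/imsva_cert.pem"
    check_import_set "$d/other_key.pem" "$d/imsva_req.pem" "$d/imsva_cert.pem" ||
        echo "wrong key rejected (status $?)"
    rm -rf "$d"
}
demo
```

With real files, call check_import_set with the key and CSR generated in the steps above and the certificate returned by the CA; a non-zero status means the set should not be uploaded as it stands.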