Using externally generated certificates for Marshal Interface Agent


This article applies to:

  • MailMarshal SPE 3.6 and above

Question:

  • How do I use my own certificate for the Marshal Interface Agent connection to Marshal Agents?
  • Using a certificate from a Certificate Authority for MIA

Procedure:

  1. Stop the MIA service and all Marshal Agent services that connect to it
  2. Delete the binding of the existing certificate with the MIA port
    1. Run netsh (Make sure that you have administrator privileges, for instance by using runas or starting netsh from an elevated command prompt).
    2. At the netsh> prompt, change to http context by entering http
    3. (Optional) At the netsh http> prompt, you can verify that the MIA port is bound by entering
      show sslcert
    4. Remove the MIA port binding by entering
       delete sslcert ipport=0.0.0.0:19200
       
      The utility should confirm that the delete was successful.
  3. Manage certificates:
    1. Run MMC from Start>Run
    2. Add the Certificate snap-in for the local computer account
    3. Navigate to Certificates (Local Computer)\Personal\Certificates
  4. (Optional) Delete the default MIA certificate from the certificate store.
    • Note: You may wish to leave this certificate in the store as a backup. The certificate cannot be fully exported for backup, because the private key cannot be exported.
    1. Locate a certificate that is issued to computer_name by computer_name (where computer_name is the name of the server) and the Subject contains the following properties:
      • OU = Marshal Dev
      • O = Trustwave
      • CN = computer_name
    2. Remove that certificate.
  5. Insert your own certificate into the computer account certificate store, under the Personal store. The certificate can be a standard web server certificate ordered from a Certificate Authority. If you are creating your own certificate, it must meet the following criteria:
    • Certificate needs to contain a private key
    • Certificate subject: CN attribute must be the resolvable name of the computer where MIA is installed (DNS name or computer name). This is the server name you will enter when connecting.
    • Key usage: Digital Signature, Key Encipherment, Data Encipherment
    • Intended purpose: Server Authentication
  6. Copy the certificate hash (Thumbprint), formatted without spaces between the byte values
     for example: 035c49f034ee505b8d1cad1f3485fb642b470607
  7. Add the binding for the MIA port
    1. Run netsh as administrator
    2. At the netsh> prompt, change to http context by entering http
    3. At the netsh http> prompt, enter the following command (substituting the hash copied in step 6 for certhash):
       add sslcert ipport=0.0.0.0:19200 certhash=<hash from step 6> appid={f0bd00f1-a9f0-4466-bd36-ee495fa9cc25}
      • For example:
        add sslcert ipport=0.0.0.0:19200 certhash=035c49f034ee505b8d1cad1f3485fb642b470607 appid={f0bd00f1-a9f0-4466-bd36-ee495fa9cc25}
  8. Verify that the binding exists (at the netsh http> prompt, enter show sslcert)
  9. Start the MIA service
  10. Re-register all of the Marshal Agents using the Marshal Client Settings application (found on the Start Menu of each server).
    • In the URL field, be sure to specify the CN used in the new certificate.
  11. Start Marshal Agent services.
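The following PowerShell script is an added example, not part of the Trustwave article: it checks each certificate in the local computer Personal store against the criteria in step 5 (private key, CN matching this server, key usages, Server Authentication purpose), skips the default Marshal Dev certificate, and prints the netsh commands from steps 2 and 7 with the thumbprint already stripped of spaces. The port, appid and subject filter come from the article; the function name Test-MiaCertificate is my own.

```powershell
# Added example (not from the article). Run from an elevated PowerShell prompt.
# Port 19200, the appid and the "Marshal Dev" subject filter are taken from the article.
$MiaIpPort     = '0.0.0.0:19200'
$MiaAppId      = '{f0bd00f1-a9f0-4466-bd36-ee495fa9cc25}'
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$RequiredKu    = 'DigitalSignature', 'KeyEncipherment', 'DataEncipherment'
$Fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-MiaCertificate {
    # Returns a list of problems; an empty list means the certificate is usable for MIA.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += 'expired' }
    $cn = $Cert.GetNameInfo('SimpleName', $false)
    if ($cn -ne $Fqdn -and $cn -ne $env:COMPUTERNAME) {
        $problems += "CN '$cn' is not this server's DNS or computer name"
    }
    $ku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    foreach ($flag in $RequiredKu) {
        $bit = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]$flag
        if (-not $ku -or (($ku.KeyUsages -band $bit) -eq 0)) { $problems += "missing key usage $flag" }
    }
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })) {
        $problems += 'missing Server Authentication EKU'
    }
    return ,$problems
}

# Skip the default self-signed MIA certificate (OU = Marshal Dev, O = Trustwave).
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -notmatch 'OU=Marshal Dev' }
foreach ($c in $candidates) {
    $problems = Test-MiaCertificate $c
    if ($problems.Count -gt 0) {
        Write-Host "Skipping $($c.Subject): $($problems -join '; ')"
        continue
    }
    # Thumbprint as netsh expects it: hex digits with no spaces.
    $hash = ($c.Thumbprint -replace '\s', '').ToLower()
    Write-Host "Usable: $($c.Subject)  thumbprint=$hash"
    Write-Host "  netsh http delete sslcert ipport=$MiaIpPort"
    Write-Host "  netsh http add sslcert ipport=$MiaIpPort certhash=$hash appid=$MiaAppId"
}

# Step 8: after running the add command, confirm the binding shows the new hash.
netsh http show sslcert ipport=$MiaIpPort
```

The script only prints the delete/add commands so that you can review which certificate was selected before changing the binding; the final show command reports whatever is currently bound to the MIA port.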

Last Modified 11/13/2013.
https://support.trustwave.com/kb/KnowledgebaseArticle16205.aspx