Creating the Endpoint SSL Identity

For the Forcepoint F1E agent to communicate securely with your Outlook email client, the Endpoint must be given an SSL identity, and the client machine must be set up to trust that identity.

Before you begin

You must have OpenSSL installed on your machine.

Forcepoint recommends creating a self-signed certificate that can be bundled with the Endpoint installation package, along with the private key used to generate the certificate. This document explains how to generate this certificate using OpenSSL.
Note: Follow the steps in this procedure only if you want to create your own SSL identity and do not want to use the default one provided with the installer.

Creating an SSL identity for your endpoints with OpenSSL uses a configuration file.

Steps

  1. Open the configuration file template.


  2. Replace the values in angle brackets (<>) with the appropriate information for your organization:
    • Be sure to remove all the angle brackets from the document.
    • The country name can be at most two characters long.
    • Values not in angle brackets are defaults and can be left unchanged.
    • The CN must be entered as localhost and the subjectAltName must be entered as DNS:localhost.
  3. Once complete, save the file as localhost.config in a directory of your choice.
  4. Open a terminal application and cd to the directory where you saved the localhost.config file.
  5. Run the following command from the same directory to create the key files:
    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out server.pem -sha256 -config localhost.config -days 10950 -nodes
    The command creates the following files:
    • key.pem: Private key for the SSL identity. This file is deployed to the endpoint clients.
    • server.pem: Self-signed certificate for the SSL identity. This file is deployed to the endpoint clients.
  6. Run the Websense Endpoint Package Builder on the management server and create a new Mac Endpoint installation package.
  7. Unzip the new Mac Endpoint installer, FORCEPOINT-ONE-ENDPOINT-Mac.zip.
  8. Copy server.pem and key.pem into the newly created Endpoint Mac installer directory \FORCEPOINT-ONE-ENDPOINT-Mac\EndpointInstaller\ so that both PEM files are in the same directory as the WebsenseEndpoint.pkg file.
  9. Zip the folder back up again.
  10. Install the new package on the Mac clients.
  11. Optional: If you plan to install the agent via Jamf, then you must convert the certificate to its binary encoded DER format.
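
The checks below are an added example, not part of Forcepoint's procedure or tooling: before the installer is repackaged, check_identity confirms that server.pem carries CN localhost and DNS:localhost (step 2) and that key.pem is its matching private key (step 5), and to_der performs the DER conversion mentioned in step 11. The function names and the stand-in config written by make_sample_identity are assumptions made for illustration; that config is not the Forcepoint template.

```shell
# Added example, not Forcepoint's code: checks for the identity from step 5.

# Succeeds only if the certificate names localhost in both the CN and the
# subjectAltName, and its public key belongs to the given private key.
check_identity() {
    cert=$1 key=$2
    openssl x509 -in "$cert" -noout -nameopt RFC2253 -subject |
        grep -Eq '(^subject= ?|,)CN=localhost(,|$)' ||
        { echo "CN is not localhost" >&2; return 1; }
    openssl x509 -in "$cert" -noout -text |
        grep -A1 'Subject Alternative Name' |
        grep -Eq 'DNS:localhost(,| *$)' ||
        { echo "subjectAltName lacks DNS:localhost" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate" >&2; return 1; }
}

# Step 11: write the PEM certificate out in binary DER encoding.
to_der() {
    openssl x509 -in "$1" -outform der -out "$2"
}

# Constructed sample input: a minimal stand-in config (NOT the Forcepoint
# template) fed to the command from step 5. $2 and $3 exist only so the
# failure paths can be exercised and so tests can use a smaller key.
make_sample_identity() {
    dir=$1 name=${2:-localhost} bits=${3:-4096}
    cat > "$dir/localhost.config" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
C = US
O = Example Org
CN = $name
[ext]
subjectAltName = DNS:$name
EOF
    ( cd "$dir" && openssl req -x509 -newkey "rsa:$bits" -keyout key.pem \
        -out server.pem -sha256 -config localhost.config -days 10950 \
        -nodes 2>/dev/null )
}
```

Run check_identity server.pem key.pem in the directory from step 5 before copying the files into the installer. Because -nodes writes key.pem without a passphrase, keep that directory readable only by the administrator who builds the package.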