Creating the Endpoint SSL Identity

For the Forcepoint Agent to be able to securely communicate with your Outlook Email client, the Endpoint must be given an SSL identity, and the client machine must be set up to trust that identity.

Note: The steps in this procedure are only needed if you want to create your own SSL identity rather than use the default one provided with the installer.

Forcepoint recommends, as the simplest approach, creating a self-signed certificate and bundling it with the Endpoint installation package together with the private key that was used to generate it. This document explains how to generate that certificate with OpenSSL. OpenSSL must be installed on your machine before you attempt the steps below.

Resources

Creation of an SSL Identity for your endpoints with OpenSSL uses a configuration file. A template file can be downloaded here.

Creating the SSL Identity

  1. Download the template file provided.
  2. Replace the values in angle brackets (<>) with the appropriate information for your organization:
    • Be sure to remove all the angle brackets from the document.
    • The country name can be at most 2 characters long.
    • Values not in angle brackets are defaults and can be left unchanged.
    • The CN must be entered as localhost and the subjectAltName must be entered as DNS:localhost.

    Following is a template for the configuration file:

  3. Once complete, save the file as localhost.config in a directory of your choice.
  4. Open a terminal application and cd to the directory where you saved the localhost.config file.
  5. Run the following command from the same directory to create the key files:
    openssl req -x509 -newkey rsa:4096 -keyout key.pem -out server.pem -sha256 -config localhost.config -days 10950 -nodes

    This command will create the following files:

    • key.pem: Private key for the SSL identity. This file is deployed to the endpoint clients.
    • server.pem: Self-signed certificate for the SSL identity. This file is deployed to the endpoint clients.
  6. (Optional) If you plan to install the agent via Jamf, you must convert the certificate to the binary-encoded DER format. In that case, run the following additional command:
    openssl x509 -in server.pem -out server.der -outform DER
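
    The script below is an added example, not Forcepoint's template or installer code: it writes a minimal localhost.config (the [dn] values are constructed placeholders; only CN=localhost and subjectAltName=DNS:localhost are required by step 2), runs the step 5 and step 6 commands, and then verifies the result before the files are bundled. It assumes openssl is on the PATH and writes into a temporary directory unless WORKDIR is set.

```shell
# Added example (not Forcepoint's own files). Assumes openssl on PATH.
# [dn] values are constructed placeholders; CN and subjectAltName must stay "localhost".
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
write_config() {
  cat > "$WORKDIR/localhost.config" <<'EOF'
[ req ]
default_bits       = 4096
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ext
[ dn ]
C  = US
ST = Texas
O  = Example Org
CN = localhost
[ v3_ext ]
subjectAltName = DNS:localhost
EOF
}
create_identity() {
  write_config
  # Step 5: self-signed certificate (server.pem) plus unencrypted private key (key.pem)
  (cd "$WORKDIR" && openssl req -x509 -newkey rsa:4096 -keyout key.pem -out server.pem \
      -sha256 -config localhost.config -days 10950 -nodes 2>/dev/null)
  # Step 6: DER copy of the certificate for Jamf deployment
  openssl x509 -in "$WORKDIR/server.pem" -out "$WORKDIR/server.der" -outform DER
}
# Checks worth running before the files leave your machine; returns non-zero on any failure.
check_identity() {
  pem="$WORKDIR/server.pem"
  # Subject CN must be localhost and the SAN must carry DNS:localhost, as step 2 requires
  openssl x509 -in "$pem" -noout -subject | grep -q 'CN *= *localhost' || return 1
  openssl x509 -in "$pem" -noout -text | grep -q 'DNS:localhost' || return 1
  # key.pem must belong to server.pem: compare digests of the two public keys
  k=$(openssl pkey -in "$WORKDIR/key.pem" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$pem" -pubkey -noout | openssl sha256)
  [ "$k" = "$c" ] || return 1
  # The DER copy must be the same certificate as the PEM (same SHA-256 fingerprint)
  fp_pem=$(openssl x509 -in "$pem" -noout -fingerprint -sha256)
  fp_der=$(openssl x509 -in "$WORKDIR/server.der" -inform DER -noout -fingerprint -sha256)
  [ "$fp_pem" = "$fp_der" ]
}
create_identity
check_identity && echo "SSL identity ready in $WORKDIR"
```

    The public-key comparison catches the common mistake of bundling a key.pem from an earlier run with a newer server.pem.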

Next Steps: You can either proceed with manual agent installation or install the agent automatically using an MDM solution such as Jamf.