Views:
 
Certificate checking for program updates was further enhanced in later product versions. Please refer to the following article for more details: Enhancement for digital signature checking in OfficeScan.

These issues occur when Apex One is installed on a Windows machine without direct Internet connection for downloading certificate updates. These certificates are necessary on the endpoints, as well as the server itself.

To resolve this issue, perform the following:

  1. Download the EasyFix for System Certificates tool.
  2. Extract all files (Password: trend) to a temp folder (e.g. C:\EasyFixTool)
  3. Start a Command Prompt with Administrator Privileges
  4. Change path to the temp folder containing EasyFixSysCerts.exe
  5. Run the applicable commands:
    • Inspect and import missing certificates for Trend Micro Apex One
      • EasyFixSysCerts.exe A1
    • Inspect and import missing certificates for Trend Micro Vision One agent
      • EasyFixSysCerts.exe V1
 
The tool executes silently. To verify the result, perform the following:
  1. On the folder where EasyFixSysCerts.exe was executed, open \Log\SCPeasyFix.txt.
  2. Navigate to the bottom of the log file and look for the following:

    Fixing result is true

    • Fixing result is True - Successful execution
    • Fixing result is False - Failed execution
 
  1. Download the root and intermediate certificates from the following links:
     
    Certificates are free. If you encounter any issues, contact Trend Micro Technical Support.
  2. Install each certificate on the affected product server and problem endpoints.
  3. Open the certificate and click Install Certificate...
  4. Click Next when the Certificate Import Wizard appears.
  5. For Windows 2012, select Local Machine and click Next.
  6. Select "Place all certificates in the following store" and click Browse.
  7. Check Show physical stores > Trusted Root Certification Authorities > Local Computer and click OK.

    • For 2016 and above, just choose "Trusted Root Certification Authorities" and click OK.

      Trusted Root CA

    • For Domain users, refer to this external article.
  8. Click Finish. "The import was successful" message should appear.

The certificate-related issues should be resolved.

If manually adding the certificates and performing a Windows Update does not work, check for a Group Policy Object (GPO) that turns off Automatic Root Certificates Update:

  1. Go to Computer Configuration > Policies > Administrative Templates > System > Internet Communication Management > Internet Communication Settings > "Turn off Automatic Root Certificates Update".
  2. Make sure that the value is set to "Not configured" (default value).