Certificate checking for program updates was further enhanced in later product versions. Please refer to the following article for more details: Enhancement for digital signature checking in OfficeScan.
These issues occur when Apex One is installed on a Windows machine without direct Internet connection for downloading certificate updates. These certificates are necessary on the endpoints, as well as the server itself.
To resolve this issue, perform the following:
- Download the EasyFix for System Certificates tool.
- Extract all files (Password: trend) to a temp folder (e.g. C:\EasyFixTool)
- Start a Command Prompt with Administrator Privileges
- Change path to the temp folder containing EasyFixSysCerts.exe
- Run the applicable commands:
- Inspect and import missing certificates for Trend Micro Apex One
- EasyFixSysCerts.exe A1
- Inspect and import missing certificates for Trend Micro Vision One agent
- EasyFixSysCerts.exe V1
- Inspect and import missing certificates for Trend Micro Apex One
The tool executes silently. To verify the result, perform the following:
- On the folder where EasyFixSysCerts.exe was executed, open \Log\SCPeasyFix.txt.
- Navigate to the bottom of the log file and look for the following:
- Fixing result is True - Successful execution
- Fixing result is False - Failed execution
- Download the root and intermediate certificates from the following links:
- DigiCert Assured ID Root CA (SHA256 Fingerprint: 3E:90:99:B5:01:5E:8F:48:6C:00:BC:EA:9D:11:1E:E7:21:FA:BA:35:5A:89:BC:F1:DF:69:56:1E:3D:C6:32:5C)
- DigiCert High Assurance EV Root CA (SHA256 Fingerprint: 74:31:E5:F4:C3:C1:CE:46:90:77:4F:0B:61:E0:54:40:88:3B:A9:A0:1E:D0:0B:A6:AB:D7:80:6E:D3:B1:18:CF)
- DigiCert Trusted Root G4 (SHA256 Fingerprint: 55:2F:7B:DC:F1:A7:AF:9E:6C:E6:72:01:7F:4F:12:AB:F7:72:40:C7:8E:76:1A:C2:03:D1:D9:D2:0A:C8:99:88)
- Microsoft Identity Verification Root Certificate Authority 2020 (SHA-1 Thumbprint: f40042e2e5f7e8ef8189fed15519aece42c3bfa2)
- VeriSign Class 3 Public Primary Certification Authority - G5 (SHA-1 Thumbprint: 4E B6 D5 78 49 9B 1C CF 5F 58 1E AD 56 BE 3D 9B 67 44 A5 E5)
- VeriSign Universal Root Certification Authority (SHA-1 Thumbprint: 36 79 CA 35 66 87 72 30 4D 30 A5 FB 87 3B 0F A7 7B B7 0D 54)
- DigiCert EV Code Signing CA (SHA2) (SHA256 Fingerprint: C7:46:0B:0E:DD:A1:B4:4C:8E:21:64:B2:34:EB:EC:C3:96:2A:6A:37:A9:36:B7:4A:6E:7D:46:68:29:38:F0:84)
- DigiCert EV Code Signing CA (SHA256 Fingerprint: 37:63:77:FD:1F:AF:4B:8A:5B:14:72:64:7A:70:B9:41:03:9A:62:D7:4C:FE:99:44:7E:48:61:6F:8D:63:A9:78)
- DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 (SHA256 Fingerprint: 46:01:1E:de:1C:14:7E:B2:BC:73:1A:53:9B:7C:04:7B:7E:E9:3E:48:B9:D3:C3:BA:71:0C:E1:32:BB:DF:AC:6B)
- DigiCert High Assurance Code Signing CA-1 (SHA256 Fingerprint: 00:7D:2C:8B:15:78:62:32:BA:C0:EA:A3:1F:60:AA:E0:6D:C5:72:92:1B:AD:0D:46:C7:71:07:D8:C2:DC:A4:B3)
- USERTrust RSA Certification Authority (SHA256 Fingerprint: 2b 8f 1b 57 33 0d bb a2 d0 7a 6c 51 f7 0e e9 0d da b9 ad 8e)
- Thawte Primary Root CA (self-signed) - Root Certificate (tbs-certificates.co.uk) (SHA-1 Thumbprint: 91c6d6ee3e8ac86384e548c299295c756c817b81)
- GlobalSign Root CA - R3 - Root certificate (tbs-certificates.co.uk) (SHA256 Fingerprint: d69b561148f01c77c54578c10926df5b856976ad)
- Symantec Class 3 SHA256 Code Signing CA
Note the BEGIN CERTIFICATE and END CERTIFICATE lines. You can paste those and everything in between to Notepad and save it as Symantec_Class3_SHA256_code.crt.
- Microsoft Root Certificate Authority 2011 (MicRooCerAut2011_2011_03_22.crt)
- Microsoft Root Certificate Authority 2010 (MicRooCerAut_2010-06-23.crt)
- Thawte Timestamping CA (Thawte_Timestamping_CA.pem)
- Microsoft Root Authority (F38406E540D7A9D90CB4A9479299640FFB6DF9E224ECC7A01C0D9558D8DAD77D.crt)
Certificates are free. If you encounter any issues, contact Trend Micro Technical Support. - Install each certificate on the affected product server and problem endpoints.
- Open the certificate and click Install Certificate...
- Click Next when the Certificate Import Wizard appears.
- For Windows 2012, select Local Machine and click Next.
- Select "Place all certificates in the following store" and click Browse.
- Check Show physical stores > Trusted Root Certification Authorities > Local Computer and click OK.
- For 2016 and above, just choose "Trusted Root Certification Authorities" and click OK.
- For Domain users, refer to this external article.
- For 2016 and above, just choose "Trusted Root Certification Authorities" and click OK.
- Click Finish. "The import was successful" message should appear.
The certificate-related issues should be resolved.
If manually adding the certificates and performing a Windows Update does not work, check for a Group Policy Object (GPO) that turns off Automatic Root Certificates Update:
- Go to Computer Configuration > Policies > Administrative Templates > System > Internet Communication Management > Internet Communication Settings > "Turn off Automatic Root Certificates Update".
- Make sure that the value is set to "Not configured" (default value).