"Apex One Agents do not have a valid Apex One Server certificate" appears on the dashboard

Product / Version includes:

OfficeScan11.0 , Apex OneAll

Last updated: 2021/08/28

Solution ID: KA-0004099

Category: Troubleshoot

Summary

Starting with OfficeScan 11.0, the server-agent communication was enhanced to ensure that communication to and from the server is secured and trusted. This happens through authentication keys. The server signs the data using a private key, while the agent verifies it via public key.

When the server and agent keys mismatch, agents cannot download the new settings from the server. The Apex One server dashboard shows the following message:

One or more Security Agents do not have a valid OfficeScan server certificate.

To resolve the issue:

EXPAND ALL

For On-Premise versions

Identify the agents with mismatched certificates.
1. On the Apex One server, open a command prompt and change the directory to <Server installation folder>\PCCSRV\Admin\Utility\CertificateManager.
  When using the Authentication Certificate Manager Tool, note the following requirements:
  - The user must have administrator privileges.
  - The tool can only manage certificates located on the local endpoint.
2. Run command "CertificateManager.exe -l [Output CSV file full path]".
  For example:
  
  CertificateManager.exe -l D:\Test\MismatchedAgentList.csv
  
  All the agents with a mismatched certificate will be listed in a CSV file.
Recover the agent certificate by doing one of the following:
- Option 1: Copy the IpXfer ([Server Path]\PCCSRV\Admin\Utility\IpXfer) and agent certificate ([Server Path]\PCCSRV\Pccnt\Common\OfcNTCer.dat) to the agent with a mismatched certificate.
  Execute the following command:
  
  IpXfer.exe/IpXfer_x64.exe -s <Target server name or IP> -p <server HTTP port> -sp <server HTTPS port> -c <agent port> -e OfcNTCer.dat -pwd <agent unload password>
  
  For example:
  
  IpXfer_x64.exe -s apexone.contoso.local -p 8080 –sp 4343 -c 12345 –e OfcNTCer.dat -pwd P@ssw0rd
  
  Ipxfer parameters vary among versions. Go to the following article for more information: Manually transferring OfficeScan clients/agents using Client Mover I/Ipxfer tool.
- Option 2: Reinstall the agent.
  
  The Administrator can use single or multiple authentication keys across multiple OfficeScan servers in the same organization. View Authentication of Server-initiated Communications for more information.

If the issue persists, please contact Trend Micro Technical Support for assistance.

For Apex One as a Service

Contact your authorized Trend Micro Technical Support contact.
Provide your Customer Licensing Portal (CLP) Account and Apex One as a Service provision URL to Technical Support as well as issue details.
Obtain agent certificate from Technical Support.
Deploy the certificate to agents that reported this issue.
Please refer to Manually transferring OfficeScan clients/agents using Client Mover I/Ipxfer tool for details.

As an alternative option, you can also reinstall the agent to fix this issue.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

"Apex One Agents do not have a valid Apex One Server certificate" appears on the dashboard

For On-Premise versions

For Apex One as a Service

"Apex One Agents do not have a valid Apex One Server certificate" appears on the dashboard

Product / Version includes:

Summary

For On-Premise versions

For Apex One as a Service