The Apex One Server NTSG certificate is located in the Local Machine certificate store in OfficeScan NT on the Apex One Server.
The ofcsslagent certificate will exist on any endpoint with Apex One Security Agent installed, and will be in the Local Machine store in “OfficeScan SSL Agent”.
Paths in this article assume installation to the default location. If installed elsewhere, paths should be modified to match your environment.
To renew the NTSG certificate:
- Open Command Prompt as Administrator.
- Type:
cd C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Admin\Utility\CertificateManager
- Command:
CertificateManager.exe -c [Backup_Password]
This generates a new Trend Micro certificate and replaces the existing certificate.
When Apex One is installed, a certificate (valid for 3 years) is generated and you enter a backup password. That backup password is the one to use here. For example:
CertificateManager.exe -c 123456
Take note that Apex One does not support the use of 3rd-party signed certificates for server-to-agent communication.
To back up the new NTSG certificate:
- Open Command Prompt as Administrator.
- Type:
cd C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Admin\Utility\CertificateManager
- Command:
CertificateManager.exe -b [Password] [Certificate Path]
For example:
CertificateManager.exe -b 123456 C:\Backup
After these steps are finished, the new Apex One Server NTSG certificate is stored in the same location. The old one will be stored in OfficeScan NT Expired.
To update ofcsslagent:
- Use the TMtouch tool to touch the lssacfo2.dat file and trigger ofchotfix.exe. First, copy lssacfo2.dat from the C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Pccnt\Common folder to C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Admin\Utility\Touch.
- Open Command Prompt as Administrator and navigate to C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Admin\Utility\Touch.
- Execute:
tmtouch.exe lssacfo2.dat
The "Date modified" timestamp of the file should change to the current date and time.
- Copy lssacfo2.dat back to C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Pccnt\Common.
- Open Task Manager and monitor for ofchotfix.exe.
- Verify that ofchotfix.exe has been triggered.
- Wait for ofchotfix.exe to finish and close.
If ofchotfix.exe was NOT triggered automatically:
- In the Command Prompt, navigate to C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Web\Service.
- Run:
ofchotfix.exe 2 -1
- Run:
ofchotfix 6 -1
- Reboot the Apex One server and verify that the NTSG certificate has been renewed.
The endpoints will start updating the ofcsslagent certificates.
If lssacfo2.dat does not exist or an error such as the following is seen, the lssacfo2.dat file may need to be regenerated.
07-29-19 17:22:52,640 [13448] ERROR debug_log <> - [.\ths_TmHttpServerController.cpp:400][TM::HttpServer::CHttpController::SetHTTPSCertificate]HttpSetServiceConfiguration failed! , Ret = 1312
In apricot.log, error code 1312 is returned when the certificate is missing its private key or when the certificate cannot be found in the certificate store.
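Both conditions behind error 1312 (certificate absent from the store, or present without its private key), as well as the new expiry date after a renewal, can be checked read-only from PowerShell. This is an added example, not Trend Micro tooling; the store names are the ones mentioned in this article, while the function name and the 30-day warning window are assumptions.

```powershell
# Added example: read-only status check of the Apex One certificates.
# Store names are taken from this article (both spellings of the agent store
# are checked). The 30-day warning window is an assumption.
$StoreNames = 'OfficeScan NT', 'OfficeScan SSL Agent', 'OfficeScanSSL'
$WarnDays   = 30

function Get-ApexOneCertStatus {
    param(
        [string[]]$Stores,
        [int]$WarnDays = 30
    )
    $now = Get-Date
    foreach ($name in $Stores) {
        $path = "Cert:\LocalMachine\$name"

        # A missing store is one of the two causes of error 1312.
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Store = $name; Subject = $null; NotAfter = $null
                               HasPrivateKey = $null; Status = 'StoreNotFound' }
            continue
        }

        $certs = @(Get-ChildItem -LiteralPath $path)
        if ($certs.Count -eq 0) {
            [pscustomobject]@{ Store = $name; Subject = $null; NotAfter = $null
                               HasPrivateKey = $null; Status = 'NoCertificate' }
            continue
        }

        foreach ($c in $certs) {
            # Order matters: a certificate without a private key is unusable
            # for HTTPS even if it has not expired yet.
            $status = if (-not $c.HasPrivateKey)                  { 'MissingPrivateKey' }
                      elseif ($c.NotAfter -lt $now)               { 'Expired' }
                      elseif ($c.NotAfter -lt $now.AddDays($WarnDays)) { 'ExpiresSoon' }
                      else                                        { 'OK' }

            [pscustomobject]@{ Store = $name; Subject = $c.Subject
                               NotAfter = $c.NotAfter
                               HasPrivateKey = $c.HasPrivateKey; Status = $status }
        }
    }
}

Get-ApexOneCertStatus -Stores $StoreNames -WarnDays $WarnDays |
    Format-Table -AutoSize
```

A store reported as StoreNotFound may simply not apply to that machine (server versus agent); MissingPrivateKey or NoCertificate in a store that should hold the certificate matches the 1312 condition described above.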
To regenerate the ofcsslagent certificate:
- Back up the original lssacfo2.dat if it exists:
\PCCSRV\pccnt\common\lssacfo2_backup.dat
- Delete the original .dat file.
- Execute the following command to generate a new certificate with a private key:
"C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Private\certificate\makecert.exe" "C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Pccnt\Common\lssacfo2.dat" -pe -n CN=ofcsslagent -a sha1 -sky exchange -sr LocalMachine -ss OfficeScanSSL -is "OfficeScan NT" -len 2048
- Execute the following command to generate the new .dat file:
"C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Admin\Utility\CertificateManager\CertificateManager.exe" -eclnsslcert "C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Pccnt\Common\lssacfo2.dat"