To resolve the ofcsslagent certificate negotiation failed issue:

1. On the server, locate lssacfo2.dat in:

   [C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Pccnt\Common\]

2. • If the file lssacfo2.dat is mismatched on the agent and server (In this scenario, this certificate is correct on the server side):

     1. Unload the agent.
     2. Rename the lssacfo2.dat to lssacfo2.dat.bak
     3. Copy the lssacfo2.dat from the server to the agent.
     4. Reload the agent. When tmlisten.exe starts, it will load ofcsslagent certificate.
     5. Use the mmc.exe command to check the ofcsslagent on the agent. The thumbprint should be the same as on the server-side.

   • If the file lssacfo2.dat on the server was incorrect, please uses the command to re-create this file.

     1. Use the command to re-create the certificate file, refer to the KB: Renewing/Regenerating the OfficeScan Server NTSG and ofcsslagent certificates for OfficeScan and Apex One.
     2. After re-creating this certificate, restart the Server’s master service.
     3. Unload the agent.
     4. Rename the lssacfo2.dat to lssacfo2.dat.bak.
     5. Copy the lssacfo2.dat from the server to the agent.
     6. Reload the agent.
     7. Use the mmc.exe command to check the ofcsslagent on the agent. The thumbprint should be the same as on the server-side.