Scope

This applies only to Trend Micro Deep Security Agents version 20.0.0.1348 or later that are managed by Workload Security.


Key Objectives and Enhancements

  • Extends SSL/TLS handshake certificates to a 3072-bit key length

    Increases the RSA key length of the heartbeat certificates from 2048 bits to 3072 bits, which raises their security strength from 112 bits to 128 bits (NIST SP 800-57 Part 1).

  • Introduces a higher level of security for communications between the Deep Security Agent and Heartbeat Service nodes

    The certificate key authenticates the endpoints of the TLS handshake that protects agent-manager traffic. A longer RSA modulus raises the cost of factoring the key, and therefore of impersonating an agent or a Heartbeat node and reading or tampering with the data exchanged between them. The change also follows current guidance: NIST SP 800-131A allows 112-bit strength (RSA-2048) only through 2030, and RSA-3072 is the recommended minimum for 128-bit strength.

  • Aligns with current and evolving certification requirements
  • Rollout plans

    The automatic certificate renewals for all regions will be completed by November 30th, 2025.


Frequently Asked Questions

  • What is changing?

    The public key size in the agent-side Heartbeat certificates is being increased to RSA 3072-bit. No other agent files or policies are modified.

  • Which agents are affected?

    Only Deep Security Agents version 20.0.0.1348 or later.

  • Do I need to restart or redeploy agents?

    No. Certificates will be rotated during the next regular heartbeat.

  • Will there be downtime or performance impact?

    Certificate rotation is part of the regular life cycle of agent-manager communication and follows the regular update life cycle. As such, there is no downtime and no measurable impact on agent-manager communication.

  • Do I need to change anything on the Manager/console?

    No, the update will happen automatically during the regular heartbeat.

  • Could network devices or SSL inspection cause issues with RSA 3072?

    RSA 3072-bit keys are an industry standard and are supported by every current TLS implementation, so up-to-date network infrastructure is expected to handle the change seamlessly. The only practical difference on the wire is a slightly larger certificate in the handshake (the modulus grows by 128 bytes). If a middlebox terminates or inspects the agent-manager TLS session, confirm that it does not impose a hard cap on certificate key size.

  • How do I know if my agents have been updated?

    When an agent has been updated, a system event will be created (System Event ID 702 - “Credentials Generated”) for each agent on the Manager/console.

  • How can I verify the update on an agent?

    You can use the following steps, as an elevated user with appropriate permissions, to confirm an agent has updated its certificates to RSA 3072-bit keys. For each certificate, the filtered output should report a 3072-bit key: on Linux/macOS the line reads "Public-Key: (3072 bit)" (older OpenSSL releases print "RSA Public-Key: (3072 bit)"), and on Windows it reads "Public Key Length: 3072 bits".

    • Linux/macOS

      openssl x509 -in /var/opt/ds_agent/dsa_core/ds_agent_dsm_ca.crt -text -noout | grep -A1 "Public Key"

      openssl x509 -in /var/opt/ds_agent/dsa_core/ds_agent_dsm.crt -text -noout | grep -A1 "Public Key"

      openssl x509 -in /var/opt/ds_agent/dsa_core/ds_agent.crt -text -noout | grep -A1 "Public Key"

    • Windows (PowerShell or cmd)

      certutil -dump "C:\ProgramData\Trend Micro\Deep Security Agent\dsa_core\ds_agent_dsm_ca.crt" | findstr /I /C:"Public Key Length"

      certutil -dump "C:\ProgramData\Trend Micro\Deep Security Agent\dsa_core\ds_agent_dsm.crt" | findstr /I /C:"Public Key Length"

      certutil -dump "C:\ProgramData\Trend Micro\Deep Security Agent\dsa_core\ds_agent.crt" | findstr /I /C:"Public Key Length"
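The three Linux/macOS commands above are easier to run across a fleet as one script that parses the key size out of the openssl output, prints a verdict per certificate and returns a non-zero exit code when any certificate is not yet at 3072 bits. The following POSIX sh script is an added example, not part of this article or of the Deep Security Agent; it uses the default Linux certificate paths quoted above, and the expected key size and the `--check` flag are assumptions of the example. The Windows equivalent is the certutil command above.

```sh
#!/bin/sh
# Added example (not Trend Micro code): verify that every Deep Security Agent
# heartbeat certificate carries an RSA 3072-bit public key.
# Assumptions: default Linux paths from the article; EXPECTED_BITS=3072.
EXPECTED_BITS=3072
DSA_CORE=/var/opt/ds_agent/dsa_core

# key_bits_from_text: read `openssl x509 -text` output on stdin and print the
# key size taken from the "(NNNN bit)" token on the Public-Key line. This is
# robust to the "RSA Public-Key:" prefix of older OpenSSL releases and to line
# ordering, unlike `grep -A1`.
key_bits_from_text() {
    sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# key_alg_from_text: print the "Public Key Algorithm" value (e.g. rsaEncryption).
key_alg_from_text() {
    sed -n 's/.*Public Key Algorithm: \([A-Za-z0-9]*\).*/\1/p' | head -n 1
}

# cert_key_bits FILE: run openssl on a certificate file and print its key size.
cert_key_bits() {
    openssl x509 -in "$1" -text -noout 2>/dev/null | key_bits_from_text
}

# check_bits BITS ALG: return 0 only if the key is RSA and BITS == EXPECTED_BITS.
check_bits() {
    [ "$2" = "rsaEncryption" ] && [ "$1" = "$EXPECTED_BITS" ]
}

# check_all: one line per certificate; the return value is the number of
# certificates that are missing, unreadable or not RSA EXPECTED_BITS-bit.
check_all() {
    failures=0
    for name in ds_agent_dsm_ca.crt ds_agent_dsm.crt ds_agent.crt; do
        f="$DSA_CORE/$name"
        if [ ! -r "$f" ]; then
            printf '%-22s MISSING or unreadable (run as root?)\n' "$name"
            failures=$((failures + 1))
            continue
        fi
        text=$(openssl x509 -in "$f" -text -noout 2>/dev/null)
        bits=$(printf '%s\n' "$text" | key_bits_from_text)
        alg=$(printf '%s\n' "$text" | key_alg_from_text)
        if check_bits "$bits" "$alg"; then
            printf '%-22s OK   %s %s-bit\n' "$name" "$alg" "$bits"
        else
            printf '%-22s FAIL %s %s-bit (expected rsaEncryption %s-bit)\n' \
                "$name" "${alg:-unknown}" "${bits:-?}" "$EXPECTED_BITS"
            failures=$((failures + 1))
        fi
    done
    return $failures
}

# Run the check only when invoked as `sh check_dsa_certs.sh --check`, so the
# functions can also be sourced into other tooling.
if [ "${1:-}" = "--check" ]; then
    check_all
    exit $?
fi
```

Run it as root with `sh check_dsa_certs.sh --check`; an exit status of 0 means all three certificates are RSA 3072-bit, and any other value is the count of certificates still pending rotation (or unreadable), which makes the script usable as a compliance check from configuration management or a cron job.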