The OfficeScan Server NTSG certificate used for server-agent communication in OfficeScan and Apex One is created with a default lifespan of three (3) years. This certificate is also used to create the ofcsslagent certificate used by the agents for this purpose.
If the OfficeScan Server NTSG certificate is expired or corrupted, a new one must be generated.
An expired or corrupt certificate will prevent agent-server communication, resulting in out-of-date agents, log and quarantined file upload failures, and agent configurations not being updated.
The OfficeScan Server NTSG certificate is located in the Local Machine certificate store, under OfficeScan NT, on the OfficeScan/Apex One Server.
The ofcsslagent certificate will exist on any endpoint with OfficeScan XG SP1 or Apex One Security Agent installed, and will be in the Local Machine store in “OfficeScan SSL Agent”.
Paths in this article assume installation to the default location. If installed elsewhere, paths should be modified to match your environment.
To renew the NTSG certificate:
- Open Command Prompt as Administrator.
- Change to the CertificateManager directory:
cd C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Admin\Utility\CertificateManager
- Run the following command:
CertificateManager.exe -c [Backup_Password]
This generates a new Trend Micro certificate and replaces the existing certificate.
When you installed OfficeScan, you generated a certificate (valid for 3 years) and entered a backup password. That backup password is the one to use here. For example:
CertificateManager.exe -c 123456
To back up the new NTSG certificate:
- Open Command Prompt as Administrator.
- Change to the CertificateManager directory:
cd C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Admin\Utility\CertificateManager
- Run the following command:
CertificateManager.exe -b [Password] [Certificate Path]
For example:
CertificateManager.exe -b 123456 C:\Backup
After these steps are finished, the new OfficeScan Server NTSG certificate is stored in the same location. The old one is stored in OfficeScan NT Expired.
To update ofcsslagent:
- Use the TMtouch tool to touch the lssacfo2.dat file and trigger ofchotfix.exe. Start by copying lssacfo2.dat from the C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Pccnt\Common folder to C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Admin\Utility\Touch.
- Open Command Prompt as Administrator and navigate to C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Admin\Utility\Touch.
- Execute:
tmtouch.exe lssacfo2.dat
The file's Date modified timestamp should change to the current date and time.
- Copy lssacfo2.dat back to C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Pccnt\Common.
- Open Task Manager and monitor for ofchotfix.exe.
- Verify that ofchotfix.exe has been triggered.
- Wait for ofchotfix.exe to finish and close.
If ofchotfix.exe was NOT triggered automatically:
- In the Command Prompt, navigate to C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Web\Service.
- Run:
ofchotfix.exe 2 -1
- Run:
ofchotfix 6 -1
- Reboot the OfficeScan server and verify that the NTSG certificate has been renewed.
The endpoints will start updating the ofcsslagent certificates.
If lssacfo2.dat does not exist or an error such as the following is seen, the lssacfo2.dat file may need to be regenerated.
07-29-19 17:22:52,640 [13448] ERROR debug_log <> - [.\ths_TmHttpServerController.cpp:400][TM::HttpServer::CHttpController::SetHTTPSCertificate]HttpSetServiceConfiguration failed! , Ret = 1312
In apricot.log, error code 1312 is returned when the certificate is missing its private key or the certificate cannot be found in the certificate store.
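To confirm a renewal, or to check the two causes of error 1312 named above (certificate not found, private key missing), the certificate stores can be inspected directly. The PowerShell script below is an added example, not a Trend Micro tool; it uses the store names given in this article as defaults, and the 90-day warning threshold is an assumption.

```powershell
# Added example: list expiry and private-key status for the certificates
# discussed in this article. Store names come from the article text and are
# parameters because they may differ in your environment.
param(
    [string[]]$StoreNames = @('OfficeScan NT', 'OfficeScan SSL Agent'),
    [int]$WarnDays = 90   # assumed warning threshold, not a vendor value
)

# OpenExistingOnly turns a missing store into an error; without it, Open()
# would silently create an empty store of that name.
$flags = [System.Security.Cryptography.X509Certificates.OpenFlags]'ReadOnly, OpenExistingOnly'

$report = foreach ($name in $StoreNames) {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($name, 'LocalMachine')
    try {
        $store.Open($flags)
    } catch {
        [pscustomobject]@{
            Store = $name; Subject = '(store not found)'; NotAfter = $null
            DaysLeft = $null; HasPrivateKey = $null; Status = 'MISSING'
        }
        continue
    }
    try {
        foreach ($cert in $store.Certificates) {
            $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            $status = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' } else { 'OK' }
            [pscustomobject]@{
                Store         = $name
                Subject       = $cert.Subject
                NotAfter      = $cert.NotAfter
                DaysLeft      = $daysLeft
                HasPrivateKey = $cert.HasPrivateKey   # False here matches one cause of error 1312
                Status        = $status
            }
        }
    } finally {
        $store.Close()
    }
}

$report | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the server or on an endpoint; a store that exists only on the other role is reported as MISSING.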
To regenerate the ofcsslagent certificate:
- Back up the original lssacfo2.dat if it exists:
\PCCSRV\pccnt\common\lssacfo2_backup.dat
- Delete the original .dat file.
- Execute the following command to generate a new certificate with a private key:
"C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Private\certificate\makecert.exe" "C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Pccnt\Common\lssacfo2.dat" -pe -n CN=ofcsslagent -a sha1 -sky exchange -sr LocalMachine -ss OfficeScanSSL -is "OfficeScan NT" -len 2048
- Execute the following command to generate the new .dat:
"C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Admin\Utility\CertificateManager\CertificateManager.exe" -eclnsslcert "C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Pccnt\Common\lssacfo2.dat"