Renewing/Regenerating the OfficeScan Server NTSG and ofcsslagent certificates for OfficeScan and Apex One

    • Updated: 27 Nov 2019
    • Product/Version: Apex One 2019, OfficeScan XG
    • Platform: Windows XP and later
Summary

The OfficeScan Server NTSG certificate used for server-agent communication in OfficeScan and Apex One is created with a default lifespan of three (3) years. This certificate is also used to create the ofcsslagent certificate used by the agents for this purpose.

If the OfficeScan Server NTSG certificate is expired or corrupted, a new one must be generated.

An expired or corrupt certificate prevents agent-server communication, resulting in out-of-date agents, log and quarantined file upload failures, and agent configurations not being updated.

Details

The OfficeScan Server NTSG certificate is located in the Local Machine certificate store, under “OfficeScan NT”, on the OfficeScan/Apex One Server.


The ofcsslagent certificate will exist on any endpoint with OfficeScan XG SP1 or Apex One Security Agent installed, and will be in the Local Machine store in “OfficeScan SSL Agent”.


Paths in this article assume installation to the default location. If installed elsewhere, paths should be modified to match your environment.

To renew the NTSG certificate:

  1. Open Command Prompt as Administrator.
  2. Type:

    cd C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Admin\Utility\CertificateManager

  3. Run:

    CertificateManager.exe -c [Backup_Password]

    This generates a new Trend Micro certificate and replaces the existing certificate.

    [Backup_Password] is the backup password you entered when you installed OfficeScan and generated the original certificate (valid 3 years). For example:

    CertificateManager.exe -c 123456

To back up the new NTSG certificate:

  1. Open Command Prompt as Administrator.
  2. Type:

    cd C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Admin\Utility\CertificateManager

  3. Run:

    CertificateManager.exe -b [Password] [Certificate Path]

    For example:

    CertificateManager.exe -b 123456 C:\Backup

After these steps are finished, you will see that the new OfficeScan Server NTSG certificate is stored in the same location. The old one will be stored in “OfficeScan NT Expired”.

To update ofcsslagent:

  1. The TMtouch tool is used to touch the lssacfo2.dat file and trigger ofchotfix.exe. Copy lssacfo2.dat from the C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Pccnt\Common folder to C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Admin\Utility\Touch.
  2. Open Command Prompt as Administrator and navigate to C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Admin\Utility\Touch.
  3. Execute:

    tmtouch.exe lssacfo2.dat

    The Date modified timestamp of the file should change to the current date and time.

  4. Copy lssacfo2.dat back to C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Pccnt\Common.
  5. Open Task Manager and monitor for ofchotfix.exe.
  6. Verify that ofchotfix.exe has been triggered.
  7. Wait for ofchotfix.exe to finish and close.

    If ofchotfix.exe was NOT triggered automatically:

    1. In the Command Prompt, navigate to C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Web\Service.
    2. Run:

      ofchotfix.exe 2 -1

    3. Run:

      ofchotfix 6 -1

  8. Reboot the OfficeScan server and verify that the NTSG certificate has been renewed.

The endpoints will start updating the ofcsslagent certificates.

If lssacfo2.dat does not exist or an error such as the following is seen, the lssacfo2.dat file may need to be regenerated.

07-29-19 17:22:52,640 [13448] ERROR debug_log <> - [.\ths_TmHttpServerController.cpp:400][TM::HttpServer::CHttpController::SetHTTPSCertificate]HttpSetServiceConfiguration failed! , Ret = 1312

In apricot.log, error code 1312 is returned when the certificate is missing its private key or the certificate cannot be found in the certificate store.
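A read-only check for the conditions described above (an expired certificate, a certificate missing from the store, or a certificate without a private key), as an added PowerShell example that is not part of the Trend Micro article. The store names are taken from the article text and the makecert arguments and should be confirmed in certlm.msc; the 90-day warning window is an assumption.

```powershell
# Added example, not Trend Micro code. Read-only; run in an elevated
# PowerShell session on the OfficeScan/Apex One server.
# Assumption: store names as written in this article and its makecert arguments.
$Stores   = 'OfficeScan NT', 'OfficeScanSSL'
$WarnDays = 90          # assumed warning window, not a vendor value
$Now      = Get-Date

$report = foreach ($name in $Stores) {
    $path = "Cert:\LocalMachine\$name"

    # A missing store or an empty store both mean the service cannot find a certificate.
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Store = $name; Status = 'STORE_NOT_FOUND' }
        continue
    }
    $certs = @(Get-ChildItem -LiteralPath $path)
    if ($certs.Count -eq 0) {
        [pscustomobject]@{ Store = $name; Status = 'NO_CERTIFICATE' }
        continue
    }

    foreach ($cert in $certs) {
        $daysLeft = [int][math]::Floor(($cert.NotAfter - $Now).TotalDays)

        # Expiry is checked first; a missing private key is the other
        # condition the article associates with Ret = 1312.
        $status = if ($daysLeft -lt 0)            { 'EXPIRED' }
                  elseif (-not $cert.HasPrivateKey) { 'NO_PRIVATE_KEY' }
                  elseif ($daysLeft -le $WarnDays)  { 'EXPIRING_SOON' }
                  else                              { 'OK' }

        [pscustomobject]@{
            Store         = $name
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            DaysLeft      = $daysLeft
            HasPrivateKey = $cert.HasPrivateKey
            Status        = $status
        }
    }
}

$report | Format-Table Store, Subject, NotAfter, DaysLeft, HasPrivateKey, Status -AutoSize
```

Running it before and after the renewal steps shows whether NotAfter moved forward and whether the regenerated certificate carries a private key.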

To regenerate the ofcsslagent certificate:

  1. Back up the original lssacfo2.dat if it exists:

    \PCCSRV\pccnt\common\lssacfo2_backup.dat

  2. Delete the original .dat file.
  3. Execute the following command to generate a new certificate with a private key:

    "C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Private\certificate\makecert.exe" "C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Pccnt\Common\lssacfo2.dat" -pe -n CN=ofcsslagent -a sha1 -sky exchange -sr LocalMachine -ss OfficeScanSSL -is "OfficeScan NT" -len 2048

  4. Execute the following command to generate the new .dat:

    "C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Admin\Utility\CertificateManager\CertificateManager.exe" -eclnsslcert "C:\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV\Pccnt\Common\lssacfo2.dat"

Category: Configure; Register
Solution Id: 000155981