Error "License deployment was unsuccessful" can be seen when deploying license to activate Apex One Vulnerability Protection in Apex Central.
Root Cause Analysis
Based on the Vulnerability Protection Service debug log (e.g. ivp_server0.log located at C:\Program Files (x86)Trend Micro\Apex One\iServiceSrv\iVP\), the following error log generated out which indicates the Vulnerability Protection server fails to validate the Apex One server website certificate.
SEVERE: Failed to start iVP server. javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The root cause of this issue could be that the Apex One server is using a certificate with private key un-exportable, which conflicts with Vulnerability Protection server constraints.
There are two conditions in resolving this issue:
If the Apex One server website uses a 3rd party certificate (e,g, a certificate signed by corporate Certificate Authority), follow the article on Configuring Apex One to use a certificate signed by corporate Certificate Authority . In re-importing the certificate, make sure to select the option "Mark this key as exportable..."
If the Apex One server uses self-signed certificate, please follow these steps:
Renew the Apex One server web site certificate.
- On the OfficeScan / Apex One server, open a Command prompt and go to this location:
\Program Files (x86)\Trend Micro\OfficeScan\PCCSRV directory
\Program Files (x86)\Trend Micro\Apex One\PCCSRV directory - Run the following command to add a new certificate to the IIS certificate store:
svrsvcsetup –GenIISCert
- Confirm that the certificate is renewed.
- Open the IIS Manager console (inetmgr.exe).
- In the IIS Manager, expand the Sites folder and highlight the OfficeScan virtual site.
- In the Actions pane, click Bindings... to open the Site Bindings window.
- In the Site Bindings window, select type="https" and click Edit.... The Edit Site Binding window will appear.
- From the SSL Certificate section, click Select... and verify that the certificate expiration date has been extended, or select the certificate with the latest expiration date.
- Click OK to close the window.
Remove the old web site certificate.
- Open the Certificates MMC Snap-In,
- Navigate to Certificates (Local Computer) > 'Personal' Store
- Find the expired certificate. Right-click on the certificate then select Delete.