Web host certificate issues detected by the Troubleshooting Assistant for Server tool

    • Updated: 14 May 2020
    • Product/Version: Apex One 2019, OfficeScan XG
    • Platform: N/A
Summary

This article demonstrates how to fix the web host certificate issues detected by the Troubleshooting Assistant for Server Tool.

Purpose of Web Host Certificate

The Web Host certificate is used by the Apex One web console to encrypt connections and to prove the server's identity.

Possible symptoms

  • Policy deployment issue: "system error. Error ID 5"
  • Policy deployment with status pending: managed server deploying (403.16 error in ofcdebug.log or IIS log)
Details

This issue may occur in one of the following checkpoints:

The issue occurs at the “web Host certificate(pb_WebServer)” checkpoint.

Possible cause

  • The Web Host certificate does not exist, its name is inconsistent with the Master_DomainName in ofcscan.ini, or the certificate exists in the "Untrusted Certificates" certificate store.

Recommended practices

  1. The Web Host certificate should be located in the Personal or Web Hosting certificate store.

  2. The name of this certificate can be an IP address, a hostname, or an FQDN. It should be the same as 'Master_DomainName' in ofcscan.ini for Apex One server on-premise before version 1141.

    If not, do either of the following:

    • Re-sign a new certificate with the same name as “Master_DomainName” in ofcscan.ini and bind it to IIS. Refer to the KB article: Renewing the IIS SSL certificate of OfficeScan (OSCE).
    • Change the "Server name or IP address" in “Agent Connection Settings” to match the name of the Web Host certificate.

      Make sure the IP/hostname is the same as the common name of the Web Host certificate.

  3. If the certificate exists in the certificate store Untrusted Certificates (with the same thumbprint as the Web Host certificate in the Personal or Web Hosting store), export and back up the certificate, then delete it from Untrusted Certificates.

Possible reason

  • The web Host certificate is expired.

Recommended practices

Manually restart the master service to make sure the newly generated certificate is imported into the “Trusted People” store's folder.

Possible cause

The public certificate of the Web Host certificate does not exist, or its thumbprint is not the same as the private certificate's.

To resolve the issue:

  1. Export the Web host certificate without the private key.

  2. Import the public key into [Certificate Store]\Trusted People\Certificates\

  3. Starting from Apex One 2019, new modules in the Apex One Security Agent verify whether the communication peer is a valid Apex One server.

    Rename the public key (.cer) to "OfcIPCer.dat" and then copy it to {Apex One Server Installation}\PCCSRV\Pccnt\Common\ and overwrite the existing file. This managed key will be deployed to the managed Apex One Security Agents.

    For example:
    Copy <server_public_key>.cer to {Apex One Server Installation}\PCCSRV\Pccnt\Common\OfcIPCer.dat
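
The checkpoints described in this article can also be reviewed read-only from PowerShell on the server. The script below is an added example, not part of the Troubleshooting Assistant or any Trend Micro tooling. It assumes ofcscan.ini stores the name as a "Master_DomainName=<value>" line; the parameter names $IniPath and $IpcCertPath are hypothetical, and you supply the actual file locations.

```powershell
# Added example: read-only checks mirroring the article's checkpoints.
# Assumption: ofcscan.ini holds a "Master_DomainName=<value>" line.
param(
    [Parameter(Mandatory)] [string] $IniPath,   # full path to ofcscan.ini
    [string] $IpcCertPath                       # optional: full path to OfcIPCer.dat
)

$line = Select-String -Path $IniPath -Pattern '^\s*Master_DomainName\s*=\s*(.+?)\s*$' |
        Select-Object -First 1
if (-not $line) { throw "Master_DomainName not found in $IniPath" }
$master = $line.Matches[0].Groups[1].Value

# Store names: Personal = My, Web Hosting = WebHosting,
# Untrusted Certificates = Disallowed, Trusted People = TrustedPeople.
$simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$hostCerts = Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\WebHosting -ErrorAction SilentlyContinue |
    Where-Object { $_.HasPrivateKey -and $_.GetNameInfo($simple, $false) -eq $master }

if (-not $hostCerts) {
    Write-Warning "No certificate named '$master' with a private key in Personal or Web Hosting."
    return
}

$untrusted     = @(Get-ChildItem Cert:\LocalMachine\Disallowed).Thumbprint
$trustedPeople = @(Get-ChildItem Cert:\LocalMachine\TrustedPeople).Thumbprint
$ipcThumb = if ($IpcCertPath) {
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IpcCertPath).Thumbprint
}

# One row per candidate certificate; nothing is modified.
foreach ($c in $hostCerts) {
    [pscustomobject]@{
        Thumbprint      = $c.Thumbprint
        Store           = Split-Path $c.PSParentPath -Leaf
        NotAfter        = $c.NotAfter
        Expired         = $c.NotAfter -lt (Get-Date)               # expired certificate
        InUntrusted     = $untrusted -contains $c.Thumbprint       # should be False
        InTrustedPeople = $trustedPeople -contains $c.Thumbprint   # should be True
        OfcIPCerMatches = if ($ipcThumb) { $ipcThumb -eq $c.Thumbprint } else { $null }
    }
}
```

Run it from an elevated PowerShell session on the Apex One server. A row with Expired or InUntrusted set to True, or InTrustedPeople or OfcIPCerMatches set to False, points to the matching section above.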

Category: Troubleshoot
Solution Id: 000252038