Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Policy deployment issue due to Web Host Certificate mismatch

    • Updated:
    • 15 Dec 2020
    • Product/Version:
    • Apex One 2019
    • OfficeScan XG
    • Platform:

The Troubleshooting Assistant (TA) for Server tool detected "system error. Error ID 5" on agents deployed with the current policy.

This article discusses a policy deployment issue which is caused by Web Host Certificate mismatch.


019 12/10 16:06:10 [20d4 : 1a04] (00) (E) [][tmlisten.exe]VerifyServerCert - Failed to verify the SSL certificate - [olh_winhttpclient.cpp(857)]
2019 12/10 16:06:10 [20d4 : 1a04] (00) (D) [][tmlisten.exe]VerifyServerCert - << 0 - [olh_winhttpclient.cpp(864)]
2019 12/10 16:06:10 [20d4 : 1a04] (00) (E) [][tmlisten.exe]winHttpStatusCallback - Close connection due to certificate verification failure - [olh_winhttpclient.cpp(78)]
2019 12/10 16:06:10 [20d4 : 1a04] (00) (D) [][tmlisten.exe]SendInHTTPSWithWinHttp - Failed at sending a request, verb: [POST] err : [12017] - [olh_winhttpclient.cpp(470)]
2019 12/10 16:06:10 [20d4 : 1a04] (00) (D) [][tmlisten.exe]SendInHTTPSWithWinHttp - <<< - [olh_winhttpclient.cpp(770)]
2019 12/10 16:06:10 [20d4 : 1a04] (00) (D) [][tmlisten.exe]TmPost - Post:Verb: Result status=-27 - [olh_loadhttp.cpp(1207)]
2019 12/10 16:06:10 [20d4 : 1a04] (00) (D) [-S-][tmlisten.exe][tmSendLogToHttpServerLwithCallBack] After Post or Get nError = -27 - [cnttmsoc_tmsock.cpp(4196)]
2019 12/10 16:06:10 [20d4 : 1a04] (00) (I) [-S-][tmlisten.exe][tmSendLogToHttpServerLwithCallBack] LoadHttp Get func failed,error code = -27 - [cnttmsoc_tmsock.cpp(4306)]
2019 12/10 16:06:10 [20d4 : 1a04] (00) (I) [-S-][tmlisten.exe][tmSendLogToHttpServerLwithCallBack] DeleteFile done, err = 0 - [cnttmsoc_tmsock.cpp(4337)]

The agent tried to verify certificate with server but failed.

Check Pccnt\Common\OfcIPCer.dat on the server-side:

  1. Copy OfcIPCer.dat to another path, rename it as OfcIPCer.cer.
  2. Double-click it then switch to the Details tab and check the serial number.
  3. In IIS manager, check SSL binding certificate, see if the serial number is the same with OfcIPCer.cer.

    If it is different, export the public key and rename it as OfcIPCer.dat, put it in Pccnt\Common folder.


    Starting from Apex One 2019, new modules in Apex One Security Agent will authenticate whether the communication peer is a valid Apex One server. Rename the above public key (.cer) to "OfcIPCer.dat" and then copy it to {Apex One Server Installation}\PCCSRV\Pccnt\Common\ and overwrite the existing file. This managed key will be deployed to the managed Apex One Security Agents.

    For example:

    Copy server_public_key.cer to {Apex One Server Installation}\PCCSRV\Pccnt\CommonOfcIPCer.dat

  4. Open a command window and change the working directory to the following:

    C:\Program Files(x86)\TrendMicro\ApexOne\PCCSRV\Admin\Utility\CertificateManager

  5. Execute the following command:

    CertificateManager.exe -f "C:\ProgramFiles(x86)\TrendMicro\ApexOne\PCCSRV\Pccnt\Common\OfcIPCer.dat"

  6. Check OfcIPCer.dat and OfcIPCer.dat.sig is up to the time.

    C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Pccnt\Common\OfcIPCer.dat
    C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Pccnt\Common\OfcIPCer.dat.sig

Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.