When you try to export the Apex One certificate using the CertificatManager.exe tool, you receive the following error message:
An internal error occurred while configuring the server authentication settings. Send the debug log to Support for further information.
The Admin can find the corresponding log recorded in the System Event Logs of the Apex One server as well:
User "LogOnUserName" unsuccessfully attempted to export the server authentication certificate at Date Time.
During the Apex One Patch 3 Build 5358 installation, there is a message stating that Trend Micro recommends to manually back up the Apex One Authentication certificate before proceeding with the installation.
If the customer forgot to manually backup Apex One Server authentication certificate before applying Patch 3, they will encounter an error when using "CertificateManager.exe -b [Password] [Certificate path]" command.
One of the security enhancements introduced in Apex One Patch 3 is that the server certificate will be marked as non-exportable for security concern. During installation of Apex One Patch 3, there will be one-time change of the certificate to "non-exportable". Thus, the backup command "CertificateManager.exe -b [Password] [Certificate path]" may fail with the error message shown above.
Starting from Apex One On-Premise Patch 3, two new commands have been introduced for the CertificateManager.exe tool:
Import certificates with non-exportable enabled: -ine
Restore certificates with the exportable enabled: -re
You may follow the procedures below to resolve the issue in case you forgot to back up the Apex One server authentication certificate before applying the Patch 3:
- Go to Apex One server MMC > Certificates > OfficeScan NT Expired > Certificates > Export the OfficeScan Server NTSG certificate.
- Open a command prompt and run the following command to import the Apex One server authentication certificate to the certificate store with non-exportable enabled:
C:\Program Files (x86)\Trend Micro\Apex One\PCCSRV\Admin\Utility\CertificateManager\CertificateManager.exe -ine [Password] [Certificate path]
- The certificate under "OfficeScan NT Expired" is the one automatically backed up when Patch 3 is applied.
- The certificate under "Officescan NT" is the one currently in-use.
- If a user exports the certificate under "OfficeScan NT Expired", it's recommended to:
- Export Private Key > Select "Yes, export the private key".
- Export File Format > Select "Personal Information Exchange - PKCS # 12 (.PFX)" and "Include all certificates in the certification path if possible" (default exporting format).
For more information, you can check the Authentication Certificate Manager documentation.