This article lists the certificates used in OfficeScan XG/Apex One.
For the product servers and client machines that do not have these certificates, the following issues may occur:
- Clients remain in "Updating" state and fail to get their updates from the server
- Server cannot verify the agents' digital signatures during Inter-Process Communication (IPC)
These issues occur when OfficeScan/Apex One is installed on a Windows machine without a direct Internet connection for downloading certificate updates. These certificates are necessary on the endpoints, as well as on the server itself.
To resolve this issue:
Download the root and intermediate certificates from the following links:
Certificates are free. If you encounter any issues, contact Trend Micro Technical Support.
- DigiCert Assured ID Root CA (SHA256 Fingerprint: 3E:90:99:B5:01:5E:8F:48:6C:00:BC:EA:9D:11:1E:E7:21:FA:BA:35:5A:89:BC:F1:DF:69:56:1E:3D:C6:32:5C)
- DigiCert High Assurance EV Root CA (SHA256 Fingerprint: 74:31:E5:F4:C3:C1:CE:46:90:77:4F:0B:61:E0:54:40:88:3B:A9:A0:1E:D0:0B:A6:AB:D7:80:6E:D3:B1:18:CF)
- DigiCert Trusted Root G4 (SHA256 Fingerprint: 55:2F:7B:DC:F1:A7:AF:9E:6C:E6:72:01:7F:4F:12:AB:F7:72:40:C7:8E:76:1A:C2:03:D1:D9:D2:0A:C8:99:88)
- VeriSign Class 3 Public Primary Certification Authority - G5 (SHA-1 Thumbprint: 4E B6 D5 78 49 9B 1C CF 5F 58 1E AD 56 BE 3D 9B 67 44 A5 E5)
- VeriSign Universal Root Certification Authority (SHA-1 Thumbprint: 36 79 CA 35 66 87 72 30 4D 30 A5 FB 87 3B 0F A7 7B B7 0D 54)
- DigiCert EV Code Signing CA (SHA2) (SHA256 Fingerprint: C7:46:0B:0E:DD:A1:B4:4C:8E:21:64:B2:34:EB:EC:C3:96:2A:6A:37:A9:36:B7:4A:6E:7D:46:68:29:38:F0:84)
- DigiCert EV Code Signing CA (SHA256 Fingerprint: 37:63:77:FD:1F:AF:4B:8A:5B:14:72:64:7A:70:B9:41:03:9A:62:D7:4C:FE:99:44:7E:48:61:6F:8D:63:A9:78)
- DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 (SHA256 Fingerprint: 46:01:1E:DE:1C:14:7E:B2:BC:73:1A:53:9B:7C:04:7B:7E:E9:3E:48:B9:D3:C3:BA:71:0C:E1:32:BB:DF:AC:6B)
- DigiCert High Assurance Code Signing CA-1 (SHA256 Fingerprint: 00:7D:2C:8B:15:78:62:32:BA:C0:EA:A3:1F:60:AA:E0:6D:C5:72:92:1B:AD:0D:46:C7:71:07:D8:C2:DC:A4:B3)
- USERTrust RSA Certification Authority (SHA-1 Thumbprint: 2B 8F 1B 57 33 0D BB A2 D0 7A 6C 51 F7 0E E9 0D DA B9 AD 8E)
- Symantec Class 3 SHA256 Code Signing CA
Note the BEGIN CERTIFICATE and END CERTIFICATE lines. You can paste those lines and everything in between into Notepad and save the file as Symantec_Class3_SHA256_code.crt.
- Install each certificate on the affected product server and problem endpoints.
  - Open the certificate and click Install Certificate...
  - Click Next when the Certificate Import Wizard appears.
  - For Windows 2012, select Local Machine and click Next.
  - Select "Place all certificates in the following store" and click Browse.
  - Check Show physical stores > Trusted Root Certification Authorities > Local Computer and click OK.
  - For Windows 2016 and above, just choose "Trusted Root Certification Authorities" and click OK.
  - For Domain users, refer to this external article.
- Click Finish. The "The import was successful" message should appear.
The certificate-related issues should be resolved.
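Because these files go into the machine-wide Trusted Root store, it is worth confirming that each downloaded file matches a fingerprint listed above before importing it, and confirming afterwards that the certificate is present. The following PowerShell script is an added example, not part of Trend Micro's procedure; the folder path is an assumption, and only three of the listed fingerprints are filled in.

```powershell
# Added example, not Trend Micro code. Works on Windows PowerShell 5.1 and later.
$CertDir = 'C:\Temp\certs'   # assumption: folder holding the downloaded .crt/.cer files

# Fingerprints copied from the list in this article; add the remaining entries the same way.
$expected = @{
    'DigiCert Assured ID Root CA' = '3E:90:99:B5:01:5E:8F:48:6C:00:BC:EA:9D:11:1E:E7:21:FA:BA:35:5A:89:BC:F1:DF:69:56:1E:3D:C6:32:5C'
    'DigiCert Trusted Root G4' = '55:2F:7B:DC:F1:A7:AF:9E:6C:E6:72:01:7F:4F:12:AB:F7:72:40:C7:8E:76:1A:C2:03:D1:D9:D2:0A:C8:99:88'
    'VeriSign Universal Root Certification Authority' = '36 79 CA 35 66 87 72 30 4D 30 A5 FB 87 3B 0F A7 7B B7 0D 54'
}

# Returns both digests of a certificate: the SHA-1 thumbprint Windows displays
# and the SHA-256 fingerprint computed over the DER-encoded bytes.
function Get-Fingerprints {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try { $digest = [BitConverter]::ToString($sha256.ComputeHash($Cert.RawData)) -replace '-', '' }
    finally { $sha256.Dispose() }
    @($Cert.Thumbprint.ToUpper(), $digest)
}

# Normalize the listed values: strip colons and spaces, upper-case the hex.
$wanted = @{}
foreach ($name in $expected.Keys) {
    $wanted[($expected[$name] -replace '[^0-9A-Fa-f]', '').ToUpper()] = $name
}

# 1. Check every downloaded file before it is imported into a trust store.
$files = Get-ChildItem -Path $CertDir -File | Where-Object { $_.Extension -in '.crt', '.cer' }
foreach ($file in $files) {
    try {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName
    } catch { "UNREADABLE $($file.Name): not a valid certificate file"; continue }
    $match = Get-Fingerprints $cert | Where-Object { $wanted.ContainsKey($_) } | Select-Object -First 1
    if ($match) { "OK         $($file.Name) -> $($wanted[$match])" }
    else        { "MISMATCH   $($file.Name) ($($cert.Subject)): matches no listed fingerprint, do not import" }
}

# 2. Report which listed certificates are already in the Local Machine stores.
$present = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    ForEach-Object { Get-Fingerprints $_ }
foreach ($fp in $wanted.Keys) {
    $state = if ($present -contains $fp) { 'present' } else { 'MISSING' }
    '{0,-10} {1}' -f $state, $wanted[$fp]
}
```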
If manually adding the certificates and performing a Windows Update does not work, check for a Group Policy Object (GPO) that turns off Automatic Root Certificates Update:
- Go to Computer Configuration > Policies > Administrative Templates > System > Internet Communication Management > Internet Communication Settings > "Turn off Automatic Root Certificates Update".
- Make sure that the value is set to "Not configured" (default value).