Starting with OfficeScan 11.0, server-agent communication was enhanced to ensure that communication to and from the server is secured and trusted. This is done through authentication keys: the server signs the data using a private key, and the agent verifies it with the public key.
When the server and agent keys do not match, agents cannot download new settings from the server. The OfficeScan Server dashboard shows the following message:
One or more OfficeScan Agents do not have a valid OfficeScan server certificate.
To resolve the issue:
- Identify the agents with mismatched certificates.
  - On the OfficeScan server, open a command prompt and change the directory to <Server installation folder>\PCCSRV\Admin\Utility\CertificateManager.
    When using the Authentication Certificate Manager Tool, note the following requirements:
    - The user must have administrator privileges.
    - The tool can only manage certificates located on the local endpoint.
  - Run the command "CertificateManager.exe -l [Output CSV file full path]".
    For example:
    CertificateManager.exe -l D:\Test\MismatchedAgentList.csv
    All the agents with a mismatched certificate will be listed in a CSV file.
- Recover the agent certificate by doing one of the following:
  - Option 1: Copy the IpXfer tool ([Server Path]\PCCSRV\Admin\Utility\IpXfer) and the agent certificate ([Server Path]\PCCSRV\Pccnt\Common\OfcNTCer.dat) to the agent with a mismatched certificate.
    Execute the following command:
    - OfficeScan 11.0: IpXfer.exe/IpXfer_x64.exe -s <Target server name or IP> -p <server port> -c <agent port> -e OfcNTCer.dat -p <Unload Password>
      For example:
      IpXfer_x64.exe -s osce.contoso.local -p 8080 -c 12345 -e OfcNTCer.dat -p Password1
    - OfficeScan XG: IpXfer.exe/IpXfer_x64.exe -s <Target server name or IP> -p <server HTTP port> -sp <server HTTPS port> -c <agent port> -e OfcNTCer.dat -pwd <agent unload password>
      For example:
      IpXfer_x64.exe -s oscexg.contoso.local -p 8080 -sp 4343 -c 12345 -e OfcNTCer.dat -pwd P@ssw0rd
    IpXfer parameters vary among versions. Go to the following article for more information: Manually transferring OfficeScan clients/agents using Client Mover I/Ipxfer tool.
  - Option 2: Reinstall the agent.
Administrators can use single or multiple authentication keys across multiple OfficeScan servers in the same organization. View Authentication of Server-initiated Communications for more information.
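The server-side part of the procedure above (listing the mismatched agents, then locating the agent certificate used in Option 1) as a PowerShell script. This is an added example, not Trend Micro tooling: the parameter names, the pre-checks and the SHA-256 comparison are assumptions built around the one command and the two paths given in this article.

```powershell
# Added example: run on the OfficeScan server from an elevated PowerShell prompt.
param(
    # Assumption: pass the real <Server installation folder> here.
    [Parameter(Mandatory)] [string] $ServerInstallFolder,
    # Output path taken from the article's example; change as needed.
    [string] $OutputCsv = 'D:\Test\MismatchedAgentList.csv'
)

$ErrorActionPreference = 'Stop'

# Requirement from the article: the user must have administrator privileges.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Administrator privileges are required; start an elevated prompt.'
}

# Paths as given in the article, relative to the server installation folder.
$toolDir = Join-Path $ServerInstallFolder 'PCCSRV\Admin\Utility\CertificateManager'
$tool    = Join-Path $toolDir 'CertificateManager.exe'
$cert    = Join-Path $ServerInstallFolder 'PCCSRV\Pccnt\Common\OfcNTCer.dat'
foreach ($path in $tool, $cert) {
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { throw "Not found: $path" }
}

# Same command as in the article: CertificateManager.exe -l <Output CSV file full path>
Push-Location $toolDir
try {
    & $tool -l $OutputCsv
} finally {
    Pop-Location
}
if (-not (Test-Path -LiteralPath $OutputCsv)) { throw "No output written to $OutputCsv" }

# The CSV column layout is not described on this page, so only count its lines.
$lines = @(Get-Content -LiteralPath $OutputCsv | Where-Object { $_.Trim() })
'{0} non-empty line(s) in {1}' -f $lines.Count, $OutputCsv

# SHA-256 of the server's agent certificate. Run Get-FileHash on the copy placed
# on each agent before IpXfer to confirm the file was transferred unmodified.
Get-FileHash -LiteralPath $cert -Algorithm SHA256 | Format-List Path, Hash
```

The IpXfer commands pass the unload password as a command-line argument, so on endpoints with process command-line auditing enabled it will appear in those logs.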
If the issue persists, please contact Trend Micro Technical Support for assistance.
- Contact your authorized Trend Micro Technical Support contact.
- Provide your Customer Licensing Portal (CLP) Account and Apex One as a Service provision URL to Technical Support as well as issue details.
- Obtain the agent certificate from Technical Support.
- Deploy the certificate to agents that reported this issue.
Please refer to Manually transferring OfficeScan clients/agents using Client Mover I/Ipxfer tool for details.
As an alternative option, you can also reinstall the agent to fix this issue.