Summary
Starting with OfficeScan 11.0, the server-agent communication was enhanced to ensure that communication to and from the server is secured and trusted. This happens through authentication keys. The server signs the data using a private key, while the agent verifies it via public key.
When the server and agent keys mismatch, agents cannot download the new settings from the server. The OfficeScan Server dashboard shows the following message:
One or more OfficeScan Agents do not have a valid OfficeScan server certificate.
Details
To resolve the issue:
- Identify the agents with mismatched certificates.
- Go to [Server Path]\PCCSRV\Admin\Utility\CertificateManager.
- Execute "CertificateManager.exe -l [Output CSV file full path]". All the agents with mismatched certificate will be listed in a CSV file.
- Recover the agent certificate by doing one of the following:
- Option 1: Copy the IpXfer ([Server Path]\PCCSRV\Admin\Utility\IpXfer) and agent certificate ([Server Path]\PCCSRV\Pccnt\Common\OfcNTCer.dat) to the agent with mismatched certificate.
Execute the following command:
- OfficeScan 11.0: IpXfer.exe/IpXfer_x64.exe –e OfcNTCer.dat
- OfficeScan XG: IpXfer.exe/IpXfer_x64.exe –e OfcNTCer.dat -pwd [unload password]
Ipxfer parameters vary among versions. Go to the following article for more information: Manually transferring OfficeScan clients/agents using Client Mover I/Ipxfer tool. - Option 2: Reinstall the agent. Administrator can use single or multiple authentication keys across multiple OfficeScan servers in the same organization. View Authentication of Server-initiated Communications for more information.
- Option 1: Copy the IpXfer ([Server Path]\PCCSRV\Admin\Utility\IpXfer) and agent certificate ([Server Path]\PCCSRV\Pccnt\Common\OfcNTCer.dat) to the agent with mismatched certificate.
If the issue persists, please contact Trend Micro Technical Support for assistance.
