Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Configuring Apex One to use a certificate signed by corporate Certificate Authority

    • Updated:
    • 6 Oct 2020
    • Product/Version:
    • Apex One 2019
    • Apex One All.All
    • Platform:
    • N/A N/A

In some environments, customers use their own Certificate Authority (CA). This article provides the steps if a customer wishes to use their own certificate.


What’s the use of Web Host Certificate?

Web Host Certificate is used for Apex One web console for encrypted connection and identity. Replacing it with trusted CA can prevent browsers like Chrome, to pop up/display security alerts. To replace the Web Host Certificate, the new certificate has to use a host name of Apex One server as the CN name.

Steps for replacing Web Host Certificate

  1. Generate the 3rd-party certificate with name: CN={HostName} (e.g. and export the public (.cer) and private key (.pfx).
  2. Import the private key into [Certificate Store]\Personal\Certificates\.

    When importing this key, make sure the option "Mark this key as exportable..." is checked.

    3rd Party Certificate

  3. Import the public key into [Certificate Store]\Trusted People\Certificates\.

    3rd Party Certificate

  4. Starting from Apex One 2019, new modules in Apex One Security Agent will authenticate whether the communication peer is a valid Apex One server. Please rename the above public key (.cer) to "OfcIPCer.dat" and then copy it to {Apex One Server Installation}\PCCSRV\Pccnt\Common\ and overwrite the existing file. This managed key will be deployed to the managed Apex One Security Agents. For example:

    Copy <server_public_key>.cer to {Apex One Server Installation}\PCCSRV\Pccnt\Common\OfcIPCer.dat

  5. Bind 3rd-party signed certificate to IIS:
    1. Press the Windows button + R, and then type "inetmgr.exe". This will open the IIS Manager
    2. Expand site node and highlight "Apex One virtual site" (OfficeScan in this example).

      Expand site node

    3. In the Actions pane, click Bindings... to open the Site Bindings window.
    4. In the Site Bindings window, select Type="https" and click Edit....

      Site bindings

      The Edit Site Binding window will appear.

    5. From the SSL Certificate section, click the Select... button and choose the certificate generated from the previous steps.
    6. Click OK to close the window.
  6. Additionally, if you find that there are 403.16 error codes in the IIS log, this means that the client certificate is untrusted or invalid. Please examine your system and apply the suggested resolutions accordingly:
    1. Execute the PowerShell command below with administrator permission to find any inappropriate root certificates in Trusted Root Certification Authorities store.

      Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject}

      The above command will examine all the root certificates to see if their certification authority are all in the Trusted Root Certification Authorities store, and list any non–self-signed certificates whose "Issued To" and "Issued By" values are not an exact match.

      [Solution]: Please refer to the Resolution section of "HTTP Error 403.16 - Forbidden" when you try to access a website that's hosted on IIS 7.0 to move any non–self-signed certificates out of the Trusted Root Certification Authorities certificate store and into the Intermediate Certification Authorities certificate store.

    2. If the 403.16 error code continues to appear, you can turn on the Exclusive CA Trust mode which described in What's New in TLS/SSL (Schannel SSP).

      [Solution]: Open the registry editor (regedit.exe) and add the following registry values:

      Name: ClientAuthTrustMode
      Type: REG_DWORD
      Value: 2

      Here are the possible values of ClientAuthTrustMode for reference:

      ValueTrust ModeDescription
      0Machine Trust (default)Requires that the client certificate is issued by a certificate in the Trusted Issuers list.
      1Exclusive Root TrustRequires that a client certificate chains to a root certificate contained in the caller-specified trusted issuer store. The certificate must also be issued by an issuer in the Trusted Issuers list.
      2Exclusive CA TrustRequires that a client certificate chains to either an intermediate CA certificate or root certificate in the caller-specified trusted issuer store.
  7. Follow the instructions in this KB article to avoid the certificate from automatically being reverted.
Solution Id:
Did this article help you?

Thank you for your feedback!

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.