Views:

Affected Regions

us-east-1
af-south-1
ap-southeast-3

Affected Products

Trend Micro Cloud One - Endpoint and Workload Security
Trend Micro Vision One Server & Workload Protection

Affected Agent Versions

All Deep Security Agent (DSA) versions in the affected regions.

Why This Upgrade Is Happening

The RSA key length used in agent-side Heartbeat certificates is being increased from 2048-bit to 3072-bit. The longer key length provides stronger encryption, making it significantly more difficult for attackers to compromise the communication between the Deep Security Agent and Heartbeat Service nodes. This change aligns with current industry best practices and evolving security certification requirements.

RSA 3072-bit is an industry standard. Modern network infrastructure, including SSL inspection devices, is expected to support this change without issue. Customers using legacy or non-standard SSL inspection infrastructure should verify compatibility.

Certificate Files Updated

The certificate files rotated depend on the agent version installed:

DSA versions below 20.0.0.1348: Only ds_agent.crt and ds_agent_dsm.crt are rotated. The ds_agent_dsm_ca.crt file does not exist for these versions and is not rotated.
DSA version 20.0.0.1348 and later: All three files are rotated — ds_agent.crt, ds_agent_dsm.crt, and ds_agent_dsm_ca.crt.

Certificate File Locations

Linux/macOS:

/var/opt/ds_agent/dsa_core/ds_agent_dsm_ca.crt
/var/opt/ds_agent/dsa_core/ds_agent_dsm.crt
/var/opt/ds_agent/dsa_core/ds_agent.crt

Windows:

C:\ProgramData\Trend Micro\Deep Security Agent\dsa_core\ds_agent_dsm_ca.crt
C:\ProgramData\Trend Micro\Deep Security Agent\dsa_core\ds_agent_dsm.crt
C:\ProgramData\Trend Micro\Deep Security Agent\dsa_core\ds_agent.crt

What to Expect — No Action Required

The certificate rotation is fully automatic. No manual intervention is required:

Certificates are rotated automatically at the agent's next regular heartbeat.
No agent restart or redeployment is needed.
No changes are required on the Manager or console.
There is no impact to regular agent-manager communication and no downtime or performance impact.
The rollout is targeted for completion by June 30, 2026 for all three regions.

Verifying the Certificate Upgrade

To confirm that the RSA 3072-bit certificates have been applied, run the following commands as an elevated user with appropriate permissions.

Linux/macOS

openssl x509 -in /var/opt/ds_agent/dsa_core/ds_agent_dsm_ca.crt -text -noout | grep -A1 "Public Key"
openssl x509 -in /var/opt/ds_agent/dsa_core/ds_agent_dsm.crt -text -noout | grep -A1 "Public Key"
openssl x509 -in /var/opt/ds_agent/dsa_core/ds_agent.crt -text -noout | grep -A1 "Public Key"

Windows (PowerShell / certutil)

certutil -dump "C:\ProgramData\Trend Micro\Deep Security Agent\dsa_core\ds_agent_dsm_ca.crt" | findstr /I /C:"Public Key Length"
certutil -dump "C:\ProgramData\Trend Micro\Deep Security Agent\dsa_core\ds_agent_dsm.crt" | findstr /I /C:"Public Key Length"
certutil -dump "C:\ProgramData\Trend Micro\Deep Security Agent\dsa_core\ds_agent.crt" | findstr /I /C:"Public Key Length"

NOTE: On agents below version 20.0.0.1348, ds_agent_dsm_ca.crt does not exist. Only ds_agent.crt and ds_agent_dsm.crt will reflect the 3072-bit key length.

Confirmation via System Event

When an agent's certificate has been successfully updated, System Event ID 702 — "Credentials Generated" will appear in the Manager/console for each updated agent.

KA-0021406 — Updating self-signed Heartbeat certificates SSL/TLS encryption for Trend Micro Cloud One – Endpoint and Workload Security and Vision One Server & Workload Protection
KA-0020700 — Updating Heartbeat SSL certificate from RSA 2048-bit to RSA 3072-bit SSL/TLS encryption for Trend Micro Cloud One – Endpoint and Workload Security and Vision One Server & Workload Protection

Questions or Concerns

For support assistance, contact TrendAI™ Technical Support.

Keywords: RSA 3072-bit Heartbeat certificate upgrade, self-signed certificate rotation Deep Security Agent, Heartbeat SSL TLS encryption update, Deep Security Agent certificate key length, us-east-1 af-south-1 ap-southeast-3 rollout, Cloud One Workload Security certificate rotation

Updating self-signed Heartbeat certificates SSL/TLS encryption to RSA 3072-bit in us-east-1, af-south-1, and ap-southeast-3 regions: TrendAI™ Cloud One - Endpoint and Workload Security and TrendAI Vision One™ Server & Workload Protection

Product / Version includes:

Cloud One - Endpoint and Workload Security All , TrendAI Vision One™ Server and Workload Protection (SWP) All , TrendAI Vision One™ Endpoint Security

Last updated: 2026/05/27

Solution ID: KA-0023508

Category:

Summary

As part of the continued global rollout of RSA 3072-bit encryption for self-signed Heartbeat certificates — previously announced in KA-0021406 and the public CA update in KA-0020700 — TrendAI™ is proceeding with the certificate upgrade for the us-east-1 region, as well as two newly introduced regions: af-south-1 and ap-southeast-3.

The us-east-1 was previously planned as part of the original rollout but was postponed to allow for improvements to the rollout workflows for its size and scale, to ensure a smoother customer experience. The newly introduced regions af-south-1 and ap-southeast-3 are included in this rollout as part of their infrastructure onboarding, ensuring they are aligned with the current security baseline from the outset.

Affected Regions

us-east-1
af-south-1
ap-southeast-3

Affected Products

Trend Micro Cloud One - Endpoint and Workload Security
Trend Micro Vision One Server & Workload Protection

Affected Agent Versions

All Deep Security Agent (DSA) versions in the affected regions.

Why This Upgrade Is Happening

Certificate Files Updated

The certificate files rotated depend on the agent version installed:

DSA versions below 20.0.0.1348: Only ds_agent.crt and ds_agent_dsm.crt are rotated. The ds_agent_dsm_ca.crt file does not exist for these versions and is not rotated.
DSA version 20.0.0.1348 and later: All three files are rotated — ds_agent.crt, ds_agent_dsm.crt, and ds_agent_dsm_ca.crt.

Certificate File Locations

Linux/macOS:

/var/opt/ds_agent/dsa_core/ds_agent_dsm_ca.crt
/var/opt/ds_agent/dsa_core/ds_agent_dsm.crt
/var/opt/ds_agent/dsa_core/ds_agent.crt

Windows:

C:\ProgramData\Trend Micro\Deep Security Agent\dsa_core\ds_agent_dsm_ca.crt
C:\ProgramData\Trend Micro\Deep Security Agent\dsa_core\ds_agent_dsm.crt
C:\ProgramData\Trend Micro\Deep Security Agent\dsa_core\ds_agent.crt

What to Expect — No Action Required

The certificate rotation is fully automatic. No manual intervention is required:

Certificates are rotated automatically at the agent's next regular heartbeat.
No agent restart or redeployment is needed.
No changes are required on the Manager or console.
There is no impact to regular agent-manager communication and no downtime or performance impact.
The rollout is targeted for completion by June 30, 2026 for all three regions.

Verifying the Certificate Upgrade

To confirm that the RSA 3072-bit certificates have been applied, run the following commands as an elevated user with appropriate permissions.

Linux/macOS

openssl x509 -in /var/opt/ds_agent/dsa_core/ds_agent_dsm_ca.crt -text -noout | grep -A1 "Public Key"
openssl x509 -in /var/opt/ds_agent/dsa_core/ds_agent_dsm.crt -text -noout | grep -A1 "Public Key"
openssl x509 -in /var/opt/ds_agent/dsa_core/ds_agent.crt -text -noout | grep -A1 "Public Key"

Windows (PowerShell / certutil)

certutil -dump "C:\ProgramData\Trend Micro\Deep Security Agent\dsa_core\ds_agent_dsm_ca.crt" | findstr /I /C:"Public Key Length"
certutil -dump "C:\ProgramData\Trend Micro\Deep Security Agent\dsa_core\ds_agent_dsm.crt" | findstr /I /C:"Public Key Length"
certutil -dump "C:\ProgramData\Trend Micro\Deep Security Agent\dsa_core\ds_agent.crt" | findstr /I /C:"Public Key Length"

NOTE: On agents below version 20.0.0.1348, ds_agent_dsm_ca.crt does not exist. Only ds_agent.crt and ds_agent_dsm.crt will reflect the 3072-bit key length.

Confirmation via System Event

When an agent's certificate has been successfully updated, System Event ID 702 — "Credentials Generated" will appear in the Manager/console for each updated agent.

KA-0021406 — Updating self-signed Heartbeat certificates SSL/TLS encryption for Trend Micro Cloud One – Endpoint and Workload Security and Vision One Server & Workload Protection
KA-0020700 — Updating Heartbeat SSL certificate from RSA 2048-bit to RSA 3072-bit SSL/TLS encryption for Trend Micro Cloud One – Endpoint and Workload Security and Vision One Server & Workload Protection

Questions or Concerns

For support assistance, contact TrendAI™ Technical Support.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Updating self-signed Heartbeat certificates SSL/TLS encryption to RSA 3072-bit in us-east-1, af-south-1, and ap-southeast-3 regions: TrendAI™ Cloud One - Endpoint and Workload Security and TrendAI Vision One™ Server & Workload Protection

Affected Regions

Affected Products

Affected Agent Versions

Why This Upgrade Is Happening

Certificate Files Updated

Certificate File Locations

What to Expect — No Action Required

Verifying the Certificate Upgrade

Confirmation via System Event

Related Articles

Questions or Concerns

Updating self-signed Heartbeat certificates SSL/TLS encryption to RSA 3072-bit in us-east-1, af-south-1, and ap-southeast-3 regions: TrendAI™ Cloud One - Endpoint and Workload Security and TrendAI Vision One™ Server & Workload Protection

Product / Version includes:

Summary

Affected Regions

Affected Products

Affected Agent Versions

Why This Upgrade Is Happening

Certificate Files Updated

Certificate File Locations

What to Expect — No Action Required

Verifying the Certificate Upgrade

Confirmation via System Event

Related Articles

Questions or Concerns