Authentication of Server-initiated Communications

OfficeScan uses public-key cryptography to authenticate communications that the OfficeScan server initiates on agents. With public-key cryptography, the server keeps a private key and deploys a public key to all agents. The agents use the public key to verify that incoming communications are server-initiated and valid. The agents respond if the verification is successful.


OfficeScan does not authenticate communications that agents initiate on the server.

The public and private keys are associated with a Trend Micro certificate. During installation of the OfficeScan server, Setup stores the certificate in the host’s certificate store. Use the Authentication Certificate Manager tool to manage Trend Micro certificates and keys.

When deciding whether to use a single authentication key across all OfficeScan servers, take note of the following:

  • Implementing a single certificate key is a common practice for standard levels of security. This approach balances the security level of your organization and reduces the overhead associated with maintaining multiple keys.

  • Implementing multiple certificate keys across OfficeScan servers provides a maximum level of security. This approach increases the maintenance required when certificate keys expire and need to be redistributed across the servers.


Before reinstalling the OfficeScan server, ensure that you back up the existing certificate. After the new installation completes, import the backed-up certificate to allow communication authentication between the OfficeScan server and OfficeScan agents to continue uninterrupted. If you create a new certificate during server installation, OfficeScan agents cannot authenticate server communication because they are still using the old certificate (which no longer exists).

For details on backing up, restoring, exporting, and importing certificates, see Using Authentication Certificate Manager.
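
The following is an added illustration, not Trend Micro code: a minimal Go model of the scheme described above. It shows why agents stop accepting server-initiated communications when a reinstalled server creates a new certificate, and why importing the backup fixes that. The Server and Agent types, the function names and the sample message are hypothetical, and Ed25519 is an assumption standing in for the certificate's algorithm, which this page does not specify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server models an OfficeScan server holding the private key (hypothetical type).
type Server struct{ priv ed25519.PrivateKey }

// Agent models an agent holding only the deployed public key (hypothetical type).
type Agent struct{ serverPub ed25519.PublicKey }

// NewServer generates a fresh key pair, as an installation with a new certificate would.
func NewServer() Server {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Server{priv: priv}
}

// Restore models importing a backed-up certificate into a reinstalled server.
func Restore(backup ed25519.PrivateKey) Server { return Server{priv: backup} }

// Deploy hands an agent the server's current public key.
func (s Server) Deploy() Agent {
	return Agent{serverPub: s.priv.Public().(ed25519.PublicKey)}
}

// Send signs a server-initiated message and returns the signature.
func (s Server) Send(msg []byte) []byte { return ed25519.Sign(s.priv, msg) }

// Accept reports whether the agent would respond to the message.
func (a Agent) Accept(msg, sig []byte) bool {
	return ed25519.Verify(a.serverPub, msg, sig)
}

func main() {
	msg := []byte("constructed sample: start scan")
	old := NewServer()
	agent := old.Deploy()
	fmt.Println("original server:", agent.Accept(msg, old.Send(msg)))
	fresh := NewServer() // reinstall that created a new certificate
	fmt.Println("new certificate:", agent.Accept(msg, fresh.Send(msg)))
	restored := Restore(old.priv) // reinstall, then import the backup
	fmt.Println("restored backup:", agent.Accept(msg, restored.Send(msg)))
}
```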