Using Authentication Certificate Manager

The Trend Micro Apex One server maintains expired certificates for Security Agents with expired public keys. For example, Security Agents that have not connected to the server for an extended period of time have expired public keys. When Security Agents reconnect, they associate the expired public key with the expired certificate, allowing them to recognize server-initiated communications. The server then deploys the latest public key to the Security Agents.

When configuring certificates, note the following:

For the certificate path, mapped drives and UNC paths are accepted.
Choose a strong password and then record it for future reference.

Important

When using the Authentication Certificate Manager tool, note the following requirements:

The user must have administrator privileges
The tool can only manage certificates located on the local endpoint

Procedure

On the Trend Micro Apex One server, open a command prompt and change the directory to <Server installation folder>\PCCSRV\Admin\Utility\CertificateManager.

Issue any of the following commands:

Command

Example

Description

CertificateManager.exe
                                             -c [Backup_Password]

CertificateManager.exe -c strongpassword

Generates a new Trend Micro certificate and replaces the existing certificate

Do this if the existing certificate has expired or if it has been leaked to unauthorized parties.

CertificateManager.exe
                                             -r [Password] [Certificate path]

Note

The certificate is in ZIP format.

CertificateManager.exe -r strongpassword D:\Test\TrendMicro.zip

Restores all Trend Micro certificates on the server and sets the certificate properties as exportable

Do this to restore the certificate on a reinstalled Trend Micro Apex One server.

CertificateManager.exe
                                             -re [Password] [Certificate path]

Note

The certificate is in ZIP format.

CertificateManager.exe -re strongpassword D:\Test\TrendMicro.zip

Restores all Trend Micro certificates on the server and sets the certificate properties as not exportable

Do this to restore the certificate on a reinstalled Trend Micro Apex One server.

CertificateManager.exe -e [Certificate
                                             path]

CertificateManager.exe -e <Agent_installation_folder>\OfcNTCer.dat

Exports the Security Agent public key associated with the currently used certificate

Do this if the public key used by endpoints becomes corrupted. Copy the .dat file to the endpoint’s root folder, overwriting the existing file.

Important

The file path of the certificate on the Security Agent must be:

<Agent_installation_folder>\OfcNTCer.dat

CertificateManager.exe
                                             -ine [Password] [Certificate path]

Note

The default file name of the certificate is:

OfcNTCer.pfx

CertificateManager.exe -ine strongpassword D:\Test\OfcNTCer.pfx

Imports a Trend Micro certificate to the certificate store

Important

The ine command imports a certificate and automatically sets the certificate properties to not exportable.

CertificateManager.exe -l [CSV
                                             Path]

CertificateManager.exe -l D:\Test\MismatchedAgentList.csv

Lists endpoints (in CSV format) currently using a mismatched certificate