
Review when to update the public keys for using Server & Workload Protection with Linux Secure Boot.

Certain scenarios require you to update the enrolled public keys that verify the signed Trend Micro kernel modules.
Important
If a public key for Secure Boot becomes invalid and you do not replace it, an Engine Offline message might appear in the console and the computer will not be protected.
For Server & Workload Protection component version 20.x.x to use Secure Boot with minimum disruption, enroll both the DS2022.der and DS20_v2.der keys.
When the agent is deployed on SuSE 15 with kernel 5.3.18-24.34-default or later, DS20_v2.der is required because the kernel's verification of module signatures changed in that version.
  • Linux kernel module signature verification has changed
    When you update the Linux kernel, the method that it uses to verify kernel module signatures might change. This may require you to replace the enrolled public keys. For example, SuSE 15 added extended key usage (EKU) code signing verification in kernel version 5.3.18-24.34-default, which required a new public key version, DS20_v2.der.
  • You upgrade the agent to a newer major release
    In every major release of the agent, Trend Micro refreshes the public keys for Secure Boot kernel module signatures. New kernel module signatures cannot be validated with an old public key. As a result, when you upgrade the agent, you must also enroll the new public key.
  • The public key has expired
    If Trend Micro extends an end-of-life date, Trend Micro creates a new public key that matches the new end-of-life date. Replace the old public key with the new one, then upgrade the agent.
    Component version   Key           Expiry date   Comment
    20.x.x              DS2022.der    24-Nov-2031   A new replacement key is expected to be released one year before the expiry date.
    20.x.x              DS20.der      26-Nov-2024   DS20.der was replaced by DS2022.der. DS2022.der must have been enrolled prior to the expiry date of DS20.der.
    20.x.x              DS20_v2.der   24-Oct-2026   Required for SuSE 15 kernels 5.3.18-24.34-default and later. DS20_v2.der will be replaced by DS2022.der upon its expiry. Ensure that DS2022.der is enrolled prior to the expiry date of DS20_v2.der.
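The check a practitioner wants after reading the table above is an automated one: is each key file still within its validity period, and is it actually enrolled in the machine's MOK list? The script below is an added example, not part of the Trend Micro documentation or the agent. It assumes openssl, mokutil and GNU date are installed and that the .der files sit in KEY_DIR, an assumed path that you should point at wherever the agent package placed the keys. It flags a key as "replace" when it has a year or less left, matching the one-year replacement window stated in the table.

```shell
#!/bin/sh
# Added example (not from the Trend Micro documentation): report expiry and MOK
# enrolment state of the Secure Boot public keys named on this page.
# Assumptions: openssl and mokutil are installed, GNU date is available, and the
# .der files live in KEY_DIR (an assumed path; override with KEY_DIR=...).

KEY_DIR="${KEY_DIR:-/opt/ds_agent/secureboot}"   # assumed location, not from the page
KEYS="DS20.der DS2022.der DS20_v2.der"
WARN_DAYS=365   # the page: a replacement key is expected one year before expiry

# Print a DER certificate's notAfter field, e.g. "Nov 24 23:59:59 2031 GMT".
key_not_after() {
    openssl x509 -inform der -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Whole days from a reference epoch ($2, seconds) until a notAfter string ($1).
# Negative means the key has already expired.
days_until() {
    end_epoch=$(date -u -d "$1" +%s) || return 1
    echo $(( (end_epoch - $2) / 86400 ))
}

# Exit 0 when a key with $1 days left should be replaced now (expired, or
# inside the one-year window in which the successor key is shipped).
needs_replacement() {
    [ "$1" -le "$WARN_DAYS" ]
}

# Exit 0 when the certificate's SHA1 fingerprint appears in the enrolled MOK
# list. mokutil prints fingerprints in lower case and openssl in upper case,
# so the match is case-insensitive.
key_enrolled() {
    fp=$(openssl x509 -inform der -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//')
    [ -n "$fp" ] && mokutil --list-enrolled 2>/dev/null | grep -qi "$fp"
}

# One status line per key: enrolment state, expiry date, days left, action.
report_keys() {
    now=$(date -u +%s)
    for k in $KEYS; do
        f="$KEY_DIR/$k"
        if [ ! -f "$f" ]; then
            echo "$k: file not found in $KEY_DIR"
            continue
        fi
        na=$(key_not_after "$f")
        left=$(days_until "$na" "$now")
        if key_enrolled "$f"; then st="enrolled"; else st="NOT enrolled"; fi
        if needs_replacement "$left"; then
            act="replace: enroll the successor key now"
        else
            act="ok"
        fi
        echo "$k: $st, expires $na ($left days), $act"
    done
}

# Run the report when executed directly; do nothing if KEY_DIR is absent.
[ -d "$KEY_DIR" ] && report_keys || true
```

A key reported as "NOT enrolled" is added with `mokutil --import /path/to/DS2022.der`, which asks for a one-time password; the enrolment is completed in the MOK manager on the next reboot. Note that the enrolment check is per machine: the key may be present on disk but never have been enrolled on a host that was reimaged, which is exactly the case that leaves the engine offline.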