Authentication of Server-initiated Communications

Apex One uses public-key cryptography to authenticate communications that the Apex One server initiates on agents. With public-key cryptography, the server keeps a private key and deploys a public key to all agents. The agents use the public key to verify that incoming communications are server-initiated and valid. The agents respond if the verification is successful.


Apex One does not authenticate communications that agents initiate on the server.

The public and private keys are associated with a Trend Micro certificate. During installation of the Apex One server, Setup stores the certificate on the host’s certificate store. Use the Authentication Certificate Manager tool to manage Trend Micro certificates and keys.

When deciding on whether to use a single authentication key across all Apex One servers, take note of the following:

  • Implementing a single certificate key is a common practice for standard levels of security. This approach balances the security level of your organization and reduces the overhead associated with maintaining multiple keys.

  • Implementing multiple certificate keys across Apex One servers provides a maximum level of security. This approach increases the maintenance required when certificate keys expire and need to be redistributed across the servers.


Before reinstalling the Apex One server, ensure that you back up the existing certificate. After the new installation completes, import the backed up certificate to allow communication authentication between the Apex One server and Security Agents to continue uninterrupted. If you create a new certificate during server installation, Security Agents cannot authenticate server communication because they are still using the old certificate (which no longer exists).

For details on backing up, restoring, exporting, and importing certificates, see Using Authentication Certificate Manager.