During agent activation, the agent can authenticate the identity of the Workload Security
console by pinning the console's certificate to the agent. It does this by validating
the connecting console's certificate path and ensuring it is signed by a trusted Certificate
Authority (CA). If the certificate path is validated, the console authentication passes
and activates the agents. This prevents agents from activating with a malicious server
that is pretending to be Workload Security.
To protect your agents, you must configure each agent so it can recognize its authorized
manager before the agent tries to activate:
Procedure
- Go to Sectigo Intermediate Certificates - RSA.
- Click Download under Root Certificates > SHA-2 Root : USERTrust RSA Certification Authority.
- Copy the downloaded certificate to the agent computer and rename it ds_agent_dsm_public_ca.crt.
- Move the ds_agent_dsm_public_ca.crt file to one of these locations:
  - On Windows: %ProgramData%\Trend Micro\Deep Security Agent\dsa_core
  - On Linux or Unix: /var/opt/ds_agent/dsa_core
Troubleshooting
If you are activating agent version 20.0.1412 or later, the following error message on activation indicates that you have not pinned Workload Security's certificate to the agent:
"[Warning/2] | SSLVerifyCallback() - verify error 20: unable to get local issuer certificate"
Pinning a trusted certificate is optional, so you can ignore this error if it does
not apply to you. However, if you want to use a trusted certificate, you need to protect
your agent before activating it.
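A pre-flight check that does what the agent will do with the pinned file, so you can confirm a pin works before activating and read the verify code (such as error 20 above) from your own terminal. It is an added example, not Trend Micro's code; the CA file name and dsa_core paths come from the procedure, while the console host and port are placeholders you must replace.

```python
"""Pre-flight check for Workload Security agent certificate pinning (added example,
not Trend Micro code): trust ONLY the pinned CA and validate the console's chain."""
import os
import platform
import socket
import ssl
from pathlib import Path

CA_FILENAME = "ds_agent_dsm_public_ca.crt"  # file name from the procedure


def pinned_ca_path() -> Path:
    """Where the agent expects the pinned CA file on this platform."""
    if platform.system() == "Windows":
        base = Path(os.environ.get("ProgramData", r"C:\ProgramData"))
        return base / "Trend Micro" / "Deep Security Agent" / "dsa_core" / CA_FILENAME
    return Path("/var/opt/ds_agent/dsa_core") / CA_FILENAME


def pinned_context(ca_file):
    """Return (ctx, None) with a context trusting ONLY the pinned CA, or (None, reason)."""
    ca_file = Path(ca_file)
    if not ca_file.is_file():
        return None, f"{ca_file} not found; activation would run without pinning"
    # PROTOCOL_TLS_CLIENT: CERT_REQUIRED plus hostname check, no system trust store loaded
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=str(ca_file))
    except (ssl.SSLError, OSError) as exc:
        return None, f"{ca_file} is not a loadable PEM certificate: {exc}"
    if not ctx.get_ca_certs():  # a leaf cert (e.g. the console's own) is no trust anchor
        return None, f"{ca_file} holds no CA certificate; download the root CA instead"
    return ctx, None


def verify_console(host, port, ca_file):
    """Return (ok, detail); a failure carries the OpenSSL verify code the agent logs (20 = no issuer)."""
    ctx, reason = pinned_context(ca_file)
    if ctx is None:
        return False, reason
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"chain validates against pin; negotiated {tls.version()}"
    except ssl.SSLCertVerificationError as exc:
        return False, f"verify error {exc.verify_code}: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    print(verify_console("workload-security.example", 443, pinned_ca_path()))  # placeholder host
```

Run it on the agent computer after placing the file; a result of `verify error 20` means the console's issuer chain does not lead to the CA you pinned, so check that you downloaded the root certificate named in the procedure.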