Protect Deep Security Agent
During agent activation, Deep Security Agent can authenticate the identity of the Workload Security console by pinning the console's certificate to the agent. It does this by validating the connecting console's certificate path and ensuring it is signed by a trusted Certificate Authority (CA). If the certificate path validates, console authentication passes and the agent is activated. This prevents agents from activating with a malicious server that is pretending to be Workload Security.
To protect your agents, you must configure each agent so that it can recognize its authorized manager before it tries to activate.
- Run the following command:
curl "https://web.entrust.com/root-certificates/entrust_g2_ca.cer?_ga=2.268214990.1906231865.1600974902-1043992707.1600974902" > ds_agent_dsm_public_ca.crt
- On the agent computer, place the ds_agent_dsm_public_ca.crt file in one of these locations:
%ProgramData%\Trend Micro\Deep Security Agent\dsa_core
[Warning/2] | SSLVerifyCallback() - verify error 20: unable to get local issuer certificate
Pinning a trusted certificate is optional, so you can ignore this error if it doesn't apply to you. However, if you'd like to use a trusted certificate, follow the steps in the section above before activating the Deep Security Agent.
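The following is an added example, not Trend Micro's code: it reproduces the certificate path check offline with the `openssl` command line, showing a certificate that chains to the pinned CA file and one that does not, which yields the same verify error 20 text as the warning above. It assumes `openssl` is installed; the function names (`make_ca`, `make_leaf`, `check_chain`, `demo`) and all certificate subjects are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Every key, certificate and name below is constructed for
# the demo and generated in a temporary directory.

# make_ca NAME -> NAME.key and NAME.crt (self-signed root, valid for 1 day)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
        -subj "/CN=Constructed $1 CA" -days 1 2>/dev/null
}

# make_leaf CA_NAME LEAF_NAME -> LEAF_NAME.crt signed by CA_NAME
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
        -subj "/CN=$2" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -out "$2.crt" -days 1 2>/dev/null
}

# check_chain CA_FILE CERT_FILE
# Prints "ok" when CERT_FILE chains to CA_FILE; otherwise prints the
# OpenSSL verify error number (20 = unable to get local issuer certificate).
check_chain() {
    if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
        echo "ok"
    else
        printf '%s\n' "$out" |
            sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
    fi
}

demo() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && make_ca pinned && make_ca other &&
      make_leaf pinned console ) || return 1
    # Console certificate checked against the CA that issued it.
    echo "pinned CA file:    $(check_chain "$dir/pinned.crt" "$dir/console.crt")"
    # Same certificate checked against a CA file that did not issue it.
    echo "unrelated CA file: $(check_chain "$dir/other.crt" "$dir/console.crt")"
    rm -rf "$dir"
}

demo
```

To check a real file, pass `ds_agent_dsm_public_ca.crt` as the first argument to `check_chain` and a saved copy of the console's certificate as the second. If the console's certificate was issued through an intermediate CA, this two-file check reports a failure unless the intermediates are supplied as well.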