During agent activation, Deep Security Agent can authenticate the identity of its Deep Security Manager by pinning the manager's certificate to the agent. It does this by validating the connecting manager's certificate path and ensuring it is signed by a trusted Certificate Authority (CA). If the certificate path validates, manager authentication succeeds and the agent activates. This prevents agents from activating with a malicious server that is pretending to be your Deep Security Manager.
To protect your agents, you must configure each agent so it can recognize its authorized manager before the agent tries to activate.
Import a Deep Security Manager certificate chain issued by a public CA
- Prepare a `chain.pem` file based on the following specifications:
  - The X509 certificate that corresponds to the private key.
  - Any other intermediate X509 certificates needed to build a chain of trust to a trusted certificate authority (CA) root. Each certificate must sign the certificate that directly precedes it, so the order is important. See `certificate_list` in the RFC.
- On Deep Security Manager, run the following command to import the certificate chain:
  /opt/dsm/dsm_c -action agentHBPublicServerCertificate -set ${path_to_pem_file}
  `${path_to_pem_file}` must be an absolute path.
- Copy the public CA certificate and rename it to `ds_agent_dsm_public_ca.crt`.
- On the agent computer, place the `ds_agent_dsm_public_ca.crt` file in one of these locations:
  - On Windows: `%ProgramData%\Trend Micro\Deep Security Agent\dsa_core`
  - On Linux or Unix: `/var/opt/ds_agent/dsa_core`
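The ordering rule for chain.pem (each certificate signs the one before it, ending at the CA root you copy to ds_agent_dsm_public_ca.crt) is easy to get wrong when the file is assembled by hand. The following Python script is an added example, not part of this documentation or of Deep Security itself: using only the standard library it reads the issuer and subject of each certificate straight from the DER structure and reports any certificate whose issuer is not the subject of the next one, and whether the chain ends at the CA in ds_agent_dsm_public_ca.crt. It checks names and order only, not signatures, which the agent verifies at activation.

```python
import base64, re

# Matches every PEM certificate block in a file such as chain.pem.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_ders(pem):
    """Return the DER bytes of each certificate in a PEM file, in file order."""
    return [base64.b64decode(b"".join(m.split())) for m in PEM_RE.findall(pem)]

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (real certificates need this)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def names(der):
    """Return (issuer, subject) of a DER X.509 certificate as raw DER Name bytes."""
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _tlv(cert, 0)               # TBSCertificate ::= SEQUENCE { ... }
    tag, _, pos = _tlv(tbs, 0)              # optional [0] EXPLICIT version
    pos = pos if tag == 0xA0 else 0
    _, _, pos = _tlv(tbs, pos)              # serialNumber
    _, _, pos = _tlv(tbs, pos)              # signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)         # issuer Name
    _, _, pos = _tlv(tbs, pos)              # validity
    _, subject, _ = _tlv(tbs, pos)          # subject Name
    return issuer, subject

def check_order(chain_ders, root_der):
    """Return a list of problems with the chain order; an empty list means it is consistent."""
    if not chain_ders:
        return ["chain.pem contains no certificates"]
    chain = [names(d) for d in chain_ders]
    root_issuer, root_subject = names(root_der)
    problems = []
    for i in range(len(chain) - 1):
        if chain[i][0] != chain[i + 1][1]:  # issuer of cert i must be the subject of cert i+1
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    if chain[-1][0] != root_subject:
        problems.append("last certificate is not issued by the CA in ds_agent_dsm_public_ca.crt")
    if root_issuer != root_subject:
        problems.append("ds_agent_dsm_public_ca.crt is not self-signed, so it is not a root CA")
    return problems

def check_chain(chain_pem, root_pem):
    """Takes the contents of chain.pem and ds_agent_dsm_public_ca.crt as bytes."""
    return check_order(pem_to_ders(chain_pem), pem_to_ders(root_pem)[0])
```

Comparing DER-encoded Names byte for byte is enough to catch a shuffled or truncated chain before running dsm_c; it is not a substitute for the signature validation the agent performs.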
If you have installed Deep Security Manager 20.0.262 and are activating Deep Security Agent 20.0.1540 or later, the following error message appears upon activation, which indicates you have not pinned the manager's certificate to the agent:
"[Warning/2] | SSLVerifyCallback() - verify error 20: unable to get local issuer certificate"
Pinning a trusted certificate is optional, so you can ignore this error if it does not apply to you. However, if you want to use a trusted certificate, follow the preceding steps before activating Deep Security Agent.
To confirm that the certificate chain has been imported, enter the following command:
/opt/dsm/dsm_c -action agentHBPublicServerCertificate -isSet
Delete the imported certificate chain
To stop using a Deep Security Manager certificate chain issued by a public CA, enter the following command:
/opt/dsm/dsm_c -action agentHBPublicServerCertificate -delete
By default, Deep Security Manager reverts to using a self-signed certificate.