Loading...

Knowledge Center

An intermediate certificate is installed under "Trusted Root Certification Authorities"
Technical Articles ID:   KB87705
Last Modified:  4/14/2017
Rated:

Environment

McAfee Agent (MA) 5.0.4.x
McAfee Endpoint Security (ENS) 10.2.0, 10.1.x
McAfee Host Intrusion Prevention (Host IPS) 8.0 Patch 8
McAfee VirusScan Enterprise (VSE) 8.8.0 Patch 8

Summary

Third-party software might exhibit failures because of the presence of McAfee-provided digital certificates in an improper location of the certificate store. Third-party software affected by this behavior can vary by version.

This article will cite affected versions whenever possible (see the System Change section).

To resolve this issue, refer to the Solution option in this article.

Problem

Installing or upgrading any of the products referenced in this article results in intermediate certificates being installed in the wrong certificate store. This could potentially cause problems with third-party software that rejects non-self-signed certificates in the Trusted Root Certification Authorities certificate store.

Problem

Internet Information Services (IIS) 8 may reject client certificate requests with the following errors:

HTTP 403.16 - Client certificate is untrusted or invalid.

or

HTTP 403.7 - Client certificate required.

For details, see https://support.microsoft.com/en-us/kb/2802568.

Problem

Skype for Business (Lync Server 2013 Front-End service RTCSRV) cannot start in Windows Server 2012.

For details, see http://support.microsoft.com/kb/2795828.

System Change

An installation or upgrade for any of the following products alongside an affected third-party software application:
  • ENS 10.2.0, 10.1.x
  • Host IPS 8.0 Patch 8
  • MA 5.0.4.x
  • VSE 8.8.0 Patch 8
Affected third-party software includes:
  • IIS 8
  • Skype for Business (Lync Server 2013)
  • Exchange 2010 (DAG replication)

Cause

COMODO RSA Code Signing CA and VeriSign Class 3 Code Signing 2010 CA are intermediate certificates. An installation or upgrade of McAfee products installed two intermediate certificates under the Trusted Root Certification Authorities certificate store. The presence of the two intermediate certificates in the Trusted Root Certification Authorities certificate store causes issues with some third-party software.

Solution

This issue is resolved with the following releases which are all available on the Product Download site. The products listed below include Syscore 15.6, which will not incur the problem.

The product releases that include Syscore 15.6 are:
  • ENS 10.2.1 (and 10.2.0 Hotfix 1164434). For the latest release, see KB82761.
  • Host IPS 8.0 Patch 9. For the latest release, see KB70778.
  • VSE 8.8.0 Patch 9. For the latest release, see KB51111.
{GENPA.EN_US}

Workaround

Other options for moving the improperly placed certificates from the Trusted Root Certification Authorities certificate store to the Intermediate Certification Authorities:
  • Locally (manually)
  • Use an Active Directory group policy (for large-scale deployment)

Related Information

For details on moving certificates, see https://technet.microsoft.com/en-us/library/cc771103(v=ws.11).aspx.

To confirm any issue is caused by the COMODO RSA Code Signing CA and VeriSign Class 3 Code Signing 2010 CA certificates being installed in the wrong store:
  1. In an administrative, UAC-elevated cmd.exe prompt, run the following command:

    mmc.exe

  2. In the Console1 - [Console Root] window menu, select FileAdd/Remove Snap-in.
  3. Select Certificates and click Add.
  4. In the Certificates snap-in window, select Computer account and click Next.
  5. Select Local computer: (the computer this console is running on) and click Finish.
  6. In the Add/Remove Snap-ins window, click OK.
  7. In the Console1 - [Console Root] window, expand Console RootCertificates (Local Computer).
  8. Select Trusted Root Certification Authorities.
  9. Select the subfolder Certificates.

    In the right panel you see the following two certificates:
     
    COMODO RSA Code Signing CA
    VeriSign Class 3 Code Signing 2010 CA

    The certificates should, ideally, be present only in the Intermediate Certification Authorities store.

Disclaimer

The content of this article originated in English. If there are differences between the English content and its translation, the English content is always the most accurate. Some of this content has been provided using Machine Translation translated by Microsoft.

Rate this document

Did this article resolve your issue?

Please provide any comments below

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.