An intermediate certificate is installed under "Trusted Root Certification Authorities"

Technical Articles ID: KB87705
Last Modified: 1/10/2020

Environment

McAfee Agent (MA) 5.0.4.x
McAfee Endpoint Security (ENS) 10.2.0, 10.1.x
McAfee Host Intrusion Prevention (Host IPS) 8.0 Patch 8
McAfee VirusScan Enterprise (VSE) 8.8.0 Patch 8

Summary

Third-party software might exhibit failures because of the presence of McAfee-provided digital certificates in an improper location of the certificate store. Third-party software affected by this behavior can vary by version.

This article will cite affected versions whenever possible (see the System Change section).

To resolve this issue, refer to the Solution option in this article.

Problem

Installing or upgrading any of the products referenced in this article results in intermediate certificates being installed in the wrong certificate store. This could potentially cause problems with third-party software that rejects non-self-signed certificates in the Trusted Root Certification Authorities certificate store.

Problem

Internet Information Services (IIS) 8 may reject client certificate requests with the following errors:

HTTP 403.16 - Client certificate is untrusted or invalid.

HTTP 403.7 - Client certificate required.

For details, see https://support.microsoft.com/en-us/kb/2802568.

Problem

Skype for Business (Lync Server 2013 Front-End service RTCSRV) cannot start in Windows Server 2012.

For details, see http://support.microsoft.com/kb/2795828.

System Change

An installation or upgrade for any of the following products alongside an affected third-party software application:

ENS 10.2.0, 10.1.x
Host IPS 8.0 Patch 8
MA 5.0.4.x
VSE 8.8.0 Patch 8

Affected third-party software includes:

IIS 8
Skype for Business (Lync Server 2013)
Exchange 2010 (DAG replication)

Cause

COMODO RSA Code Signing CA and VeriSign Class 3 Code Signing 2010 CA are intermediate certificates. An installation or upgrade of McAfee products installed two intermediate certificates under the Trusted Root Certification Authorities certificate store. The presence of the two intermediate certificates in the Trusted Root Certification Authorities certificate store causes issues with some third-party software.

Solution

This issue is resolved with the following releases which are all available on the Product Download site. The products listed below include Syscore 15.6, which will not incur the problem.

The product releases that include Syscore 15.6 are:

ENS 10.2.1 (and 10.2.0 Hotfix 1164434). For the latest release, see KB82761.
Host IPS 8.0 Patch 9. For the latest release, see KB70778.
VSE 8.8.0 Patch 9. For the latest release, see KB51111.

McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.

Workaround

Other options for moving the improperly placed certificates from the Trusted Root Certification Authorities certificate store to the Intermediate Certification Authorities:

Locally (manually)
Use an Active Directory group policy (for large-scale deployment)

Related Information

For details on moving certificates, see https://technet.microsoft.com/en-us/library/cc771103(v=ws.11).aspx.

To confirm any issue is caused by the COMODO RSA Code Signing CA and VeriSign Class 3 Code Signing 2010 CA certificates being installed in the wrong store:

In an administrative, UAC-elevated cmd.exe prompt, run the following command:

mmc.exe

In the Console1 - [Console Root] window menu, select File, Add/Remove Snap-in.
Select Certificates and click Add.
In the Certificates snap-in window, select Computer account and click Next.
Select Local computer: (the computer this console is running on) and click Finish.
In the Add/Remove Snap-ins window, click OK.
In the Console1 - [Console Root] window, expand Console Root, Certificates (Local Computer).
Select Trusted Root Certification Authorities.
Select the subfolder Certificates.

In the right panel you see the following two certificates:

COMODO RSA Code Signing CA
VeriSign Class 3 Code Signing 2010 CA

The certificates should, ideally, be present only in the Intermediate Certification Authorities store.

Affected Products

Host Intrusion Prevention 8.0
Install/Uninstall
Known Issue/Product Defect
McAfee Agent 5.0.x (EOL)
Upgrade/Migrate
VirusScan Enterprise 8.8

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Korean
Dutch
Portuguese Brasileiro
Chinese Simplified
Chinese Traditional

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

An intermediate certificate is installed under "Trusted Root Certification Authorities"

Environment

Summary

Problem

Problem

Problem

System Change

Cause

Solution

Workaround

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Featured Solutions

Explore Our Portfolio

Security Outcomes

Industries

Products

Featured Solutions

Explore Our Portfolio

MVISION Products

Services & Training

Threat Research

Our Researchers

Threat Landscape Dashboard

Tools

Contact Us

Resources

Downloads

Product Help

Connect with Us

Explore

Our Company

Our Efforts

Other Resources

Careers

Partnerships

An intermediate certificate is installed under "Trusted Root Certification Authorities"

Environment

Summary

Problem

Problem

Problem

System Change

Cause

Solution

Workaround

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title