Loading...

Knowledge Center


An intermediate certificate is installed under "Trusted Root Certification Authorities"
Technical Articles ID:   KB87705
Last Modified:  3/9/2017
Rated:


Environment

McAfee Agent (MA) 5.0.4.x
McAfee Endpoint Security (ENS) 10.2.x, 10.1.x
McAfee Host Intrusion Prevention (Host IPS) 8.0 Patch 8
McAfee VirusScan Enterprise (VSE) 8.8.0 Patch 8

Summary

Third-party software might exhibit failures because of the presence of McAfee-provided digital certificates in an improper location of the certificate store. Third-party software affected by this behavior can vary by version.

This article will cite affected versions whenever possible (see the System Change section).

To resolve this issue refer to the Workaround options in this article.

Problem

Installing or upgrading any of the products referenced in this article results in intermediate certificates being installed in the wrong certificate store. This could potentially cause problems with third-party software that rejects non-self-signed certificates in the Trusted Root Certification Authorities certificate store.

Problem

Internet Information Services (IIS) 8 may reject client certificate requests with the following errors:

HTTP 403.16 - Client certificate is untrusted or invalid.

or

HTTP 403.7 - Client certificate required.

For details, see https://support.microsoft.com/en-us/kb/2802568.

Problem

Skype for Business (Lync Server 2013 Front-End service RTCSRV) cannot start in Windows Server 2012.

For details, see http://support.microsoft.com/kb/2795828.

System Change

An installation or upgrade for any of the following products alongside an affected third-party software application:
  • ENS 10.2.x, 10.1.x
  • Host IPS 8.0 Patch 8
  • MA 5.0.4.x
  • VSE 8.8.0 Patch 8
Affected third-party software includes:
  • IIS 8
  • Skype for Business (Lync Server 2013)
  • Exchange 2010 (DAG replication)

Cause

COMODO RSA Code Signing CA and VeriSign Class 3 Code Signing 2010 CA are intermediate certificates. An installation or upgrade of McAfee products installed two intermediate certificates under the Trusted Root Certification Authorities certificate store. The presence of the two intermediate certificates in the Trusted Root Certification Authorities certificate store causes issues with some third-party software.

Solution

Use the provided applet (see Workaround 1) to resolve the issue.

Future products that include Syscore 15.6 will not have this issue.  

Endpoint Security 10.2.0 Hotfix 1164434 correctly places the certificate in the certificate store.

{GENPA.EN_US}

Workaround

Move the improperly placed certificates from the Trusted Root Certification Authorities certificate store to the Intermediate Certification Authorities certificate store using the provided applet (the Release Notes attached to this article include instructions to obtain the applet).

NOTE: The applet is officially supported.

Download the Release Notes--Setup--SYSCORE--Certificate--KB87705.txt file attached to this article. The TXT file contains guidance for obtaining the applet.

The applet includes a stand-alone EXE that you can run with Administrator privileges to correct affected systems. You can also use third-party deployment solutions to distribute it to clients. The applet includes a package that can be distributed through an ePolicy Orchestrator deployment task.

IMPORTANT: If you have taken steps to remediate an affected system, and then install one of the listed McAfee product versions, the remediation steps must be repeated.
 

Workaround

Other options for moving the improperly placed certificates from the Trusted Root Certification Authorities certificate store to the Intermediate Certification Authorities:
  • Locally (manually)
  • Use an Active Directory group policy (for large-scale deployment)

Attachment

Release Notes--Setup--SYSCORE--Certificate--KB87705.txt
6K • < 1 minute @ 56k, < 1 minute @ broadband


Rate this document

Did this article resolve your issue?

Please provide any comments below

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.