An intermediate certificate is installed under "Trusted Root Certification Authorities"

Technical Articles ID: KB87705
Last Modified: 5/29/2020

Environment

McAfee Host Intrusion Prevention (Host IPS) 8.0 Patch 8
McAfee VirusScan Enterprise (VSE) 8.8.0 Patch 8

Summary

Third-party software might exhibit failures because of the presence of McAfee-provided digital certificates in an improper location of the certificate store. Third-party software affected by this behavior can vary by version.

This article cites the affected versions when possible in the "System Change" section.

Problem 1

If you install or upgrade any of the products referenced in this article, it results in intermediate certificates being installed in the wrong certificate store. This action could cause problems with third-party software that rejects non-self-signed certificates in the Trusted Root Certification Authorities certificate store.

Problem 2

Internet Information Services (IIS) 8 might reject client certificate requests with the following errors:

HTTP 403.16 - Client certificate is untrusted or invalid.

HTTP 403.7 - Client certificate required.

For details, see https://support.microsoft.com/en-us/kb/2802568.

Problem 3

Skype for Business (Lync Server 2013 Front-End service RTCSRV) cannot start in Windows Server 2012.

For details, see http://support.microsoft.com/kb/2795828.

System Change

An installation or upgrade for any of the following products alongside an affected third-party software application:

Host IPS 8.0 Patch 8
VSE 8.8.0 Patch 8

Affected third-party software includes:

IIS 8
Skype for Business (Lync Server 2013)
Exchange 2010 (DAG replication)

Cause

COMODO RSA Code Signing CA and Verisign Class 3 Code Signing 2010 CA are intermediate certificates. An installation or upgrade of McAfee products installed two intermediate certificates under the Trusted Root Certification Authorities certificate store. The presence of the two intermediate certificates in the Trusted Root Certification Authorities certificate store causes issues with some third-party software.

Solution

This issue is resolved with the following releases, which are available on the Product Downloads site. The products listed below include SysCore 15.6, which does not incur the problem:

Host IPS 8.0 Patch 9 and later
VSE 8.8.0 Patch 9 and later

Our product software, upgrades, maintenance releases, and documentation are available on the Product Downloads site.

NOTE: You need a valid Grant Number for access. See KB56057 - How to download Enterprise product updates and documentation for more information about the Product Downloads site, and alternate locations for some products.

Workaround

Other options for moving the improperly placed certificates from the Trusted Root Certification Authorities certificate store to the Intermediate Certification Authorities:

Locally (manually)
Use an Active Directory group policy (for large-scale deployment)

Related Information

For details about moving certificates, see https://technet.microsoft.com/en-us/library/cc771103(v=ws.11).aspx.

To confirm that any issue is caused by the COMODO RSA Code Signing CA and Verisign Class 3 Code Signing 2010 CA certificates being installed in the wrong store:

In an administrative, UAC-elevated cmd.exe prompt, run the following command:

mmc.exe

In the Console1 - [Console Root] window menu, select File, Add/Remove Snap-in.
Select Certificates and click Add.
In the Certificates snap-in window, select Computer account and click Next.
Select Local computer: (the computer this console is running on) and click Finish.
In the Add/Remove Snap-ins window, click OK.
In the Console1 - [Console Root] window, expand Console Root, Certificates (Local Computer).
Select Trusted Root Certification Authorities.
Select the subfolder Certificates.

In the right panel, you see the following two certificates:

COMODO RSA Code Signing CA
VeriSign Class 3 Code Signing 2010 CA

The certificates must ideally, be present only in the Intermediate Certification Authorities store.

Affected Products

Host Intrusion Prevention 8.0 (EOL)
Install/Uninstall
Known Issue/Product Defect
Upgrade/Migrate
VirusScan Enterprise 8.8 (EOL)

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Korean
Dutch
Portuguese Brasileiro
Chinese Simplified
Chinese Traditional

Knowledge Center

An intermediate certificate is installed under "Trusted Root Certification Authorities"

Environment

Summary

Problem 1

Problem 2

Problem 3

System Change

Cause

Solution

Workaround

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

An intermediate certificate is installed under "Trusted Root Certification Authorities"

Environment

Summary

Problem 1

Problem 2

Problem 3

System Change

Cause

Solution

Workaround

Related Information

Affected Products

Languages:

Choose your region

Title

Title