Knowledge Center

An intermediate certificate is installed under "Trusted Root Certification Authorities"
Technical Articles ID:   KB87705
Last Modified:  7/19/2018


McAfee Agent (MA) 5.0.4.x
McAfee Endpoint Security (ENS) 10.2.0, 10.1.x
McAfee Host Intrusion Prevention (Host IPS) 8.0 Patch 8
McAfee VirusScan Enterprise (VSE) 8.8.0 Patch 8


Third-party software might exhibit failures because of the presence of McAfee-provided digital certificates in an improper location of the certificate store. Third-party software affected by this behavior can vary by version.

This article will cite affected versions whenever possible (see the System Change section).

To resolve this issue, refer to the Solution option in this article.


Installing or upgrading any of the products referenced in this article results in intermediate certificates being installed in the wrong certificate store. This could potentially cause problems with third-party software that rejects non-self-signed certificates in the Trusted Root Certification Authorities certificate store.


Internet Information Services (IIS) 8 may reject client certificate requests with the following errors:

HTTP 403.16 - Client certificate is untrusted or invalid.


HTTP 403.7 - Client certificate required.

For details, see https://support.microsoft.com/en-us/kb/2802568.


Skype for Business (Lync Server 2013 Front-End service RTCSRV) cannot start in Windows Server 2012.

For details, see http://support.microsoft.com/kb/2795828.

System Change

An installation or upgrade for any of the following products alongside an affected third-party software application:
  • ENS 10.2.0, 10.1.x
  • Host IPS 8.0 Patch 8
  • MA 5.0.4.x
  • VSE 8.8.0 Patch 8
Affected third-party software includes:
  • IIS 8
  • Skype for Business (Lync Server 2013)
  • Exchange 2010 (DAG replication)


COMODO RSA Code Signing CA and VeriSign Class 3 Code Signing 2010 CA are intermediate certificates. An installation or upgrade of McAfee products installed two intermediate certificates under the Trusted Root Certification Authorities certificate store. The presence of the two intermediate certificates in the Trusted Root Certification Authorities certificate store causes issues with some third-party software.


This issue is resolved with the following releases which are all available on the Product Download site. The products listed below include Syscore 15.6, which will not incur the problem.

The product releases that include Syscore 15.6 are:
  • ENS 10.2.1 (and 10.2.0 Hotfix 1164434). For the latest release, see KB82761.
  • Host IPS 8.0 Patch 9. For the latest release, see KB70778.
  • VSE 8.8.0 Patch 9. For the latest release, see KB51111.
McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.


Other options for moving the improperly placed certificates from the Trusted Root Certification Authorities certificate store to the Intermediate Certification Authorities:
  • Locally (manually)
  • Use an Active Directory group policy (for large-scale deployment)

Rate this document

Glossary of Technical Terms

 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.