
Certificate errors in Final GUI window during fresh install of CCS 12.0 or 12.5


Article ID: 174102


Updated On:


Control Compliance Suite Windows


During a fresh (non-upgrade) installation of Control Compliance Suite 12.0 or 12.5, the installation appears to progress, but the FINISH page at the end shows an error about not being able to create certificates.

In the %programdata%\symantec.csm\logs\installs folder on the application server, you will find a log named "Installlog_ManagementServices.csi.<date and PID stamp>.csv".

In this file you will find several instances of messages like the following:


<ServerName>,Error,*LocalInstall,CSIExec,3052,,8,Instance_OnMessage,,0,0,"      Error occurred while generating self-signed certificate : System.ApplicationException: An error occurred while creating certificate.
   at Symantec.CSM.ManagementServices.LocalInstall.RootCertificate.CreateAndInstallRootCertificate(OpenSSLConfig selfCSR, OpenSSLConfig certificateConfiguration, String rootCertificatePassword, String adamServer)"
2019-03-18 14:33:55.666,2019-03-18 11:33:55.666,<ServerName>,Verbose,*LocalInstall,CSIExec,3052,,8,Instance_OnMessage,,0,0,   Leaving RootCertificate.CreateAndInstallRootCertificate




Fresh installation of CCS 12.0 or 12.5



This is a defect in the installer that occurs when FIPS is enabled in the local security policy. The installer cannot create the certificates and the installation fails.



This defect is being worked on by Symantec development and a fix should be available soon. Please check with Symantec support to find out whether it is available before attempting the workaround below.

Temporary Workaround:

As this is a fresh installation attempt, it is suggested that the machine be reimaged, as there will be multiple entries in the registry left by the aborted installation. These cannot be easily cleaned up, and there is no CCS product to remove in the Program Features of the OS because the installer did not write the uninstall information in the registry.

Once a new image is available, temporarily disable FIPS in the application server's local security policy and then reboot. The installation should proceed normally. Once fully installed and configured (including the creation of any CCS Manager certificates for remote managers), FIPS can be re-enabled.

NOTE: If this setting is being enforced by a GPO, work with your AD administrators to exempt your application server from the enforced setting until your configuration is complete.

WARNING: FIPS must be disabled in the local security policy (which involves a reboot) before any new certificates can be created. The Certificate Management Console program, used to create new certificates, will not allow access while FIPS is enabled.
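
A read-only pre-flight and triage check for the condition described above, as an added example that is not part of the original article or of Symantec's tooling. It assumes the standard Windows registry location of the FIPS policy (not given in the article); the function names are hypothetical, and the log folder, file name pattern and error text are taken from the article.

```powershell
# Added example: check FIPS state before a CCS install and look for the
# certificate-creation error in existing install logs. Reads only; changes nothing.

# Standard Windows location of the FIPS policy value (assumption: not from the article).
$FipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-FipsPolicyState {
    # Returns $true when the policy value "Enabled" is 1; a missing value counts as off.
    $item = Get-ItemProperty -Path $FipsKey -Name Enabled -ErrorAction SilentlyContinue
    return [bool](($null -ne $item) -and ($item.Enabled -eq 1))
}

function Find-CcsCertificateErrors {
    param(
        # Log folder and file name pattern as given in the article.
        [string]$LogDir = (Join-Path $env:ProgramData 'symantec.csm\logs\installs')
    )
    if (-not (Test-Path -Path $LogDir)) { return @() }
    Get-ChildItem -Path $LogDir -Filter 'Installlog_ManagementServices.csi.*.csv' |
        Select-String -SimpleMatch 'Error occurred while generating self-signed certificate' |
        Select-Object Filename, LineNumber
}

$fipsEnabled = Get-FipsPolicyState
$hits = @(Find-CcsCertificateErrors)

if ($fipsEnabled) {
    Write-Warning 'FIPS is enabled in the security policy. A fresh CCS 12.0/12.5 install is expected to fail at certificate creation.'
} else {
    Write-Output 'FIPS is not enabled. The installer defect described here should not apply.'
}

if ($hits.Count -gt 0) {
    Write-Warning "Found $($hits.Count) certificate-creation error(s) from a previous install attempt:"
    $hits | Format-Table -AutoSize
    Write-Output 'A prior aborted install leaves registry entries behind; the article suggests reimaging before retrying.'
} else {
    Write-Output 'No certificate-creation errors found in existing CCS install logs.'
}
```

Run it again after the reboot that follows the policy change: if a GPO still enforces the setting, the value will read as enabled again.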