Unified Agent or Web Security Service (WSS) Agent shows expired Entrust certificate causing UA or WSS Agent to go into tamper mode.
From the diagnostic log on a workstation that is having an issue:
Error: Server's certificate failed validation at depth: 2, CN = Entrust.net Certification Authority (2048), error = certificate has expired
The following components are involved:
On systems that have the issue described in the error message above, either only the old certificate is present, or two Entrust.net certificates are present. If two certificates are present, they are generally the expired Entrust.net root CA certificate (expired December 24, 2019) and the valid Entrust.net root CA certificate that expires on July 24, 2029.
On the affected machines it appears the expired certificate is the one being used. The old root CA certificate is left on the operating system for compatibility reasons.
(Verified by Microsoft and Apple)
"The older certificate is kept for some time for compatibility with leaf certificates off of that root CA" - Apple Support
Unified Agent and WSS Agent both use OpenSSL to validate the server certificate. For workstations that have both certificates installed, it is confirmed that certificate ordering in the trust store can affect success or failure. On OSes where the expired certificate is first (such as macOS Mojave), the failure occurs. On OSes where the valid certificate is first (such as macOS Catalina), there is no validation failure.
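A quick way to triage a workstation for the condition described above is to walk the CA certificates in the same order OpenSSL loads them and flag any subject whose first entry is expired while a later entry with the same subject is still valid. The script below is an added example, not part of this article or of the agent's code; it uses only Python's standard `ssl` module, the store layout and times in the sample are constructed from the dates in this article, and the function names are the author's own.

```python
import ssl
import time

# Subject tuples in the shape returned by ssl.SSLContext.get_ca_certs().
ENTRUST_2048 = (
    (("organizationName", "Entrust.net"),),
    (("commonName", "Entrust.net Certification Authority (2048)"),),
)

# Constructed sample store: expired root listed first, as on macOS Mojave.
# Only the dates come from the article; times and serials are illustrative.
MOJAVE_STYLE_STORE = [
    {"subject": ENTRUST_2048, "notAfter": "Dec 24 00:00:00 2019 GMT", "serialNumber": "SAMPLE-OLD"},
    {"subject": ENTRUST_2048, "notAfter": "Jul 24 00:00:00 2029 GMT", "serialNumber": "SAMPLE-NEW"},
]
# Constructed reference clocks: after the old root expired, and before it did.
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan 01 00:00:00 2020 GMT")
BEFORE_EXPIRY = ssl.cert_time_to_seconds("Jan 01 00:00:00 2019 GMT")

def common_name(subject):
    for rdn in subject:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def expired_roots(ca_certs, now=None):
    """CNs of every CA certificate whose notAfter is already in the past."""
    now = time.time() if now is None else now
    return [common_name(c["subject"]) for c in ca_certs
            if ssl.cert_time_to_seconds(c["notAfter"]) < now]

def shadowed_roots(ca_certs, now=None):
    """CNs where an expired CA precedes a still-valid CA with the same subject.
    This is the ordering the article ties to the 'certificate has expired' failure."""
    now = time.time() if now is None else now
    first_is_expired = {}
    findings = []
    for cert in ca_certs:
        subject = cert["subject"]
        expired = ssl.cert_time_to_seconds(cert["notAfter"]) < now
        if subject not in first_is_expired:
            first_is_expired[subject] = expired
        elif first_is_expired[subject] and not expired:
            findings.append(common_name(subject))
    return findings

def check_system_store(now=None):
    """Run the same checks against the CA certificates OpenSSL loads on this host."""
    ctx = ssl.create_default_context()
    ctx.load_default_certs()
    return expired_roots(ctx.get_ca_certs(), now), shadowed_roots(ctx.get_ca_certs(), now)

if __name__ == "__main__":
    print(shadowed_roots(MOJAVE_STYLE_STORE, now=SAMPLE_NOW))
    print(check_system_store())
```

Reversing the sample list reproduces the Catalina ordering and yields no finding, while the store still reports the expired root on its own.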
The following solutions are available:
Windows OS
NOTE: Certificate removal can be done via GPO.
macOS Mojave
The following options are available:
WORKAROUND:
If an immediate solution is needed and the above solutions require additional time to implement, disabling Tamper Detection will allow UA/WSSA to operate in a fail-open state. To disable tamper detection, log in to the WSS portal and go to Service mode > Mobility > WSS Agent > Disable tamper protection, and make sure the box is checked so that tamper detection is disabled. UA/WSSA may need to be reconnected or the workstation rebooted for this setting to take effect.