Unified Agent or Web Security Service (WSS) Agent Certificate showing expired Entrust certificate

Article ID: 184825


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Unified Agent (UA) or Web Security Service Agent (WSSA) reports an expired Entrust root certificate, and the agent goes into tamper mode.

From the diagnostic log of an affected workstation (depth 2 is the root of the chain, so the complaint is about the trust anchor on the workstation, not about the service's own certificate):

Error:  Server's certificate failed validation at depth: 2, CN = Entrust.net Certification Authority (2048), error = certificate has expired

 

Environment

The following components are involved:

  • Operating System
    • macOS Mojave (other versions of macOS appear to be fine)
    • Windows
  • Client version
    • All versions of Unified Agent
    • WSSA version 5.1.1
  • Certificate:  the Entrust.net Certification Authority (2048) root CA copy that expired on December 24, 2019

 

Cause

On affected systems, either only the old certificate is present, or two Entrust.net Certification Authority (2048) root certificates are present. When two are present, they are generally the copy that expired on December 24, 2019 and the current copy that expires on July 24, 2029. The two copies carry the same subject name and the same public key; they differ only in serial number, validity period and fingerprint, so a lookup by subject name cannot tell them apart.

On affected machines the expired copy is the one selected during chain building. Operating system vendors leave the old root in place for compatibility.

(Verified by Microsoft and Apple) 

"The older certificate is kept for some time for compatibility with leaf certificates off of that root CA" - Apple Support


Unified Agent and WSS Agent both validate the server certificate with OpenSSL. When the trust store holds two root certificates with the same subject name, the order in which OpenSSL encounters them can decide whether validation succeeds or fails. On operating systems where the expired copy comes first (such as macOS Mojave), chain building selects it and validation fails with "certificate has expired"; where the valid copy comes first (such as macOS Catalina), validation succeeds. Newer OpenSSL releases prefer a time-valid issuer when several candidates share a subject, which is why ordering no longer matters for agent builds that ship such a release.

Resolution

The following solutions are available:

Windows OS

  • Remove the expired Entrust.net Certification Authority (2048) root certificate from the machine certificate store. First make sure the current, valid copy (expiring July 24, 2029) is installed; if it is not, install it before removing the expired one. Unified Agent / WSS Agent v5.1.1 will then build the chain to the valid root. See TECH242793 for details on how to obtain the Entrust.net root CA (the original article also links the file directly).

NOTE:  Certificate removal can be pushed to many workstations via Group Policy (GPO).
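A scripted version of the Windows steps, added here as an example; it is not part of the original article and not Broadcom's own tooling. Because both copies of the root share a subject name and public key, the script selects them by subject and then tells them apart by expiry rather than by a hard-coded thumbprint, and it refuses to delete anything from a store that does not also hold a non-expired copy. The list of stores to check (Root and AuthRoot under LocalMachine) is an assumption. Run it from an elevated session, and add -WhatIf to Remove-Item on a first run to preview.

```powershell
# Added example (not Broadcom's tooling): find the Entrust.net Certification Authority (2048)
# root copies in the machine trust stores, report them, and remove an expired copy only
# when a valid copy remains. Requires an elevated PowerShell session.

$SubjectCn = 'CN=Entrust.net Certification Authority (2048)'
# Assumption: both machine-wide root stores are worth checking.
$Stores    = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot')
$Now       = Get-Date

foreach ($Store in $Stores) {
    # The two copies share subject and public key; only validity period,
    # serial number and thumbprint differ, so classify by NotAfter.
    $Roots = @(Get-ChildItem -Path $Store | Where-Object { $_.Subject -like "*$SubjectCn*" })
    if ($Roots.Count -eq 0) { continue }

    # Report what is present before touching anything.
    $Roots |
        Select-Object @{ n = 'Store'; e = { $Store } }, Thumbprint, NotAfter,
                      @{ n = 'Expired'; e = { $_.NotAfter -le $Now } } |
        Format-Table -AutoSize

    $Valid   = @($Roots | Where-Object { $_.NotAfter -gt $Now })
    $Expired = @($Roots | Where-Object { $_.NotAfter -le $Now })

    if ($Valid.Count -eq 0) {
        # Caveat from the article: never leave the machine without the current root.
        Write-Warning "$Store holds only an expired copy. Install the current root (see TECH242793) before removing it."
        continue
    }

    foreach ($Cert in $Expired) {
        Write-Host "Removing expired root $($Cert.Thumbprint) (NotAfter $($Cert.NotAfter)) from $Store"
        Remove-Item -Path "$Store\$($Cert.Thumbprint)"
    }
}
```

The same script can be deployed as a GPO startup script. After it runs, reconnect the agent and confirm that the diagnostic log no longer shows the "failed validation at depth: 2" line.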

 

macOS Mojave

The following options are available:

  • Remove the old, expired certificate. Because of Apple System Integrity Protection (SIP) on Mojave, removing a system root certificate is an involved process: Apple article HT201314 describes how to boot macOS into Recovery mode, and the steps for deleting the certificate are at the bottom of Symantec KB article TECH242793. This option preserves the macOS version and the UA or WSSA version running on the workstation.
  • Upgrade to WSS Agent version 6.1.1. The version of OpenSSL in WSSA v6.1.1 is more robust in its handling of multiple valid/invalid root certificates with the same subject and therefore is not affected.
  • Upgrade macOS from Mojave to Catalina. NOTE:  UA has not been validated to run on Catalina; only WSSA has been validated on Catalina.

 

WORKAROUND:

If an immediate solution is needed and the options above require additional time to implement, disabling Tamper Detection lets UA/WSSA fail open: the agent allows traffic through without WSS enforcement when it cannot validate the service certificate, so treat this as temporary and re-enable tamper protection once the root store has been fixed. To disable tamper detection, log in to the WSS portal and go to Service mode > Mobility > WSS Agent > Disable tamper protection, and make sure the box is checked so that tamper detection is disabled. UA/WSSA may need to be reconnected or the workstation rebooted for the setting to take effect.