Publisher or Certificate details missing in the console due to a Certificate loop


Article ID: 285868


Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • Missing Publishers that the agents report events for in the web console
  • Publishers don't have any certificates associated with them or are missing recent ones

Environment

  • App Control Server: All Supported Versions

Cause

  • All certificates must be validated by the App Control server before Publisher or Certificate details are displayed in the console.
  • The App Control server queries Windows CryptoAPI (CAPI) for the certificate details, including all parent certificates used to build the chain.
  • Windows CAPI reaches out to the internet and makes an OCSP call to a URL embedded in the certificate itself to collect information.
  • Windows CAPI then sends back all the information about this certificate, including the publisher name and all the parent certificates making up the chain.
  • In very rare situations Windows CryptoAPI (CAPI) will report a parent certificate that points to its child certificate as its parent, resulting in a certificate validation loop.
  • When a loop occurs, the App Control server will stop validating certificates, and this could result in a backlog of unprocessed Publisher and Certificate information.

Resolution

  1. Open SQL Management Studio as the service account and run:
      • use das; exec dbo.GetNextCertificateBatchToValidate
  2. Screenshot or save a copy of the returned results
  3. Wait 5 minutes
  4. Run the script again:
      • use das; exec dbo.GetNextCertificateBatchToValidate
  5. If the list of cert_id values is the same, the App Control server is likely in a certificate loop
  6. Please open a support case and provide the output of the 2 SQL executions
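
The two runs and the comparison in steps 1 to 5 can also be scripted. The PowerShell below is an added example, not vendor-supplied code: it runs the same statement twice with the 5-minute wait, saves each result set to CSV for the support case, and compares the cert_id lists. It assumes the SqlServer PowerShell module (`Invoke-Sqlcmd`) is installed, that it is run as the service account, and that the result set exposes a column named `cert_id`; the server instance value and output folder are placeholders.

```powershell
# Added example, not vendor code. Run as the App Control service account.
param(
    [string]$ServerInstance = '<sql-server-instance>',  # placeholder, set to your instance
    [int]$WaitSeconds = 300,                             # step 3: wait 5 minutes
    [string]$OutDir = (Join-Path $env:TEMP 'certbatch')  # hypothetical output folder
)
Import-Module SqlServer -ErrorAction Stop                # provides Invoke-Sqlcmd
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Get-CertBatch {
    param([string]$Label)
    # Same statement as in the steps above, against the das database.
    $rows = @(Invoke-Sqlcmd -ServerInstance $ServerInstance -Database 'das' `
        -Query 'exec dbo.GetNextCertificateBatchToValidate' -ErrorAction Stop)
    $file = Join-Path $OutDir ('batch-{0}-{1:yyyyMMdd-HHmmss}.csv' -f $Label, (Get-Date))
    if ($rows.Count -gt 0) {
        # Drop the DataRow bookkeeping properties so the CSV holds only result columns.
        $rows | Select-Object * -ExcludeProperty RowError, RowState, Table, ItemArray, HasErrors |
            Export-Csv -Path $file -NoTypeInformation
    }
    [pscustomobject]@{
        File = $file
        # Assumption: the result set has a column named cert_id.
        Ids  = @($rows | ForEach-Object { $_.cert_id } | Sort-Object -Unique)
    }
}

$first = Get-CertBatch -Label 'run1'
Start-Sleep -Seconds $WaitSeconds
$second = Get-CertBatch -Label 'run2'

if ($first.Ids.Count -eq 0 -and $second.Ids.Count -eq 0) {
    Write-Output 'Both runs returned no rows, so there is nothing to compare.'
} elseif (($first.Ids -join ',') -eq ($second.Ids -join ',')) {
    Write-Output 'Same cert_id list in both runs: the server is likely in a certificate loop.'
    Write-Output "Attach to the support case: $($first.File), $($second.File)"
} else {
    # Report overlap only; the steps above treat an identical list as the loop signal.
    $stuck = @($first.Ids | Where-Object { $second.Ids -contains $_ })
    Write-Output "Batch changed between runs; $($stuck.Count) cert_id value(s) appear in both."
}
```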