FailureId[990] Untrusted Server Certificate Issuer
search cancel

FailureId[990] Untrusted Server Certificate Issuer


Article ID: 286556


Updated On:


Carbon Black App Control (formerly Cb Protection)


  • Agent Disconnected
  • Trace.bt9 log (created in high debugging) shows similar to:
    2024-05-20T12:53:21-03:00 130744302 (0EA0) - HealthCheckContext::AddFailure: Health Check Failure Severity[High]: Untrusted server certificate. Issuer [<IssuerHere>], Serial Number [<SerialNumberHere>]
    2024-05-20T12:53:21-03:00 130744302 (0EA0) - Event String[2637] Subtype[447] Params[Untrusted server certificate. Issuer [<IssuerHere>], Serial Number [SerialNumberHere]][Options[00000003] TotalFailures[8]][990] File[] Process[ (4294967295)] User[] CLVer[156157] RuleId[0] CalculatedTime[133605651641395727] State[00000000]
  • Agent is failing Health Checks with:
    Carbon Black App Control Agent detected a problem: Untrusted server certificate Issuer [CERTIFICATE AUTHORITY], Serial Number [SERIAL] .... FailureId[990]


  • App Control Server: All Supported Versions
  • App Control Agent: All Supported Versions


The current App Control Server Certificate is not Trusted in the Trusted Communication Certificates list, or the certificate is not trusted by the Operating System.


  1. Manually run a Health Check to verify the failure persists.
  2. Verify the Resource Download Location (RDL) specified is correct and traffic is not blocked by the firewall.
    1. If using an Alternate RDL, verify the updated TrustedCertList.pem file has been copied accordingly.
    2. Verify the certificate bound to Port 443 on the RDL is valid. If necessary, import and bind a valid certificate.
  3. Log in to the Console and navigate to System Configuration > Security.
    1. Note the Thumbprint listed in the Current Server Certificate Details.
    2. Scroll down and verify the same Thumbprint is Trusted in the Trusted Communication Certificates.
    3. If the Thumbprint is not listed, import the Public Key version of the certificate.
  4. If still experiencing issues:
    1. Manually import the certificate on the endpoint.
    2. Manually import the updated TrustedCertList.pem

Additional Information

  • SSL Inspection on port 41002 can prevent an otherwise Trusted Certificate from being validated against the App Control Server.
  • If the Trusted Communication Certificates list is not visible, refer to:
  • If the issue persists, please open a case with Support.