Host Package Uploads Fail or Policy Installers Generation Disabled due to Certificate Validation Error

Article ID: 286605

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • Host Package Installer uploads in the console are failing
  • Package Generation gets disabled immediately after uploading a new Host Package Installer
  • Air-gapped or otherwise limited Internet access prevents successful certificate chain validation
  • ServerLog.bt9 entries similar to:
    (6516 PackageGeneration) SignatureQuery::ValidateCertificate: File[C:\Program Files (x86)\Bit9\Parity Server\hostpkg\ParityHostAgent.msi] did not pass verification Error[800B010A] Chain[0] Element[-1]
    (6516 PackageGeneration) SignatureQuery::ValidateCertificateOnFile: File[C:\Program Files (x86)\Bit9\Parity Server\hostpkg\ParityHostAgent.msi] did not match certificate Error[800B010A]
    (6516 PackageGeneration) TestParityHostFile certificate validation failed: 0x800B010A
    (6516 PackageGeneration) Deleted invalid host package file C:\Program Files (x86)\Bit9\Parity Server\hostpkg\ParityHostAgent.msi
    ...
    (6516 PackageGeneration) TestParityHostFile cannot open C:\Program Files (x86)\Bit9\Parity Server\hostpkg\ParityHostAgent.msi, error: 2
    (6516 PackageGeneration) HostGroupStorage::GenerateWindowsPackages: Host files not correctly signed, turning off package generation
    

Environment

  • App Control Server: 8.7.8+

Cause

The application server is unable to validate the necessary certificates because the relevant Root and Intermediate certificates are missing from the Trusted Root Certification Authorities store in the Local Machine certificate store.

Resolution

  1. Download the attached zip of Host Package Certificates, and extract the contents
  2. Log into the application server hosting App Control with a Local Administrator account
  3. For each certificate:
    1. Right-click > Install Certificate
    2. In the Import Wizard > Local Machine > Place all certificates in the following store:
      Note: Choosing "Automatic" does not always place the certificates in the correct store.
      • Trusted Root Certification Authorities:
        • App Control SHA1 Root CA
        • DigiCert Assured ID Root CA
        • DigiCert Trusted Root G4
      • Intermediate Certification Authorities:
        • DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA
      • Third-Party Root Certification Authorities:
        • Sectigo RSA Code Signing CA 2
        • USERTrust RSA Certification Authority
    3. Next > Finish.
  4. After the import completes for all certificates, re-attempt to install the Rules or Agent package.
  5. Verify Host Package Generation remains enabled.
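
A read-only check for steps 3 to 5, as an added example that is not part of the original article or the product's own tooling: it confirms each certificate landed in the intended Local Machine store and asks Windows to validate the uploaded MSI. It assumes the names listed above are the certificates' subject common names; `Root`, `CA` and `AuthRoot` are the internal identifiers of the three stores in step 3, and error 800B010A in the log is CERT_E_CHAINING (no chain to a trusted root).

```powershell
# Added example: audits the stores from step 3 and changes nothing.
# Assumption: each name in the article is the subject CN of the certificate.
$expected = [ordered]@{
    'Root'     = @('App Control SHA1 Root CA',
                   'DigiCert Assured ID Root CA',
                   'DigiCert Trusted Root G4')
    'CA'       = @('DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA')
    'AuthRoot' = @('Sectigo RSA Code Signing CA 2',
                   'USERTrust RSA Certification Authority')
}

$report = foreach ($store in $expected.Keys) {
    $certs = Get-ChildItem -Path "Cert:\LocalMachine\$store"
    foreach ($name in $expected[$store]) {
        # Exact match on the subject's simple name (normally the CN);
        # if several copies exist, report the one that expires last.
        $hit = $certs |
            Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $name } |
            Sort-Object NotAfter -Descending |
            Select-Object -First 1
        [pscustomobject]@{
            Store    = $store
            Name     = $name
            Present  = [bool]$hit
            NotAfter = if ($hit) { $hit.NotAfter } else { $null }
            Expired  = if ($hit) { $hit.NotAfter -lt (Get-Date) } else { $null }
        }
    }
}
$report | Format-Table -AutoSize

# Path taken from the ServerLog.bt9 entries above. The server deletes the
# file when validation fails, so it may be absent until the next upload.
$msi = 'C:\Program Files (x86)\Bit9\Parity Server\hostpkg\ParityHostAgent.msi'
if (Test-Path -LiteralPath $msi) {
    # Windows' own Authenticode validation, independent of the server's check.
    $sig = Get-AuthenticodeSignature -FilePath $msi
    [pscustomobject]@{
        Status      = $sig.Status
        Message     = $sig.StatusMessage
        Signer      = $sig.SignerCertificate.Subject
        TimeStamper = $sig.TimeStamperCertificate.Subject
    } | Format-List
} else {
    Write-Warning "Host package not found at $msi; upload it again, then re-run."
}
```

A row with `Present` set to `False` means the certificate was imported into a different store or not at all, which is what the "Automatic" option in the Import Wizard can cause.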

Additional Information

  • If the certificates used for the Host Package Installers change in the future, the process may need to be repeated.
  • These are the steps to follow to manually install the Server SHA-1 Certificate Update for Server version 8.9.4.

Attachments

HPI-Certificates-Bundle-070924.zip