Host Package Uploads Fail or Policy Installers Generation Disabled due to Certificate Validation Error

Article ID: 286605

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

  • Host Package Installer uploads in the console are failing
  • Package Generation gets disabled immediately after uploading a new Host Package Installer
  • Air-gapped or otherwise limited Internet access prevents successful certificate chain validation
  • ServerLog.bt9 entries similar to:
    (6516 PackageGeneration) SignatureQuery::ValidateCertificate: File[C:\Program Files (x86)\Bit9\Parity Server\hostpkg\ParityHostAgent.msi] did not pass verification Error[800B010A] Chain[0] Element[-1]
    (6516 PackageGeneration) SignatureQuery::ValidateCertificateOnFile: File[C:\Program Files (x86)\Bit9\Parity Server\hostpkg\ParityHostAgent.msi] did not match certificate Error[800B010A]
    (6516 PackageGeneration) TestParityHostFile certificate validation failed: 0x800B010A
    (6516 PackageGeneration) Deleted invalid host package file C:\Program Files (x86)\Bit9\Parity Server\hostpkg\ParityHostAgent.msi
    ...
    (6516 PackageGeneration) TestParityHostFile cannot open C:\Program Files (x86)\Bit9\Parity Server\hostpkg\ParityHostAgent.msi, error: 2
    (6516 PackageGeneration) HostGroupStorage::GenerateWindowsPackages: Host files not correctly signed, turning off package generation
    

Environment

  • App Control Server: 8.7.8+

Cause

The application server cannot validate the host package signing certificates because the relevant Root and Intermediate certificates are missing from the Trusted Root Certification Authorities store in the Local Machine certificate store.

Resolution

  1. Download the attached zip of Host Package Certificates, and extract the contents
  2. Log into the application server hosting App Control with a Local Administrator account
  3. For each certificate:
    • Right click > Install Certificate
    • In the Import Wizard > Local Machine > Automatically select the cert store > Finish
  4. After the import completes for all certificates: 
  5. Verify Host Package Generation remains enabled
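
One way to check the import from the server itself, as an added example (not code from this article or from the vendor): the script reads the Authenticode signature of a signed file and builds the signer and timestamp certificate chains against the Local Machine stores, which is where error 800B010A (CERT_E_CHAINING, a chain could not be built to a trusted root) originates. `$Path` and the function name `Get-SignerChainReport` are assumptions, and revocation checking is deliberately skipped.

```powershell
# Added example (not vendor code). $Path is a placeholder for a local copy of
# the signed file named in the ServerLog.bt9 entries.
param([Parameter(Mandatory)][string]$Path)

function Get-SignerChainReport {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Role
    )
    if (-not $Certificate) { return }   # e.g. no timestamp countersignature

    # $true = machine context, so certificates in the current user's stores
    # cannot mask ones that are missing from the Local Machine stores.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    # Assumption: revocation is skipped to separate "issuer missing" from
    # "CRL/OCSP unreachable" on a host with limited Internet access.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($Certificate)

    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    [pscustomobject]@{
        Role        = $Role
        ChainBuilt  = $built
        # PartialChain or UntrustedRoot points at a missing issuer or root.
        ChainStatus = if ($status) { $status } else { 'NoError' }
        Elements    = @($chain.ChainElements | ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Certificate.Subject
                Thumbprint = $_.Certificate.Thumbprint
                NotAfter   = $_.Certificate.NotAfter
            }
        })
    }
}

$sig = Get-AuthenticodeSignature -LiteralPath $Path
'Authenticode status: {0} ({1})' -f $sig.Status, $sig.StatusMessage

$reports = @(
    Get-SignerChainReport -Certificate $sig.SignerCertificate -Role 'Signer'
    Get-SignerChainReport -Certificate $sig.TimeStamperCertificate -Role 'Timestamp'
)
foreach ($report in $reports) {
    '{0}: chain built = {1}; chain status = {2}' -f $report.Role, $report.ChainBuilt, $report.ChainStatus
    $report.Elements | Format-Table -AutoSize -Wrap | Out-String
}
if ($sig.Status -ne 'Valid') { exit 1 }
```

A `ChainBuilt` value of `False` with `PartialChain` or `UntrustedRoot` means an issuer of the last listed element is still absent from the Local Machine stores.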

Additional Information

If the certificates used for the Host Package Installers change in the future, the process may need to be repeated.

Attachments

HPI-Certificates-Bundle-070924.zip