Ignore Counter Chain CERT_TRUST_IS_PARTIAL_CHAIN Certificate Errors
search cancel

Ignore Counter Chain CERT_TRUST_IS_PARTIAL_CHAIN Certificate Errors


Article ID: 288539


Updated On:


Carbon Black App Control (formerly Cb Protection)


Steps to have App Control agent(s) ignore CERT_TRUST_IS_PARTIAL_CHAIN errors on the Counter Signature Chain, and rely solely on the Certificate Chain used by the Publisher for the Code Signing Chain.

Publisher[Microsoft (IneligibleForApproval: CounterChainIdx[1] CertId[123] ValidationError[...CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_NOT_SIGNATURE_VALID:CERT_TRUST_IS_OFFLINE_REVOCATION...



  • App Control Server: All Supported Versions
  • App Control Agent: All Supported Versions


Warning: This configuration triggers a CC check on all agents at the same time which may cause performance impact. Best practice would be to apply the config to one or several policies first and then add more policies over time.
  1. Login to the Console and navigate to: https://YourServerAddress/agent_config.php
  2. Choose: Show Filters > Add Filter > Value > contains: ignore_partial_chain_on_countersignatures
  3. Click the pencil icon on the resulting Agent Config and change the Value to: ignore_partial_chain_on_countersignatures=1
  4. Click Save
  5. Allow the agents some time to receive the updated CL Version and to run a CC check to approve the files that were previously signed by trusted publisher, but their approvals failed due to countersignature error

Additional Information

  • Additional information on this subject can be found here:
  • Although this setting is not recommend, it's been created to help facilitate Publisher Approvals in environments where the Counter Certificate Chain is incomplete and can not easily be fixed.
  • In order to maintain the highest security posture, Carbon Black strongly recommends pushing out the missing certificates in the chain.
  • This Agent Config was made available with the release of Server & Agent version 8.1.4.