Sensor Install Error: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.

Article ID: 292125

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

  • Sensor fails to install on endpoint
  • Unattended install being performed outside C:\Temp
  • Correct traffic/communications are allowed through any Proxy/Firewall in place
  • No SSL inspection being performed by Proxy/Firewall
  • CRL checking disabled at install (CURL_CRL_CHECK=0)
  • Installer/MSI log shows errors registering
    CA:InstallPreCheck: Register failed. Please make sure your network is connected and provide a correct register code.
    CA:InstallPreCheck: Error 0x80004005: Failed to register.
    CDeviceRegistration::Register: We couldn't connect to the cloud due to an untrusted connection. The certificate chain was issued by an authority that is not trusted.
    
  • confer-temp.log file shows certificate error
    http: schannel: next InitializeSecurityContext failed: SEC_E_UNTRUSTED_ROOT (0x80090325) - The certificate chain was issued by an authority that is not trusted.
  • Error code popup during install
    We couldn't connect to the cloud due to an untrusted connection. The certificate chain was issued by an authority that is not trusted.

Environment

  • Carbon Black Cloud Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Cause

  • "Turn off Automatic Root Certificates Update" GPO is set to Enabled
  • DigiCert signing certificates removed from local machine certificate store

Resolution

  1. Press ⊞Win + R
  2. Type certlm.msc and hit Enter
  3. Go to 'Trusted Root Certification Authorities' > 'Certificates'
  4. Click into the 'Issued To' column and begin typing 'DigiCert'
  5. There should be two DigiCert certificates:
    • DigiCert TLS RSA SHA256 2020 CA1
    • DigiCert Global Root CA
  6. If the DigiCert certificates are not in the local machine certificate store, re-add them before attempting the install
    Main link: https://knowledge.digicert.com/general-information/digicert-trusted-root-authority-certificates
    
    Certs to install locally:
    
    DigiCert TLS RSA SHA256 2020 CA1
    Serial #: 06d8d904d5584346f68a2fa754227ec4
    
    DigiCert Global Root CA
    Serial #: 083be056904246b1a1756ac95991c74a
  7. If the problem remains, open a technical support case
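
The check in steps 1-6 and the GPO cause can also be verified from an elevated PowerShell session. This is an added example, not vendor code: it looks up the two serial numbers listed above and reads the registry value that the "Turn off Automatic Root Certificates Update" policy writes. Searching the Intermediate Certification Authorities store in addition to Trusted Root is an assumption of this example.

```powershell
# Added example, not vendor code. Run in an elevated PowerShell session.
# Serial numbers are the two listed in the Resolution section.
$expected = @(
    @{ Name = 'DigiCert TLS RSA SHA256 2020 CA1'; Serial = '06d8d904d5584346f68a2fa754227ec4' }
    @{ Name = 'DigiCert Global Root CA';          Serial = '083be056904246b1a1756ac95991c74a' }
)

# Root is the store the certlm.msc steps open. Searching CA (Intermediate
# Certification Authorities) as well is an assumption of this example, so a
# certificate that sits in the other store is reported instead of missed.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'

$report = foreach ($want in $expected) {
    $found = foreach ($store in $stores) {
        Get-ChildItem -Path $store |
            Where-Object { $_.SerialNumber -eq $want.Serial } |   # -eq ignores case
            Select-Object @{ n = 'Store'; e = { $store } }, NotAfter, Thumbprint
    }
    [pscustomobject]@{
        Certificate = $want.Name
        Serial      = $want.Serial
        Present     = [bool]$found
        Stores      = ($found.Store -join ', ')
        Expired     = [bool]($found | Where-Object { $_.NotAfter -lt (Get-Date) })
    }
}
$report | Format-Table -AutoSize

# Registry value written by the "Turn off Automatic Root Certificates Update"
# Group Policy setting (1 = automatic root updates are turned off).
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisableRootAutoUpdate
$autoUpdateOff = ($val -eq 1)
"Automatic root certificate update turned off by policy: $autoUpdateOff"

# Non-zero exit lets a deployment script stop before it launches the installer.
$missing = @($report | Where-Object { -not $_.Present })
if ($missing.Count -gt 0) {
    Write-Warning ("Missing: " + ($missing.Certificate -join '; ') +
                   ". Re-add before installing the sensor.")
    exit 1
}
```

Because the script exits with code 1 when either certificate is absent, an unattended deployment can run it as a pre-install gate.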