"The digital signature on the installer has failed a verification check" error when installing vCenter Server 6.0
book
Article ID: 316531
calendar_today
Updated On:
Products
VMware vCenter ServerVMware vSphere ESXi
Issue/Introduction
Symptoms:
Installing vCenter Server 6.0 you see one of these errors:
The digital signature on file vmware-vcenter-server.msi can not be verified
The digital signature on the installer has failed a verification check. The install can not continue. This may indicate that the installer has been modified or corrupted and a new copy needs to be obtained.
Environment
VMware vSphere ESXi 6.0 VMware vCenter Server 6.0.x
Resolution
You already verified the following:
The Windows Server has Internet connection and can automatically update its Roots Certificates.
The "VeriSign" CA Root Certificate of the Digital Signature of the vCenter installer is already added to Trusted Root Certification Authorities on the Windows Server in which you are installing vCenter Server.
The "Starfield Technologies Inc" Root CA Certificate of the countersignature of the Digital Signature of the vCenter installer is already added to Trusted Root Certification Authorities on the Windows Server in which you are installing vCenter Server.
The Internet Explorer security setting “Check for publisher’s certificate Revocation” and “Check for signatures on downloaded programs.” are unchecked.
Its respective registry State "entry" is set to 23e00 (Unchecked) in order to modify it:
Start Registry Editor (Regedit.exe)
Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing.
On the left side pane look for State key and double click to open it.
Change the Value data to 23e00 (Hexadecimal).
Quit Registry Editor.
Notes:
Ensure to try all of the above mentioned steps. If after verifying all those processes you are still getting the same issue, proceed as follows:
Disable the OS setting (which is required by DoD security) "Turn off Automatic Root Certificate Update". By disabling this your computer will contact the Windows Update website to see if Microsoft has added the CA to its list of trusted authorities.
This change should be done by the customer and under his own risk, nevertheless, if you would like to check if the setting is enabled you can go to Local Computer Policy/Administrative Templates/System/Internet Communication Management/Internet Communication Settings.