Manually Approve Counter Chain Certificates

Article ID: 286532

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

This document provides steps for manually approving counter chain certificates that fail validation with a CERT_TRUST_IS_PARTIAL_CHAIN or CERT_TRUST_IS_NOT_SIGNATURE_VALID error. Use it when a publisher is approved but its files still generate block events similar to:

Publisher[Microsoft (IneligibleForApproval: CounterChainIdx[1] CertId[123] ValidationError[...CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_NOT_SIGNATURE_VALID:CERT_TRUST_IS_OFFLINE_REVOCATION...

Publisher[Microsoft Corporation (IneligibleForApproval: CounterChainIdx[1] CertId[499] 
ValidationError[01000048:CERT_TRUST_IS_NOT_SIGNATURE_VALID:CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_OFFLINE_REVOCATION])]
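
As an added example (not part of the original article or of the product), this Python sketch parses block event descriptions in the format shown above and groups them by CertId, so each counter chain certificate is reviewed once before any manual approval. The regular expression is inferred from the two sample events on this page; the field layout in other agent versions is an assumption.

```python
import re
from collections import defaultdict

# Pattern inferred from the two sample events on this page (assumption).
EVENT_RE = re.compile(
    r"Publisher\[(?P<publisher>.+?)\s*\(IneligibleForApproval:\s*"
    r"CounterChainIdx\[(?P<idx>\d+)\]\s*CertId\[(?P<cert_id>\d+)\]\s*"
    r"ValidationError\[(?P<errors>[^\]]*)", re.DOTALL)
FLAG_RE = re.compile(r"CERT_TRUST_[A-Z_]+")
# The two errors this article's procedure is written for.
ARTICLE_FLAGS = {"CERT_TRUST_IS_PARTIAL_CHAIN", "CERT_TRUST_IS_NOT_SIGNATURE_VALID"}

def parse_block_event(text):
    """Return publisher, counter chain index, cert id and CERT_TRUST_* flags, or None."""
    m = EVENT_RE.search(text)
    if not m:
        return None
    flags = FLAG_RE.findall(m.group("errors"))
    return {
        "publisher": m.group("publisher").strip(),
        "counter_chain_idx": int(m.group("idx")),
        "cert_id": int(m.group("cert_id")),
        "flags": flags,
        "matches_article": bool(ARTICLE_FLAGS & set(flags)),
    }

def group_by_cert(events):
    """Map cert id -> set of flags seen across all events that reference it."""
    grouped = defaultdict(set)
    for text in events:
        parsed = parse_block_event(text)
        if parsed:
            grouped[parsed["cert_id"]].update(parsed["flags"])
    return dict(grouped)

# The two event descriptions shown above (the first is truncated on the page).
SAMPLE_EVENTS = [
    "Publisher[Microsoft (IneligibleForApproval: CounterChainIdx[1] CertId[123] "
    "ValidationError[...CERT_TRUST_IS_PARTIAL_CHAIN:CERT_TRUST_IS_NOT_SIGNATURE_VALID:"
    "CERT_TRUST_IS_OFFLINE_REVOCATION...",
    "Publisher[Microsoft Corporation (IneligibleForApproval: CounterChainIdx[1] CertId[499] \n"
    "ValidationError[01000048:CERT_TRUST_IS_NOT_SIGNATURE_VALID:"
    "CERT_TRUST_REVOCATION_STATUS_UNKNOWN:CERT_TRUST_IS_OFFLINE_REVOCATION])]",
]

if __name__ == "__main__":
    for cert_id, flags in sorted(group_by_cert(SAMPLE_EVENTS).items()):
        print(cert_id, sorted(flags))
```

Events that carry only revocation flags (for example CERT_TRUST_IS_OFFLINE_REVOCATION) come back with `matches_article` set to false and are better handled by fixing revocation checking than by the approval steps below.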

Environment

  • App Control Console:  All Supported Versions
  • Microsoft SQL Server: All Supported Versions

Cause

  • The App Control Agent must validate both the Code Signing (File Publisher) certificate and the Counter Signature (Timestamping) certificate before a file can be approved by Publisher.
  • Validation is performed by querying the Windows Cryptographic API, which can return errors for many reasons.

Resolution

Note: These steps bypass the certificate validation process. These steps are not a recommendation, but an option for situations where correcting the root cause is not desired or possible. 


Server 8.10.0+

  1. Click the File Hash in the Description of the Block Event.
  2. From the File Details page > File Properties > click the Certificate shown in Countersigner Certificate.
  3. Copy the Thumbprint shown (Example: 8d45082f8a6e5ab1b2526844050e874f26d91c0c)
  4. Click the Publisher name.
  5. Expand All Certificates For This Publisher
  6. Click Show Filters > Thumbprint > is: <paste the Thumbprint>
  7. Check the box > Action > Approve Certificate(s)


Server 8.9.6 and below:

  1. Log in to the application server hosting the App Control Console as the Carbon Black Service Account.
  2. Launch SQL Server Management Studio and, using the SHA256 hash from the Block Event, execute the following query (replacing 'SHA256HERE' with the actual hash):
    use das;
    -- Look up the countersigner (timestamp) certificate recorded for the blocked file
    select publisher_id, subject_name, serial_number, thumbprint, valid_from, valid_to from dbo.certificates with (nolock)
    where cert_id in (select timestamp_cert_id from dbo.antibodies with (nolock) where hash = 'SHA256HERE');
  3. This should return a single row containing the Publisher ID and information for the certificate that caused the block event.
  4. Using the publisher_id returned, update the following URL (replacing XXXX with the publisher_id) and then navigate to it:
    https://ServerAddress/publisher-details.php?publisher_id=XXXX
  5. On the Publisher Details page, expand All Certificates and search for the certificate using the information from Step 2.
  6. Select the checkbox of the certificate > Action > Approve Certificates

Additional Information