Enterprise Vault FSA Agent fails to install with 'Signature verification failed' error, if you do not have up-to-date root certificates

Article:TECH179712  |  Created: 2012-01-24  |  Updated: 2014-12-19  |  Article URL http://www.symantec.com/docs/TECH179712
Article Type
Technical Solution


Issue



FSA Agent installation fails if you do not have up-to-date root certificates on the target computer. The FSA Agent installation log indicates that signature verification failed while checking the integrity of the driver package. 


Error



To verify that you have this problem, check for the error in the installation log as follows:

  • If you are installing the FSA Agent from an Enterprise Vault Administration Console, view the installation log from the FSA Agent remote installation wizard.
  • If you perform a manual installation of the FSA Agent, enable verbose logging on the target computer when you run the MSI file, as follows:

    msiexec /I "enterprise vault file system archiving.msi" /l *v /log output.log

 

If you have this problem, the installation log contains the following:
 

DIFXAPP: INFO: ENTER: DriverPackageInstallW 
DIFXAPP: INFO: evmf.inf: checking signature with catalog 'C:\Program Files\Enterprise Vault\drivers\evmf.cat' ...
DIFXAPP: ERROR: Signature verification failed while checking integrity of driver package 'evmf.inf' ('C:\Program Files\Enterprise Vault\drivers\evmf.inf'). (Error code 0x800B0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.)
DIFXAPP: INFO: Successfully removed {9BBEE86F-666A-4735-A1CF-2847669D3CEE} from reference list of driver store entry
DIFXAPP: INFO: RETURN: DriverPackageInstallW (0x800B0100)
DIFXAPP: ERROR encountered while installing driver package C:\Program Files\Enterprise Vault\drivers\evmf.inf
DIFXAPP: InstallDriverPackages failed with error 0x800B0100
Action ended 12:55:27: InstallFinalize. Return value 3.
Action 12:55:27: Rollback. Rolling back action:
Rollback: MsiInstallDrivers
Rollback: MsiRollbackInstall
DIFXAPP: RollbackInstall
 


Cause



This error can occur if the root certificates on the target computer are out of date.

From version 9.0 SP2 Enterprise Vault adopted a new digital certificate for signing files. This certificate's root certificate is:

VeriSign Class 3 Public Primary Certification Authority - G5

Most systems that have an internet connection get the new root certificate from an automatic update, but if the update fails to occur you will get the error described. For example, if a file server has no connection to the internet it cannot receive the automatic update.

You can confirm that you have this issue by checking the properties of the FSA Agent MSI package on the target computer, as follows.

Note: You must perform this check on the target computer (file server).

  1. In Windows Explorer, right-click the MSI file, and choose Properties.
     
  2. Click the Digital Signatures tab, select the Symantec signature, and then click Details:

 

 

  1. Click View Certificate and select the Certification Path tab.  With VeriSign Class 3 Public Primary Certification Authority -G5 selected in the certification path, look at the certificate status. If you have this issue, the status indicates that the issuer of the certificate could not be found:

 

More information is about this issue is available in this Symantec Connect blog:

http://www.symantec.com/connect/blogs/enterprise-vault-fsa-agent-903-and-later-installation-may-fail-signature-verification-error


Workaround

To resolve this issue you must download the updated root certificate from VeriSign, and then install it in the Trusted Root Certification Authorities certificate store on the file server. Follow these steps:

  1. Go to the following VeriSign web page:  http://www.verisign.com/support/roots.html.
  2. Scroll down to VeriSign Class 3 Primary CA -G5.
  3. Right-click Download Root Now, and select Save As.  Save the file with type .pem, as PCA-3G5.pem.
  4. Move the certificate file to the target computer (file server) if necessary.
  5. On the target computer, run the Microsoft Management Console, mmc.exe.
  6. From the File menu, select Add/Remove Snap-In.
  7. Add the Certificates snap in, using the following options:
  • Select "Computer account" as the account to be managed.
  • Select "Local computer" as the computer to be managed.
  1. In the left pane of the MMC, expand Certificates > Trusted Root Certification Authorities > Certificates.
  2. Right click Certificates and select All Tasks > Import.
  3. In the Certificate Import wizard, specify the path to the PCA-3G5.pem file, and complete the wizard to install the certificate.

To confirm success, check the MSI file's properties again on the target computer. The certificate status of the Verisign Class 3 Public Primary Certification Authority -G5 should now show as "This certificate is OK".

For more information about obtaining certificates, see the following Microsoft article: http://support.microsoft.com/kb/931125.


Solution



This issue has been addressed as part of the following release:

Enterprise Vault 10.0.1 - Release Details
http://www.symantec.com/docs/TECH147787
 


Supplemental Materials

SourceETrack
Value2569176
Description

AUTO:Unable to install PUSH agent on SMTP target as the root certificates are out of date.




Article URL http://www.symantec.com/docs/TECH179712


Terms of use for this information are found in Legal Notices