A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Article:TECH182437  |  Created: 2012-02-27  |  Updated: 2012-02-28  |  Article URL http://www.symantec.com/docs/TECH182437
Article Type
Technical Solution


Issue



After performing a Patch Assessment Meta-Document Update in RMS/bv-Control for Windows, the newly downloaded hfnetchk6b.cab may display the following error:  A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider

Patch Assessment queries may fail with the following problem:  Distribution Job failed to distribute jobs to SQE. Error Code: -805360850. Affected Scope:<QE Machine Name> - Query Engine: The multi job failed after exceeding maximum retries.

During a patch assessment query, hfnetchk6b.cab will be copied from the BVIS to the query engines (..\Program Files\Symantec\BVNTQE\Data\ folder), these target query engine machines need to have the new root certificate 'VeriSign Class 3 Public Primary Certification Authority - G5' is present.  If the digital signature is not trusted, the patch assessment queries will fail.  Query engines without internet access (some DMZ's for example) will typically be impacted and may experience patch assessment failures. 


Error



hfnetchk6b.cab properties, Digital Signatures tab, Signature list Details on MQE, SQE, or BVIS: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 

Digital Signature Details of hfnetchk6b.cab


Cause



Shavlik Certificates expired in January 2012.  Newly downloaded hfnetchk6b.cab are digitally signed with the new certificate.


Solution



1. Launch certmgr.msc on BVIS, MQE, and SQE and verify that the root certificate 'VeriSign Class 3 Public Primary Certification Authority - G5' is present.

2. If missing, export certificate from a machine where the root certificate does exist and save to the hard drive. 

 VeriSign Class 3 Public Primary Certification Authority - G5

3. Copy exported certificate to any BVIS, MQE or SQE displaying certificate error

4. As Administrator, right-click on the saved file and select Install Certificate

    a. Select Next

    b. Select option Place all certificates in the following store

    c. Click Browse

    d. Select Trusted Root Certification Authorities, click Okay

    e. Click Next, Finish

 5.  Verify that the imported certificate is present as in step 2.

6.  As a test, manually copy hfnetchk6b.cab from BVIS ..\Symantec\RMS\Control\Windows\PatchAssessment to any MQE, SQE machine's desktop, launch file properties, Digital Signatures tab, highlight Shavlik Technologies in Signature list and click Details button - the Digital Signature Information should indicate This digital signature is OK

 

 




Article URL http://www.symantec.com/docs/TECH182437


Terms of use for this information are found in Legal Notices