"Certificate Chain is Invalid" Error when using the SMP license Removal tool 

Sep 02, 2014 06:49 AM

Yesterday I was looking at my SMP licensing using SIM (the Symantec Installation Manager) and I was troubled that certain licenses might not be applying correctly.

So, I decided to take a look at the installed licenses through an alternative route: the RemoveLicense.exe utility, which is located in C:\Program Files\Altiris\Notification Server\Bin\Tools.

When I loaded it though, I got a dialog displaying the following error,

Can not get the license
System.Exception: Certificate Chain is invalid.
  at RemoveLegacyLicense.LegacyLicenseUtil.Verify(X509Certificate2 certificate)
  at RemoveLegacyLicense.LegacyLicenseUtil.GetLegacyLicenses()

 

This is a known issue, and Altiris Support directed me to this SMP 7.0 and 7.1 tech note TECH198685,

This cites the following,

Microsoft released a critical update (KB 2661254) on August 14, 2012, that ends support for certificates using the RSA algorithm that has key lengths less than 1024 bits. Shorter keys have been deemed more vulnerable to brute force attacks due to continued advances in computer processing capabilities. After applying Microsoft’s update, all certificates with key lengths less than 1024 bits will be treated as invalid. Any application that calls into the operating system to validate the digital certificates will receive an invalid certificate response whereas previously it would pass the validation.
 

So this tech note applies to SMP 7.5 too. The workaround stated here is to uninstall Microsoft KB 2661254 from your SMP Server. As this needed a reboot to take, and would likely get reinstalled at some point by a well-meaning administrator, I took a deeper look into the Microsoft KB. This revealed another (and perhaps better) option; use certutil.exe to set the lower limit of permitted RSA Public Key Lengths from 1024 bits to 512 bits.

This can be achieved using the following command,

certutil -setreg chain\minRSAPubKeyBitLength 512


When I ran this, RemoveLicense.exe ran smoothly without requiring a system reboot (or even an MS service restart). Brilliant!
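
The certutil setting above is machine-wide, so it lowers the floor for every certificate chain Windows validates on the server, not only for the license tool. The following read-only audit is an added example, not part of the original post or of Symantec's tooling: it reports the effective floor, lists certificates in the LocalMachine stores with RSA keys under 1024 bits, and prints the command that restores the default. It assumes an elevated Windows PowerShell session on the SMP server, and that the registry key shown is the one behind certutil's `chain\` prefix.

```powershell
# Added example, not from the original post: read-only audit of the RSA key-length floor.
# Assumption: run in an elevated Windows PowerShell session on the SMP server.
$rsaOid  = '1.2.840.113549.1.1.1'   # OID that identifies RSA public keys
$default = 1024                      # floor applied by KB 2661254 when no override exists
# Registry key behind certutil's "chain\" prefix (chain engine configuration).
$cfg = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'

# 1. Effective floor: the override if one is set, otherwise the default.
$props = Get-ItemProperty -Path $cfg -ErrorAction SilentlyContinue
$floor = if ($props -and $null -ne $props.minRSAPubKeyBitLength) {
    [int]$props.minRSAPubKeyBitLength
} else {
    $default
}
"Effective minimum RSA key length: $floor bits (default $default)"

# 2. Certificates in the machine stores whose RSA key is shorter than the default.
#    PassesFloor shows which of them the current setting lets through the length check.
$weak = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
    Where-Object { $_.PublicKey.Oid.Value -eq $rsaOid } |
    ForEach-Object {
        $bits = $_.PublicKey.Key.KeySize
        if ($bits -lt $default) {
            [pscustomobject]@{
                Store       = ($_.PSParentPath -split '\\')[-1]
                Bits        = $bits
                PassesFloor = ($bits -ge $floor)
                NotAfter    = $_.NotAfter
                Subject     = $_.Subject
                Thumbprint  = $_.Thumbprint
            }
        }
    }

if ($weak) {
    $weak | Sort-Object Bits | Format-Table -AutoSize
} else {
    'No RSA certificates under 1024 bits found in the LocalMachine stores.'
}

# 3. Reminder to restore the default once the license work is finished.
if ($floor -lt $default) {
    'Floor is lowered. To restore the default: certutil -delreg chain\minRSAPubKeyBitLength'
}
```

The certificate that RemoveLicense.exe validates may not live in a certificate store, so an empty list here does not mean the lowered floor is unused.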

Comments

May 06, 2015 09:37 AM

Thanks a lot! That command worked! 
