How to determine if a system has an updated root certificate

Technical Articles ID: KB92948
Last Modified: 2023-03-08 14:38:07 Etc/GMT

Environment

Trellix Agent (TA) 5.x
All products using SysCore

Summary

Our product line uses TLS for secure communication. Two certificates validate the TLS chains. These certificates include a primary that expires in 2038 and a secondary that expired at 10:48 GMT, May 30, 2020. If either certificate, or both, are present in your environment after May 30, 2020, only the primary certificate is valid. Out of an abundance of caution, we're informing customers of this event.

Generally, certificates are auto-updated through operating systems and customers aren't impacted. But, customers can potentially be impacted in the following scenarios:

Automatic management of root certificates is disabled
The primary certificate hasn't been manually deployed

Failure to have a valid certificate causes product issues, which include reduced detection efficacy. For more information, see KB92937 - Secondary root certificate for TLS might need to be updated.

Problem

Verify if the certificate exists on a client system manually:

Run cmd and execute a query to the registry with the following commands:

reg query HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E

reg query HKLM\SOFTWARE\Microsoft\SystemCertificates\root\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E

NOTE: On Server 2016, the command changes when implemented via a Group Policy (GPO). Another 'Policies' folder is added to the string, as seen below:

reg query HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\root\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E

If you have this issue, you see the following as a result:

Example of command window output showing the error (example 1)

Example of command window output showing the error (example 2)

The certificate can be in the \Microsoft\SystemCertificates\root\Certificates\ or Microsoft\SystemCertificates\AuthRoot\Certificates\ location. You also can view the certificate from CertManager. As long as the cert is available in any of the above paths, it doesn't cause an issue to the cert store.

Verify if the certificate exists on a client system using ePO:

To verify the presence of the root certificate on a larger number of Windows systems, we created an EEDK package. You can deploy this package through ePO to look for the presence of the certificate in the system's trust store. It then reports the results back to ePO in the TA custom properties of the system. The default custom property is custom property 8. But, you can change the value of the property when you create the deployment task. After the package deploys to a group of systems, you can create a query or filter the system tree for systems based on the results.

To use this package, follow the instructions below:

Download the EEDK package CHCKCERT1100.zip from the "Attachments" section of this article.
Check in the CHCKCERT1100.zip package to your ePO Master Repository.
Create a Product Deployment Task and select the package Check for Root Certificate for deployment. To specify the custom property that this package reports to, you can add a single number 1–8 in the command-line parameters for the client task.
Assign the client task to any systems for which you would like to verify the presence of the root certificate.
After a system has executed the script, one of two results is reported back to custom property 8 or the custom property that you select:
- OLD_CERT - The new certificate is not present on the system.
- NEW_CERT - The new certificate is present on the system.

Workaround

Click to expand the section you want to view:

Create a Group Policy Object (GPO) and link it to your domain

Download the USERTrustRSACertificationAuthority.crt certificate.
For details, see KB92937 - Secondary root certificate for TLS might need to be updated.
Open Administrative Tools, and then click Group Policy Management.
In the console tree under the top level of the domain, right-click and create a policy named McAfee_Certificates.
Double-click, or right-click Edit. Select the Group Policy Objects in the domain that contains the McAfee Certificates GPO that you want to edit.
In the Group Policy Management Console (GPMC), go to Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies.

Right-click the Trusted Root Certification Authorities store.

Click Import. Follow the steps in the Certificate Import Wizard, and import the downloaded certificate.
As a result, you see the new certificate imported to the GPO:

Verify that the policy is being applied on the client system

To verify that the policy is applied, make sure that the policies were updated. (You must do this step first.) Run the command gpupdate /force.

Example of command window output after you run gpupdate /force.

Example of command window output after you run gpupdate /force.

When it completes, verify if the policy is applying. Run the command gpresult /r.

This command shows the Resultant Set of Policies applied on the system:

Example of command window output after you run gpupdate gpresult /r.

Example of command window output after you run gpupdate gpresult /r.

Make sure that the set of policies includes the one that was created in previous steps: McAfee_Certificates

Verify that the certificate is now present on the system

To verify that the certificate is present, run the query in the registry with the following command:

reg query HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E

The certificate is now present on the system.

Attachment 1

USERTrustRSACertificationAuthority.crt
1K • < 1 minute @ broadband

Attachment 2

CHCKCERT1100.zip
4K • < 1 minute @ broadband

Affected Products

Languages:

This article is available in the following languages:

Knowledge Center

How to determine if a system has an updated root certificate

Environment

Summary

Problem

Workaround

Attachment 1

Attachment 2

Affected Products

Languages:

Title

Title

Knowledge Center

How to determine if a system has an updated root certificate

Environment

Summary

Problem

Workaround

Attachment 1

Attachment 2

Affected Products

Languages:

Choose your region

Title

Title