000037438 - Certificate missing from the trusted root certificates during installation of RSA Authentication 7.4 Agent for Windows

Document created by RSA Customer Support Employee on May 8, 2019. Last modified by RSA Customer Support Employee on Oct 24, 2019.
Version 4

Article Content

Article Number: 000037438
Applies To
RSA Product Set:  SecurID
RSA Product/Service Type:  Authentication Agent for Windows
RSA Version/Condition:  7.4.x
Issue
While trying to install the RSA Authentication Agent 7.4 for Windows, the following error message displays:
 


Installation stopped. RSA Authentication agent needs a certificate missing from the trusted Root Certificates. Contact your administrator.
 


 

No prompt is presented to allow for the selection or import of the certificate file.
 
Cause
On machines where there is no internet access, certain certificates that are automatically provisioned on Windows operating systems may not be present.

A Windows administrator must use the appropriate Microsoft root update mechanism to install the certificate in the Trusted Root CA store of the machine account.

To check the certificates associated with the installation .msi file, go through the following steps:
  1. Right-click the .msi of the agent and select Properties > Digital Signatures > Details > View Certificate.
  2. Click on the Certification Path tab. In the example shown here, the VeriSign Class 3 Public Primary Certification Authority - G5 is missing:
 

[Image: Missing Root Certificate]



The following error is seen as well:


[Image]

Resolution
RSA does not give explicit instructions on Windows processes or tasks; a certain proficiency with Windows is assumed, and the RSA Authentication Agent for Windows runs on six different Windows operating systems.

The RSA Authentication Agent for Windows requires the trusted root certificate VeriSign Class 3 Public Primary Certification Authority - G5, Symantec Class 3 SHA256 Code signing CA - G2 and RSA Security LLC in the Trusted Root CA store of the machine account. Also, the trust must be set for the computer, not just a user account.
[Image: The chain of certificates]
 
Workaround
  1. On the Windows OS, double-click on the signed certificate file. This will bring up the properties of the certificate.
  2. Click on the certification path. This will list the certificate chain that signed your certificate.  Double-click on the top-most CA certificate (VeriSign Class 3 Public Primary Certification Authority - G5), which is the missing one in our case. This should open the properties of the root CA certificate.
  3. Click on the Details tab on the properties of the root CA certificate.
  4. Click the Copy to File button. This will bring up the Certificate Export Wizard.
  5. Click Next. You will be prompted to select the export file format.
  6. Choose base-64 encoded X.509 (.cer) and click Next.
  7. On the next screen, you will be prompted to select the location to save the exported root CA certificate.
  8. Send the missing certificate to the affected environment.
  9. Import the missing certificate to the Windows server using the following steps:

    1. Click Start > Run > MMC.
    2. Go into the Console tab and select File > Add/Remove Snap-in.
    3. Click on Add > Click on Certificates and click on Add.
    4. Choose Computer Account > Next.
    5. Choose Local Computer > Finish.
    6. Close the Add Standalone Snap-in window.
    7. Click on OK at the Add/Remove Snap-in window.
    8. You will be brought back into the management console, where you will see your snap-in. There you can expand and right-click the various folders or certificates to see the options that are available to you.
    9. You have successfully created an MMC snap-in on your Windows system to troubleshoot certificates.
    10. Expand Trusted Root Certification Authorities.
    11. Right-click Certificates.
    12. Go to All Tasks > Import.
    13. In the Certificate Import Wizard click Next.
    14. Click Browse. Browse to and open the location of the missing certificate retrieved from your certificate authority.
    15. Click Next.
    16. Click Next.
    17. Click Finish.
    18. You should get a message stating that the import is successful and should now see the Root Certificate within your certificate store.
    19. Right-click on the newly imported certificate and make sure that in the certificate properties screen Enable all purposes for this certificate is checked.

Finally, after all the above steps have been taken, check the certificates associated with the .msi file of the agent again. The missing one will appear and the certificate will show as follows:
[Image: The chain of certificates]


Now installation/update will run successfully.
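
The check and import described above can also be scripted. The following PowerShell is an added example, not RSA's own procedure: the file paths and the expected thumbprint are placeholders to be replaced with your own values, and the thumbprint should come from a source you trust so that an unexpected certificate is never added to the machine-wide root store.

```powershell
#Requires -RunAsAdministrator
# Added example. Paths and the expected thumbprint are placeholders, not values from the article.
param(
    [string]$MsiPath = 'C:\Temp\agent.msi',            # assumed location of the agent .msi
    [string]$RootCer = 'C:\Temp\missing-root.cer',     # assumed location of the exported .cer
    [string]$ExpectedThumbprint = '<THUMBPRINT-FROM-A-TRUSTED-SOURCE>'
)

# List the signer's certificate chain and show which Root stores hold each element.
function Get-SignerChain([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) { throw "No Authenticode signature found on $Path" }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'      # no internet access: skip CRL/OCSP
    [void]$chain.Build($sig.SignerCertificate)
    foreach ($el in $chain.ChainElements) {
        $c = $el.Certificate
        [pscustomobject]@{
            Subject       = $c.GetNameInfo('SimpleName', $false)
            Thumbprint    = $c.Thumbprint
            IsRoot        = ($c.Subject -eq $c.Issuer)
            InMachineRoot = Test-Path "Cert:\LocalMachine\Root\$($c.Thumbprint)"
            InUserRoot    = Test-Path "Cert:\CurrentUser\Root\$($c.Thumbprint)"
            ChainStatus   = ($el.ChainElementStatus.Status -join ',')
        }
    }
}

Write-Host 'Before import:'
$before = @(Get-SignerChain $MsiPath)
$before | Format-Table -AutoSize
if (-not ($before | Where-Object IsRoot)) { Write-Warning 'Chain does not reach a root certificate.' }

# Confirm the exported file is the certificate you expect before trusting it machine-wide.
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCer
if ($cer.Thumbprint -ne ($ExpectedThumbprint -replace '\s', '').ToUpper()) {
    throw "Thumbprint $($cer.Thumbprint) does not match the expected value; nothing imported."
}
Import-Certificate -FilePath $RootCer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

Write-Host 'After import:'
Get-SignerChain $MsiPath | Format-Table -AutoSize
Write-Host "Signature status: $((Get-AuthenticodeSignature -FilePath $MsiPath).Status)"
```

A row where InUserRoot is True and InMachineRoot is False means the certificate is trusted only for the user account, which does not satisfy the requirement that the trust be set for the computer.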
