Browse your product documentation including release notes and installers
Attached below is a Digicert for the Windows App Control Agent.
Is this something that should be applied to our servers?
What's this for? Any context?
Windows XP and Server 2003 lack the necessary certificates (both root and intermediate) to validate the timestamps in the signature we use. In order to upgrade these operating systems to 8.7.4 of the App Control agent customers will need to choose to do one of the following:
Option 1: Import the Missing Certificates Into the Computer Certificate Store
You can download the necessary certificates from https://community.carbonblack.com/t5/Documentation-Downloads/App-Control-Windows-Agent-Digicert-Time....
Install the certificates on your machines either directly using MMC with the Certificates snap-in or use GPO. The root certificate should be imported to the Trusted Root Certification Authorities store. The intermediate certificate should go to the Intermediate Certification Authorities store. These should be imported at the machine level as opposed to the user level.
Option 2: Explicitly Trust the Timestamping Publisher
Another option is to trust the timestamping certificate. This can be a bit challenging because it requires querying the database for the correct id. Full instructions can be found on this document: https://community.carbonblack.com/t5/App-Control-Discussions/Ineligible-for-Approval-CERT-TRUST-IS-P...
Option 3: Use the ignore_partial_chain_on_countersignatures config prop
Agents can be configured to ignore the missing countersignatures. This allows approval by publisher for files that have valid code signing chains, while ignoring errors on the counter signing chain.
Details on how to configure this can be found here:
Please note that if the root certificate is not trusted (using Option 1 or 2), this method will still result in the following error: CERT_TRUST_IS_UNTRUSTED_ROOT.