Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

App Control: Approve Certificates on the Counter Signature Chain

App Control: Approve Certificates on the Counter Signature Chain


App Control (Formerly CB Protection) Web Console:  All Supported Versions


Partial Cert Chain issues are causing problems with file approvals, so the desire is to approve the certificate itself in order to avoid this issue


At this time the console UI does not natively support managing Countersignature publishers and certificates


In order to approve a certificate on the counter chain, the following steps can be helpful
  1. On the system getting blocks, use the following "dascli" command to find the publisher name for the countersignature:
    • dascli find "C:\Users\XXX\AppData\Local\WebEx\webex.exe"
      CounterSigner: CertId[99] Parent[100] Publisher[Symantec SHA256 TimeStamping Signer – G2]
  2. In SQL Server Management Studio, run the following query (replace the publisher name with the one returned in the previous command):
    • use das; select publisher_id from publishers where name = 'Symantec SHA256 TimeStamping Signer – G2'
  3. Suppose that returns '18'.  Then take that publisher_id and go to the following URL:
    • https://localhost/publisher-details.php?publisher_id=18
  4. Replace localhost above with the name of your server.  
  5. On the page that comes up, you'll be presented with some "publisher" info at the top of the page, and a list of related certificates to this counter chain at the bottom.
  6. For each leaf certificate, check the box in front of the cert name, select Action > Approve Certificates.


Additional Notes

For even more detailed steps, I provided a detailed write up on the issue and how to resolve in this post here:
Ineligible for Approval | CERT_TRUST_IS_PARTIAL_CHAIN

Labels (1)
Was this article helpful? Yes No
67% helpful (2/3)
Article Information
Creation Date: