Knowledge Base

Yes

Environment

App Control (Formerly CB Protection) Web Console: All Supported Versions

Partial Cert Chain issues are causing problems with file approvals, so the desire is to approve the certificate itself in order to avoid this issue

At this time the console UI does not natively support managing Countersignature publishers and certificates

In order to approve a certificate on the counter chain, the following steps can be helpful

On the system getting blocks, use the following "dascli" command to find the publisher name for the countersignature:

dascli find "C:\Users\XXX\AppData\Local\WebEx\webex.exe"

CounterSigner: CertId[99] Parent[100] Publisher[Symantec SHA256 TimeStamping Signer – G2]

In SQL Server Management Studio, run the following query (replace the publisher name with the one returned in the previous command):
- ```
use das; select publisher_id from publishers where name = 'Symantec SHA256 TimeStamping Signer – G2'
```
Suppose that returns '18'. Then take that publisher_id and go to the following URL:
- ```
https://localhost/publisher-details.php?publisher_id=18
```
Replace localhost above with the name of your server.
On the page that comes up, you'll be presented with some "publisher" info at the top of the page, and a list of related certificates to this counter chain at the bottom.
For each leaf certificate, check the box in front of the cert name, select Action > Approve Certificates.

For even more detailed steps, I provided a detailed write up on the issue and how to resolve in this post here:
Ineligible for Approval | CERT_TRUST_IS_PARTIAL_CHAIN