This article lists the certificates used in OfficeScan XG/Apex One.
For the OfficeScan server and client machines which do not have these certificates, the following issues may occur:
- OfficeScan clients remain in "Updating" state and fail to get their updates from the server
- OfficeScan server cannot verify the agents' digital signatures during Inter-Process Communication (IPC)
These issues occur when OfficeScan is installed on a Windows machine without direct Internet connection for downloading certificate updates. These certificates are necessary on the endpoints, as well as the server itself.
To resolve this issue:
- Download the root and intermediate certificates from the following Comodo links:
- Install each certificate on the affected OfficeScan server.
- Open the certificate and click Install Certificate... to open AddTrustExternalCARoot.crt and UTN-USERFirst-Object.crt.
- Click Next when the Certificate Import Wizard appears.
- For Windows 2012, select Local Machine and click Next.
- Select "Place all certificates in the following store" and click Browse.
- Check Show physical stores > Trusted Root Certification Authorities > Local Computer and click OK.
- For 2016 and above, just choose "Trusted Root Certification Authorities" and click OK.
- For Domain users, refer to this external article.
Click Finish. "The import was successful message" should appear.
The certificate-related issues should be resolved.
If manually adding the certificates and performing a Windows Update does not work, check for a Group Policy Object (GPO) that turns off Automatic Root Certificates Update:
- Go to Computer Configuration > Policies > Administrative Templates > System > Internet Communication Management > Internet Communication Settings > "Turn off Automatic Root Certificates Update".
- Make sure that the value is set to "Not configured" (default value).