Typically, the required certificate will be installed and updated via Microsoft Windows Update. In certain environments (e.g. air-gapped or central managed certificate store), customers may verify if the following required certificates exist to make sure that the update process would not fail:

1. Go to Start > Run.
2. Execute the following command: "certmgr.msc".
3. Check if the following certificates exist in the local computer:
   • SHA1:
     • Root CA

       Subject: VeriSign Class 3 Public Primary Certification Authority - G5
       Serial number: 18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a
       Thumbprint: 4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5
       Valid from 2006/11/08 to 2036/07/17

        

       If this certificate is not installed on the local computer, it will fail to recognize the SHA-2 certificate when the package contains both SHA-1 and SHA-2 even with Microsoft KB3033929 installed.
     • Intermediate cert

       Subject: VeriSign Class 3 Code Signing 2010 CA
       Serial number: 52 00 e5 aa 25 56 fc 1a 86 ed 96 c9 d4 4b 33 c7
       Thumbprint: 49 58 47 a9 31 87 cf b8 c7 1f 84 0c b7 b4 14 97 ad 95 c6 4f
       Valid from 2010/02/08 to 2020/02/08

   • SHA1-Countersignatures:
     • Root CA

       Subject: Thawte Timestamping CA
       Serial number: 00
       Thumbprint: be 36 a4 56 2f b2 ee 05 db b3 d3 23 23 ad f4 45 08 4e d6 56
       Valid from 1997/1/1 to 2021/1/1

     • Intermediate cert

       Subject: Symantec Time Stamping Services CA - G2
       Serial number: 7e 93 eb fb 7c c6 4e 59 ea 4b 9a 77 d4 06 fc 3b
       Thumbprint: 6c 07 45 3f fd da 08 b8 37 07 c0 9b 82 fb 3d 15 f3 53 36 b1
       Valid from 2012/12/21 to 2020/12/31

   • SHA2:
     • Root CA

       Subject: VeriSign Class 3 Public Primary Certification Authority - G5
       Serial number: 18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a
       Thumbprint: 4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5
       Valid from 2006/11/08 to 2036/07/17

     • Intermediate cert

       Subject: Symantec Class 3 SHA256 Code Signing CA
       Serial number: 3d 78 d7 f9 76 49 60 b2 61 7d f4 f0 1e ca 86 2a
       Thumbprint: 00 77 90 f6 56 1d ad 89 b0 bc d8 55 85 76 24 95 e3 58 f8 a5
       Valid from 2013/12/10 to 2023/12/10

     • Intermediate cert

       Subject: Symantec Class 3 SHA256 Code Signing CA
       Serial number: 3d 78 d7 f9 76 49 60 b2 61 7d f4 f0 1e ca 86 2a
       Thumbprint: 00 77 90 f6 56 1d ad 89 b0 bc d8 55 85 76 24 95 e3 58 f8 a5
       Valid from 2013/12/10 to 2023/12/10

   • SHA2-Countersignatures:
     • Root CA

       Subject: VeriSign Universal Root Certification Authority
       Serial number: 40 1a c4 64 21 b3 13 21 03 0e bb e4 12 1a c5 1d
       Thumbprint: 36 79 ca 35 66 87 72 30 4d 30 a5 fb 87 3b 0f a7 7b b7 0d 54
       Valid from 1997/01/01 to 2021/01/01

     • Intermediate cert

       Subject: Symantec SHA256 TimeStamping CA
       Serial number: 7b 05 b1 d4 49 68 51 44 f7 c9 89 d2 9c 19 9d 12
       Thumbprint: 6f c9 ed b5 e0 0a b6 41 51 c1 cd fc ac 74 ad 2c 7b 7e 3b e4
       Valid from 2017/1/2 to 2028/04/02

     Windows certificates management for reference:

     

     

Root CA means insert into Root Store (Trusted Root Certificate Authorities).

Intermediate cert means insert into Intermediate Certificate Authorities.

Trend Micro recommends that customers keep this setting enabled. However, if the customer cannot import this certificate for some reason, disable the checking mechanism:

1. Open the aucfg.ini file in the following folders of the OSCE server:
   • "\PCCSRV\web\service"
   • “\PCCSRV\WSS”
   • “\PCCSRV\LWCS”
2. Add the following parameters before the line "[Debug]".
   For OfficeScan 11.0 SP 1, you need to install Hot Fix Build 3085 before adding this parameter.
   • check_file_signature=0
   • check_digital_signature=0

Download Certificates

• VeriSign Class 3 Public Primary Certification Authority - G5
• VeriSign Universal Root Certification Authority
• Thawte Timestamping CA