Verifying proper import of digital certificates in Control Manager (TMCM) 6.0

    • Updated: 22 Jun 2016
    • Product/Version: Control Manager 6.0
    • Platform:
      • Windows 2000 Advanced Server
      • Windows 2000 Server
      • Windows 2003 Enterprise
      • Windows 2003 Server R2
      • Windows 2003 Standard
      • Windows 2008 Enterprise
      • Windows 2008 Enterprise 64-bit
      • Windows 2008 Server R2
      • Windows 2008 Standard
      • Windows 2008 Standard 64-bit
      • Windows 2012 Enterprise
      • Windows 2012 Server Essentials
      • Windows 2012 Standard R2
      • Windows 2012 Web Server Edition

Summary

Control Manager has a new enhancement in the update process that checks the integrity of downloaded files before loading them.

TMCM 6.0 SP3 Patch 1 Hot Fix Build 3241 and later versions contain the added file signature checking in the update process.

The required certificates for file integrity checking are automatically downloaded and installed via Microsoft Windows Update. However, if certificates are not properly installed or are missing, the file signature checking mechanism fails and the update process terminates.

In certain environments, such as air-gapped networks or those with centrally managed certificate stores, the TMCM server may not be able to access Microsoft Windows Update to download the digital certificates used for validating the integrity of downloaded files. In that case, the TMCM server cannot load any new pattern and engine updates.

The customer has tried to import the digital certificates manually, but does not know where to place them in the Certificate Manager (certmgr.msc).

Details

Customers can verify if the required certificates exist by doing the following:

  1. Go to Start > Run.
  2. Execute the following command:

    certmgr.msc

  3. Check if the following certificates exist under Certificates (Local Computer):

    • "Root CA" in the list below means to go into Trusted Root Certification Authorities > Certificates.
    • "Intermediate cert" in the list below means to go into Intermediate Certification Authorities > Certificates.

    • SHA-1:
      • Root CA

        Subject: VeriSign Class 3 Public Primary Certification Authority - G5
        Serial number: 18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a
        Thumbprint: 4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5
        Valid from 2006/11/08 to 2036/07/17

      • Intermediate cert

        Subject: VeriSign Class 3 Code Signing 2010 CA
        Serial number: 52 00 e5 aa 25 56 fc 1a 86 ed 96 c9 d4 4b 33 c7
        Thumbprint: 49 58 47 a9 31 87 cf b8 c7 1f 84 0c b7 b4 14 97 ad 95 c6 4f
        Valid from 2010/02/08 to 2020/02/08

    • SHA-1 Countersignatures:
      • Root CA

        Subject: UTN-USERFirst-Object
        Serial number: 44 be 0c 8b 50 00 24 b4 11 d3 36 2d e0 b3 5f 1b
        Thumbprint: e1 2d fb 4b 41 d7 d9 c3 2b 30 51 4b ac 1d 81 d8 38 5e 2d 46
        Valid from 1999/07/10 to 2019/07/10

    • SHA-2:
      • Root CA

        Subject: Class 3 Public Primary Certification Authority
        Serial number: 70 ba e4 1d 10 d9 29 34 b6 38 ca 7b 03 cc ba bf
        Thumbprint: 74 2c 31 92 e6 07 e4 24 eb 45 49 54 2b e1 bb c5 3e 61 74 e2
        Valid from 1996/01/29 to 2028/08/02

      • Intermediate cert

        Subject: VeriSign Class 3 Public Primary Certification Authority - G5
        Serial number: 25 0c e8 e0 30 61 2e 9f 2b 89 f7 05 4d 7c f8 fd
        Thumbprint: 32 f3 08 82 62 2b 87 cf 88 56 c6 3d b8 73 df 08 53 b4 dd 27
        Valid from 2006/11/08 to 2021/11/08

      • Intermediate cert

        Subject: Symantec Class 3 SHA256 Code Signing CA
        Serial number: 3d 78 d7 f9 76 49 60 b2 61 7d f4 f0 1e ca 86 2a
        Thumbprint: 00 77 90 f6 56 1d ad 89 b0 bc d8 55 85 76 24 95 e3 58 f8 a5
        Valid from 2013/12/10 to 2023/12/10

    • SHA-2 Countersignatures:
      • Root CA

        Subject: Thawte Timestamping CA
        Serial number: 00
        Thumbprint: be 36 a4 56 2f b2 ee 05 db b3 d3 23 23 ad f4 45 08 4e d6 56
        Valid from 1997/01/01 to 2021/01/01

      • Intermediate cert

        Subject: Symantec Time Stamping Services CA - G2
        Serial number: 7e 93 eb fb 7c c6 4e 59 ea 4b 9a 77 d4 06 fc 3b
        Thumbprint: 6c 07 45 3f fd da 08 b8 37 07 c0 9b 82 fb 3d 15 f3 53 36 b1
        Valid from 2012/12/21 to 2020/12/31
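
The same check can be scripted rather than done by hand in the console. The following PowerShell is an added example, not part of the original Trend Micro article: it assumes Windows PowerShell 2.0 or later, reads the Local Computer stores through the built-in Cert: provider, and uses the stores and thumbprints from the list above. Besides present and missing certificates, it reports a certificate that was imported into the wrong store.

```powershell
# Expected certificates, transcribed from the list above.
# Store 'Root' = Trusted Root Certification Authorities
# Store 'CA'   = Intermediate Certification Authorities
$expected = @(
    @{ Store='Root'; Thumbprint='4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5'; Subject='VeriSign Class 3 Public Primary Certification Authority - G5' },
    @{ Store='CA';   Thumbprint='49 58 47 a9 31 87 cf b8 c7 1f 84 0c b7 b4 14 97 ad 95 c6 4f'; Subject='VeriSign Class 3 Code Signing 2010 CA' },
    @{ Store='Root'; Thumbprint='e1 2d fb 4b 41 d7 d9 c3 2b 30 51 4b ac 1d 81 d8 38 5e 2d 46'; Subject='UTN-USERFirst-Object' },
    @{ Store='Root'; Thumbprint='74 2c 31 92 e6 07 e4 24 eb 45 49 54 2b e1 bb c5 3e 61 74 e2'; Subject='Class 3 Public Primary Certification Authority' },
    @{ Store='CA';   Thumbprint='32 f3 08 82 62 2b 87 cf 88 56 c6 3d b8 73 df 08 53 b4 dd 27'; Subject='VeriSign Class 3 Public Primary Certification Authority - G5' },
    @{ Store='CA';   Thumbprint='00 77 90 f6 56 1d ad 89 b0 bc d8 55 85 76 24 95 e3 58 f8 a5'; Subject='Symantec Class 3 SHA256 Code Signing CA' },
    @{ Store='Root'; Thumbprint='be 36 a4 56 2f b2 ee 05 db b3 d3 23 23 ad f4 45 08 4e d6 56'; Subject='Thawte Timestamping CA' },
    @{ Store='CA';   Thumbprint='6c 07 45 3f fd da 08 b8 37 07 c0 9b 82 fb 3d 15 f3 53 36 b1'; Subject='Symantec Time Stamping Services CA - G2' }
)

# Index every certificate in every Local Computer store once, so that a
# certificate imported into the wrong store can be reported with its location.
$all = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] }

$now = Get-Date
$report = foreach ($e in $expected) {
    # The Cert: provider exposes thumbprints as upper-case hex without spaces.
    $thumb   = ($e.Thumbprint -replace '\s', '').ToUpper()
    $hits    = @($all  | Where-Object { $_.Thumbprint -eq $thumb })
    $inStore = @($hits | Where-Object { $_.PSParentPath -like "*\$($e.Store)" })

    if ($inStore.Count -gt 0) {
        # Present where the article expects it; flag it if its validity period has ended.
        $status = if ($inStore[0].NotAfter -lt $now) { 'Present (past NotAfter)' } else { 'Present' }
    } elseif ($hits.Count -gt 0) {
        # Installed, but only in some other Local Computer store.
        $found  = $hits | ForEach-Object { ($_.PSParentPath -split '\\')[-1] }
        $status = 'Wrong store: ' + (($found | Sort-Object -Unique) -join ', ')
    } else {
        $status = 'Missing'
    }
    New-Object PSObject -Property @{ Status=$status; Store=$e.Store; Subject=$e.Subject; Thumbprint=$thumb }
}

$report | Select-Object Status, Store, Subject, Thumbprint | Format-Table -AutoSize
```

Matching on thumbprint rather than subject matters here because the same subject (VeriSign Class 3 Public Primary Certification Authority - G5) appears in the list twice, once as a root and once as an intermediate, with different thumbprints.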

 

If the customer cannot import the certificates successfully for any reason, a less secure alternative is to disable signature checking:

  1. Open the “C:\Program Files\Trend Micro\Control Manager\aucfg.ini” file using Notepad.
  2. Manually add the following key and set it to "0":
    • check_file_signature=X

      Where:
      X=0 disables file signature checking.
      X=1 enables file signature checking.

  3. Save the changes to the aucfg.ini file.
  4. Restart the Trend Micro Control Manager service.

Category: Configure; Troubleshoot; Update
Solution Id: 1114388