800xA 6.1 SCC issue with Certificate/ Timestamp
Hello,
while trying to get to deploy functions in SCC (after clicking on configure system) I'm getting this error on one of the VMs that we have in the cloud. I've never seen this issue in a past. I have checked certificates, looks like all are valid and played with time, however with no success.
Is there anyone who can advise?
Thank you in advance,
Michael Bik
Asked 9 months ago
Answers
0
Ensure the below prerequisite on all the node,
Internet Security Settings for Digital Signature Validation Perform the following steps on all 800xA nodes: 1. Go to Control Panel. 2. On All Control Panel Items, select Internet Options. 3. In the Internet Properties, click Advanced tab. 4. Scroll to Security and under Security clear the Check for publisher’s certificate revocation check box. 5. Click Apply and OK.
Error Screenshot will definitely help here.
Internet Security Settings for Digital Signature Validation Perform the following steps on all 800xA nodes: 1. Go to Control Panel. 2. On All Control Panel Items, select Internet Options. 3. In the Internet Properties, click Advanced tab. 4. Scroll to Security and under Security clear the Check for publisher’s certificate revocation check box. 5. Click Apply and OK.
Error Screenshot will definitely help here.
Answered 9 months ago
0
Hello, I inserted the screenshot directly in the text, but obviously this doesn't work. I attached the screenshot now.
This checkbox was checked during the installation which went fine in the past. Unchecked now/ restarted the agent and whole system however it didn't solve the issue.
Thank you,
Michael.
This checkbox was checked during the installation which went fine in the past. Unchecked now/ restarted the agent and whole system however it didn't solve the issue.
Thank you,
Michael.
Answered 9 months ago
0
Check the cloud computer's Trusted Root Certificate store.
Since 6.0 all files on the System 800xA media are signed with a certificate from, I believe DigiCert or VeriSign, to be able to prove the media to be genuine and not tampered with. Since 6.1 the System Installer does not accept media lacking signatures. A warning is then lit up.
Here the certificate verification process seem to have halted, somehow. Verify that the computer clocks are correct and that the Trusted Root Certificate store is OK (compare with another computer where installation succeeded).
mmc.exe > Add snap-in > Certificates [Local Computer] > Trusted Root Certificates
One reason for the System Installer not being able to verify the media is if the Local Security Policy "Turn Off Automatic Root Certificate Updates" has been enabled, locally or via GPO.
Below is a closure comment from a similar support case we've had:
Case Closure Description:
The following certificates are missing:
· BaltimoreCyberTrustRoot
· DigiCertAssuredIDRootCA
· DigiCertSHA2AssuredIDCodeSigningCA
· VeriSign Universal Root Certification Authority
· VerizonGlobalRootCA
As the mechanism to load Root Certificates is a Microsoft Windows function to load from Crypt32.dll
and that Microsoft uses this file to update certificates via Windows Update (and also ABB QSU’s).
There is a description by Microsoft how to install the root certificates.
Case could be closed.
Since 6.0 all files on the System 800xA media are signed with a certificate from, I believe DigiCert or VeriSign, to be able to prove the media to be genuine and not tampered with. Since 6.1 the System Installer does not accept media lacking signatures. A warning is then lit up.
Here the certificate verification process seem to have halted, somehow. Verify that the computer clocks are correct and that the Trusted Root Certificate store is OK (compare with another computer where installation succeeded).
mmc.exe > Add snap-in > Certificates [Local Computer] > Trusted Root Certificates
One reason for the System Installer not being able to verify the media is if the Local Security Policy "Turn Off Automatic Root Certificate Updates" has been enabled, locally or via GPO.
Below is a closure comment from a similar support case we've had:
Case Closure Description:
The following certificates are missing:
· BaltimoreCyberTrustRoot
· DigiCertAssuredIDRootCA
· DigiCertSHA2AssuredIDCodeSigningCA
· VeriSign Universal Root Certification Authority
· VerizonGlobalRootCA
As the mechanism to load Root Certificates is a Microsoft Windows function to load from Crypt32.dll
and that Microsoft uses this file to update certificates via Windows Update (and also ABB QSU’s).
There is a description by Microsoft how to install the root certificates.
Case could be closed.
0
I forgot to mention, in previous versions before 6.1, it was possible to set a policy "Do not update root certificate store" to attempt to speed up certain actions since they could timeout if there were no Internet connection.
https://support.microsoft.com/en-us/h...
With 6.1 this must not be done, as it will block Window from unpacking some well known but install-on-first-use certificates which are required to authenticate the signatures on the ABB 800xA media.
Old hardening policies offered by ABB Consult IT had this setting enabled. If using hardening policies, make sure you are using the most recent and up-to-dat e version published on ABB Library.
https://support.microsoft.com/en-us/h...
With 6.1 this must not be done, as it will block Window from unpacking some well known but install-on-first-use certificates which are required to authenticate the signatures on the ABB 800xA media.
Old hardening policies offered by ABB Consult IT had this setting enabled. If using hardening policies, make sure you are using the most recent and up-to-dat e version published on ABB Library.
Add new comment