Cylance: Protect - Root Certificates

Description

Overview

The CylancePROTECT Agent is unable to establish a secure connection to the console. This prevents device registration, or causes the Agent to appear as offline in the console. This is caused by remote certificate chain errors.

An Agent log with debug logging enabled displays the following error:

CylanceSvc(4476)[6] Debug: [SslCertValidator] RemoteCertificateValidate: 'api.cylance.com' E='RemoteCertificateChainErrors'

The CylancePROTECT Agent UI may also continuously display "Optimizing components" if the Agent is unable to register to the CylancePROTECT console.


Cause

These errors typically indicate that one or more root certificate authority (CA) instances are missing from the computer's Trusted Root Certification Authorities folder. Without the necessary root CA, the computer is unable to validate the file's certification path, or establish a secure connection to the console.

On Windows platforms, the missing root CA can be caused by enabling the following Group Policy setting:

Computer Configuration / Policies / Administrative Templates / System / Internet Communication Management / Internet Communication settings / Turn off Automatic Root Certificate Update

Enabling this Group Policy setting sets the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot
  Name: DisableRootAutoUpdate
  Type: REG_DWORD
  Value: 1

NOTE: You may also see this behavior if you are using SSL inspection. SSL inspection must be bypassed for all CylancePROTECT traffic using: *.cylance.com.


Resolution

Cylance recommends that devices have the required trusted root certificates installed. The following certificates include those recommended by Microsoft and Apple:

VeriSign Class 3 Public Primary Certification Authority - G5:
  Serial Number: 18dad19e267de8bb4a2158cdcc6b3b4a
  Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU=(c) 2006 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network, O=VeriSign, Inc., C=US
  NotBefore: 11/7/2006 4:00 PM
  NotAfter: 7/16/2036 3:59 PM
  Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU=(c) 2006 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network, O=VeriSign, Inc., C=US
  Cert Hash(sha1): 4eb6d578499b1ccf5f581ead56be3d9b6744a5e5

GeoTrust Global CA:
  Serial Number: 023456
  Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  NotBefore: 5/20/2002 8:00 PM
  NotAfter: 5/20/2022 8:00 PM
  Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
  Cert Hash(sha1): de28f4a4ffe5b92fa3c503d1a349a7f9962a8212

thawte Primary Root CA:
  Serial Number: 344ed55720d5edec49f42fce37db2b6d
  Issuer: CN=thawte Primary Root CA, OU=(c) 2006 thawte, Inc. - For authorized use only, OU=Certification Services Division, O=thawte, Inc., C=US
  NotBefore: 11/16/2006 4:00 PM
  NotAfter: 7/16/2036 3:59 PM
  Subject: CN=thawte Primary Root CA, OU=(c) 2006 thawte, Inc. - For authorized use only, OU=Certification Services Division, O=thawte, Inc., C=US
  Cert Hash(sha1): 91c6d6ee3e8ac86384e548c299295c756c817b81

DigiCert Global Root CA:
  Serial Number: 083be056904246b1a1756ac95991c74a
  Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  NotBefore: 11/9/2006 4:00 PM
  NotAfter: 11/9/2031 4:00 PM
  Subject: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Cert Hash(sha1): a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436

Starfield Class 2 Certification Authority:
  Serial Number: 00
  Issuer: CN=Starfield Class 2 Certification Authority, OU=Starfield Class 2 Certification Authority, O=Starfield Technologies, Inc., C=US
  NotBefore: 6/29/2004 9:39:16 AM
  NotAfter: 6/29/2034 9:39:16 AM
  Subject: OU=Starfield Class 2 Certification Authority, O=Starfield Technologies, Inc., C=US
  Cert Hash(sha1): ad7e1c28b064ef8f6003402014c3d0e3370eb58a


External Resources for Required Root Certificates

Please refer to the following external resources:


Verification:

To verify that you have the required trusted root certificates installed, run the following commands:

Windows:

  • certutil -store AuthRoot "GeoTrust Global CA"
  • certutil -store AuthRoot "thawte Primary Root CA"
  • certutil -store AuthRoot "VeriSign Class 3 Public Primary Certification Authority - G5"
  • certutil -store AuthRoot "DigiCert Global Root CA"
  • certutil -store AuthRoot "Starfield Class 2 Certification Authority"

macOS (SYS_KEYCHAIN must point at the keychain that holds the system root certificates; set it first, as in the first line below. Roots added by an administrator live in /Library/Keychains/System.keychain instead):

  • SYS_KEYCHAIN=/System/Library/Keychains/SystemRootCertificates.keychain
  • security find-certificate -c "thawte Primary Root CA" -a -Z "$SYS_KEYCHAIN"
  • security find-certificate -c "GeoTrust Global CA" -a -Z "$SYS_KEYCHAIN"
  • security find-certificate -c "VeriSign Class 3 Public Primary Certification Authority - G5" -a -Z "$SYS_KEYCHAIN"
  • security find-certificate -c "DigiCert Global Root CA" -a -Z "$SYS_KEYCHAIN"
  • security find-certificate -c "Starfield Class 2 Certification Authority" -a -Z "$SYS_KEYCHAIN"
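The Windows checks above, together with the Group Policy value from the Cause section and a chain build against the console, combined into one script. This is an added example, not the article's or Cylance's own tooling: it assumes Windows PowerShell 5.1 or later in an elevated session on the affected endpoint, uses the SHA-1 hashes listed in this article, and takes the console hostname from the Agent log line shown above. Matching on thumbprint rather than on display name avoids a false "present" result from an unrelated certificate that happens to carry the same subject name.

```powershell
# Added example, not part of the Cylance article. Assumes an elevated Windows
# PowerShell 5.1+ session. Hashes and hostname are the ones given in the article.

$requiredRoots = [ordered]@{
    '4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5' = 'VeriSign Class 3 Public Primary Certification Authority - G5'
    'DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212' = 'GeoTrust Global CA'
    '91C6D6EE3E8AC86384E548C299295C756C817B81' = 'thawte Primary Root CA'
    'A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436' = 'DigiCert Global Root CA'
    'AD7E1C28B064EF8F6003402014C3D0E3370EB58A' = 'Starfield Class 2 Certification Authority'
}

# 1. Policy check: the Group Policy setting from the Cause section writes this value.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$policy = Get-ItemProperty -Path $policyPath -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableRootAutoUpdate -eq 1) {
    Write-Warning "DisableRootAutoUpdate = 1 under $policyPath : Windows will not fetch missing roots on demand."
} else {
    Write-Host 'Automatic Root Certificate Update is not disabled by policy.'
}

# 2. Store check: look in both the built-in Root store and the AuthRoot store that
#    the automatic update populates, and compare SHA-1 thumbprints, not names.
$installed = Get-ChildItem -Path 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot' |
    ForEach-Object { $_.Thumbprint.ToUpperInvariant() }

$missing = foreach ($thumb in $requiredRoots.Keys) {
    if ($installed -contains $thumb) {
        Write-Host ('OK       {0}  {1}' -f $thumb, $requiredRoots[$thumb])
    } else {
        Write-Warning ('MISSING  {0}  {1}' -f $thumb, $requiredRoots[$thumb])
        $thumb   # emitted into $missing
    }
}

# 3. Chain check: reproduce what the Agent does when it connects to the console.
#    A validation failure here is the same condition the debug log reports as
#    RemoteCertificateChainErrors.
$consoleHost = 'api.cylance.com'
$tcp = $null; $tls = $null
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($consoleHost, 443)
    $tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $tls.AuthenticateAsClient($consoleHost)
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
    Write-Host ('TLS handshake succeeded. Server certificate issuer: {0}' -f $remote.Issuer)
} catch {
    Write-Warning ('TLS handshake to {0} failed: {1}' -f $consoleHost, $_.Exception.Message)
} finally {
    if ($tls) { $tls.Dispose() }
    if ($tcp) { $tcp.Dispose() }
}

if ($missing) {
    Write-Warning ('{0} required root certificate(s) missing; see Resolution.' -f @($missing).Count)
} else {
    Write-Host 'All required root certificates are present.'
}
```

If step 3 succeeds but reports an issuer that is not one of the public CAs above (for example, an internal proxy or firewall CA), the connection is being intercepted by SSL inspection, which is the case the NOTE in the Cause section describes; bypass inspection for *.cylance.com rather than adding the inspection CA to the endpoint. If step 1 reports the policy as enabled and step 2 reports missing roots, the roots must be deployed to the endpoints by another means (for example, the Group Policy trusted root distribution or a certutil -addstore import), since Windows will not retrieve them on demand.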
