Summary

All recent versions of FireDaemon software products need the most recent Sectigo Public Code Signing Certificates to be installed on your computer in order to run.  Normally, this is not an issue as the certificates are provided and updated by the operating system. However, in some environments especially those that are air-gapped from the Internet or in corporate environments where patching is judicious you might find you have to relax the patching process or deploy the certificates manually.


Issue

All FireDaemon software products verify their digital signature and trust chain during installation and startup. This is to ensure that the software has not been tampered with. You might find your FireDaemon software product doesn't install, run, or work as expected due to missing digital certificates. The symptoms you might experience include:


  • The FireDaemon GUI-based software product doesn't run and open as expected
  • FireDaemon command line tools appear to do nothing and return with exit code 1
  • The FireDaemon software product can take many many minutes to start
  • FireDaemon installation executables and FireDaemon software product executables that ask for elevation show "Unknown Publisher" instead of "FireDaemon Technologies Limited" in the UAC popup.


The primary cause for the software failing under these circumstances is that Windows has not been updated and more specifically the necessary chain of trust is not present to allow FireDaemon software products to run successfully. All recent FireDaemon software installers and executables are digitally signed using Sectigo Authenticode code signing certificates. FireDaemon software products require the Sectigo Public Code Signing trust chain to be installed on your computer. The following certificates are required to allow FireDaemon software products to run:

  • Sectigo (AAA)
  • Sectigo Public Code Signing Root R46
  • Sectigo Public Code Signing CA EV R36


Verification

In order to resolve this issue verify that the necessary Sectigo certificates are present on your computer. To do this:

  1. Run the Certificates MMC Snapin (Start -> Run -> certmgr.msc)
  2. Navigate to Trusted Root Certificate Authorities -> Certificates and ensure AAA Certificate Services is present
  3. Navigate to Intermediate Certification Authorities -> Certificates and ensure the Sectigo Public Code Signing Root R46 and Sectigo Public Code Signing CA EV R36 certificates are present.


Resolution

If the certificates are missing follow the procedure below:

  1. Confirm you have updated Windows to support SHA-2 code signing (Windows 7, Server 2008, 2008 R2 only)
  2. Temporarily connect to the Internet and run your FireDaemon software product
  3. Fully patch Microsoft Windows either directly from the Internet or via WSUS or an equivalent patch management system to install the latest root and intermediate certificates
  4. In Group Policy: Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> Turn off Automatic Root Certificates Update is set to Not Configured or Disabled. For more information see this Server Fault discussion
  5. Download and manually install the Sectigo certificates. To do this, download the Sectigo Public Code Signing CA EV R36 certificate from here.Once downloaded:
    1. Right-click on the downloaded certificate file and choose Install
    2. You will be greeted with the Certificate Import Wizard Dialog
    3. Select the "Local Machine" store location
    4. Choose "Automatically select the certificate store"
    5. Verify that the certificates have been installed correctly per the "Verification" section above
  6. Look at other ways to ensure the necessary certificates are installed (e.g. download / import via certutil.exe -generateSSTFromWU roots.sst or use Administrative Templates).


Screenshots

Below are screenshots from the Group Policy Editor where you can enable or disable Root Certificate Updates:


Local Group Policy Editor Turn off Automatric Root Certificates Update


Turn off Automatic Root Certificates Update