Issue
All FireDaemon software products require Sectigo's Public Code Signing Certificates to be installed on your computer to run. All FireDaemon software products verify their digital signature and trust chain during installation and startup. Normally, these certificates are provided by the operating system automatically or via Windows Update.
However, in some environments especially those that are air-gapped from the Internet or where Microsoft Windows operating system patching intentionally excludes updating Trusted Root Certificates, the required certificates may be missing. This is typically due to Group Policy settings or the operating system not including the certificates by default because they are older than the certificates themselves. Specifically, Server 2016 and Server 2019 predate Sectigo's most recent code-signing certificates.
As a result, you might find your FireDaemon software product does not install, run, or work as expected due to the missing digital certificates. The symptoms you might experience include:
- Windows SmartScreen cannot validate FireDaemon installation executables
- FireDaemon installation executables display a "Failed to verify the certificate chain" warning message
- FireDaemon installation and software product executables show "Unknown Publisher" when elevating instead of "FireDaemon Technologies Limited"
- The FireDaemon software product can take many minutes to load and start
- FireDaemon GUI-based software products do not run and open. They just quit and appear to do nothing
- FireDaemon command line tools do not run. They appear to do nothing and return with exit code 1
Trusted Root and Intermediate Certificate Requirements
All FireDaemon software installers and executables are digitally signed using 4096-bit SHA-2 hardware-based Sectigo Authenticode code signing certificates. FireDaemon software products mandate that the Sectigo Public Code Signing trust chain be installed on your computer for the software to operate properly. The following certificates must be installed on your computer:
- Sectigo (AAA)
- Sectigo Public Code Signing Root R46
- Sectigo Public Code Signing CA EV R36
Certificate Verification via PowerShell
You can verify whether the necessary certificates are installed using PowerShell. To do this open a PowerShell prompt and type the following command:
Get-ChildItem -Path Cert:\LocalMachine\Root,Cert:\LocalMachine\CA | Where-Object { $_.Subject -like "CN=AAA*" -or $_.Subject -like "CN=Sectigo*" }You should see the following output:
PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root Thumbprint Subject ---------- ------- D1EB23A46D17D68FD92564C2F1F1601764D8E349 CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, S=Greater Manchester, C=GB PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\CA Thumbprint Subject ---------- ------- 329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692 CN=Sectigo Public Code Signing Root R46, O=Sectigo Limited, C=GB 0185FF9961FF0AA2E431817948C28E83D3F3EC70 CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
You can then verify the Authenticode signature as applied to the FireDaemon binaries. To do this, type the following command at the PowerShell prompt, adjusting paths accordingly:
Get-AuthenticodeSignature 'C:\Program Files\FireDaemon Pro\FireDaemon.exe'
You should see the following output if the Authenticode certificates are valid:
Directory: C:\Program Files\FireDaemon Pro SignerCertificate Status Path ----------------- ------ ---- C7FE6BFD5466557472B379DE462A5BF44735FDC8 Valid FireDaemon.exe
Certificate Verification via Certificate Manager
Alternatively, you can verify whether the necessary Sectigo certificates are installed on your computer via the Certificate Manager. To do this:
- Run the Certificate Manager MMC Snapin via Start -> Run -> certmgr.msc
- Navigate to Trusted Root Certification Authorities -> Certificates
- Verify whether the "AAA Certificate Services" is present
- Then navigate to Intermediate Certification Authorities -> Certificates
- Verify whether the "Sectigo Public Code Signing Root R46" certificate is present
- Verify whether the "Sectigo Public Code Signing CA EV R36" certificate exists.
If the certificates are present, and the FireDaemon software product does not run, then this may be due to other issues, including application whitelisting or being explicitly blocked by endpoint protection software (e.g. antivirus, antimalware, EPP, EDR, XDR or equivalent). Please contact us to assist in resolving the issue.
Resolution Options
If the certificates are missing, you will need to install them. To do this, try one or more of the following methods:
- Confirm you have updated Windows to support SHA-2 code signing (Windows 7, Server 2008, 2008 R2 only)
- Temporarily allow your computer to connect to the Internet and run your FireDaemon software product. The certificates will be automatically downloaded and installed. Verify they have been installed via the methods above
- Fully patch Microsoft Windows either directly from the Internet or via WSUS or an equivalent patch management system to install the latest root and intermediate certificates
- Confirm in the Group Policy Editor (secpol.msc) that Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> Turn off Automatic Root Certificates Update is set to Not Configured or Disabled. For more information, see this Server Fault discussion. Also, see the screenshots below
- Download and manually install the following Sectigo certificates:
EV Code Sign Certificates:
Sectigo Public Code Signing CA EV R36
Sectigo Public Code Signing Root R46 USERTrust Root
Root Certificate:
AAA Certificate Services
Sectigo Public Server Authentication Root R46- Right-click on each downloaded certificate file and choose Install
- You will be greeted with the Certificate Import Wizard Dialog
- Select the "Local Machine" store location
- Choose "Automatically select the certificate store"
- Verify that the certificates have been installed correctly per the "Verification" section above
- Look at other ways to ensure the necessary certificates are installed (e.g. download/import via certutil.exe -generateSSTFromWU roots.sst or use Administrative Templates).
Group Policy Editor Screenshots
Below are screenshots from the Group Policy Editor where you can enable or disable Root Certificate Updates. For certificates to be installed automatically, ensure Turn off automatic Root Certificates Update to Not configured or Disabled.
