FireDaemon Software Root CA Code Signing Certificate Requirements


Summary

All FireDaemon software products need the most recent DigiCert CA Root Code Signing or Sectigo CA Root Code Signing Certificates to be installed on your computer in order to run. These certificates are normally provided by the operating system. You must patch your operating system (i.e. apply all Windows updates including root certificates) prior to attempting to install or run any FireDaemon software product.


Issue

All FireDaemon software products verify their digital signature and trust chain during installation and startup. This is to ensure that the software has not been tampered with. You might find your FireDaemon software product doesn't install, run, or work as expected due to missing digital certificates. The symptoms you experience might include:

  • FireDaemon installation executables and FireDaemon software product executables that ask for elevation show "Unknown Publisher" instead of "FireDaemon Technologies Limited" in the UAC popup
  • The FireDaemon software product doesn't run and open
  • The FireDaemon software product can take some time to open
  • Commands issued via the command line via FireDaemon Pro, for example, that requires a valid license to be present appear to do nothing and return with an exit code 1.


The primary cause for the software failing under these circumstances is that Windows has not been updated and more specifically the necessary chain of trust is not present to allow FireDaemon software products to run successfully. All FireDaemon software installers and executables are digitally signed using DigiCert and Sectigo Authenticode code signing certificates. FireDaemon software products require the DigiCert and Sectigo Authenticode CA trust chain to be installed on your computer. Normally, this is not an issue, however, in some environments - especially those that are air-gapped from the Internet or in corporate environments where patching is judicious you might find you have to deploy the DigiCert and Sectigo trust chain manually.


Resolution

In order to resolve this try the following:

  • Temporarily connect to the Internet and run your FireDaemon software product
  • Fully patch Microsoft Windows either directly from the Internet or via WSUS or equivalent patch management system
  • Ensure you have updated Windows with SHA-2 code signing support
  • Ensure in Group Policy: Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> Turn off Automatic Root Certificates Update is set to Not Configured or Disabled. For more information see this Server Fault discussion.
  • Look at other ways to ensure the necessary trusted root certificates are installed (e.g. download / import via certutil.exe -generateSSTFromWU roots.sst or use Administrative Templates). For example, you can download Sectigo's intermediate code signing certificates for manual deployment from here.


Below are screenshots from the Group Policy Editor where you can enable or disable Root Certificate Updates:


Local Group Policy Editor Turn off Automatric Root Certificates Update


Turn off Automatic Root Certificates Update