Deploying root certificates via ePO

I know McAfee has provided an EEDK_PKG1001.zip to deploy the USERTrustRSACertificationAuthority.crt root certificate to endpoint systems, which works great.  My question is...  Will McAfee also provide a package to deploy the remaining certificates needed to validate the digital signatures before installing or upgrading McAfee ENS 10.7? The certificates I am referring to are listed in knowledge base article KB91697.  

If not, has anyone been able to successfully deploy them via a "registry" GPO? We have attempted to deploy them via GPO, but the certs aren't replicating to the Third-Party store.

Thank you in advance for any help/guidance you can provide.  

7 Replies
McAfee Employee
Message 2 of 8

Re: Deploying root certificates via ePO

The KB you mentioned has a .reg file that can be used for GPOs as well as a .bat file that can be run on the systems. You can also download EEDK and create your own package to push out the .bat file.

This is the getting started guide:

https://community.mcafee.com/t5/ePolicy-Orchestrator-ePO/ePO-Endpoint-Deployment-Kit-EEDK-Getting-st...

This is where you can download it from.

https://community.mcafee.com/t5/Community-Tool-Exchange/ePO-Endpoint-Deployment-Kit-9-6-1-Current-Do...

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Re: Deploying root certificates via ePO

Hi, and thank you! Yes, we do have the .reg file and .bat files. For some reason, when deploying the certs via GPO, they are not populating to the Third-Party trusted root store. (They are going into Trusted Root). Is it true that the GPO must be a "registry" GPO in order to place them in the correct certificate store? Thank you for the info on EEDK, I will try to use this as a last resort.

McAfee Employee
Message 4 of 8

Re: Deploying root certificates via ePO

That is quite possible; I haven't tried using GPO for that.


Re: Deploying root certificates via ePO

Here is the wording from the KB article when posted on 5/31:

"Deploy the registry change for the Computer policy, not the User policy. Instead of using a Certificate group policy object, which puts the certificate in the wrong certificate store, use a Registry group policy to make the change directly to endpoint registries, which puts the certificate in the correct store."

If I view that KB article today, it states:

"Deploy the registry change for the Computer policy, not the User policy. For example instructions on adding a certificate using group policy, see KB92948."

I have an SR open with McAfee regarding clarification around what stores the certificates need to be in, but I have yet to receive a concrete answer. If we deploy via GPO, the first set of certs are installed in the Trusted Root store (McAfee says they should be in Third Party trusted root). If I run the .bat or .reg import they are installed in Third Party trusted root. I would prefer our environment be updated by GPO but I am unable to get clarification. Thanks for your help.

4-21292441511

McAfee Employee
Message 6 of 8

Re: Deploying root certificates via ePO

I see some in both trusted root and 3rd party trusted root, so I am not sure if it is critical or not as to which one.  You can let your SR owner clarify that with dev.  Otherwise I can ask them on a call Wednesday with them.


Re: Deploying root certificates via ePO

That would be great if you could ask the question. Right now I am being told that if they exist in Trusted Root, it will be okay. However, that does not align with the KB article that specifically states they must exist in Third-Party root and Intermediate. I have asked that my SR be escalated for clarification. We are getting ready to roll out 10.7 and also perform upgrades to ENS 10.7 and I need to have these certs in their correct stores PRIOR to rolling out a large upgrade which is currently scheduled for 10/1. Any help is certainly much appreciated. Thanks!

Re: Deploying root certificates via ePO

I received confirmation from Technical Support that the certificates must exist in the Intermediate store (CA) and the Third-Party store (AuthRoot) according to the KB article below:

https://kc.mcafee.com/corporate/index?page=content&id=KB91697

 

The specific questions I asked were: 

1.  Can they exist in BOTH Trusted Root and Third-Party Root? 

Answer:  Technically, yes  (since Third-Party Root is a subset of the Trusted Root certification authorities, it should work fine) 

2.  Can they exist in Trusted Root ONLY (and not in Third-Party Root)?

Answer:  They did not say yes or no (I believe the answer is no).  Technical Support advises to follow best practice to ensure no issues are encountered.  They advise to follow the KB article and ensure the respective certificates are in the Third-Party Root store.  
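
A way to check the store placement this thread turns on, as an added example that is not part of the original posts or of McAfee's KB: the PowerShell below looks up each certificate in the registry-backed machine stores (Root, AuthRoot, CA), separately for locally written entries and for entries delivered by a Certificate GPO. The thumbprints are placeholders to be replaced with the values from KB91697; the registry paths are the standard Windows locations for these stores, and the function and status names are illustrative.

```powershell
# Added example: report which physical LocalMachine store holds each certificate.
# Placeholder thumbprints; substitute the values listed in KB91697.
$Thumbprints = @(
    '<THUMBPRINT-OF-ROOT-CERT-FROM-KB91697>',
    '<THUMBPRINT-OF-INTERMEDIATE-CERT-FROM-KB91697>'
)

# The registry is inspected instead of Cert:\LocalMachine\Root because the
# Trusted Root logical store also enumerates Third-Party (AuthRoot) entries,
# which hides the distinction the KB cares about.
$Hives = [ordered]@{
    Local = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates'          # .reg import, certutil, Registry GPO
    GPO   = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates' # Certificate GPO
}
$Stores = 'Root', 'AuthRoot', 'CA'

function Get-CertStoreLocation {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # Store keys are named after the SHA-1 thumbprint, upper-case, no spaces.
    $tp = ($Thumbprint -replace '\s', '').ToUpperInvariant()

    $found = @(foreach ($hive in $Hives.GetEnumerator()) {
        foreach ($store in $Stores) {
            $key = Join-Path $hive.Value "$store\Certificates\$tp"
            if (Test-Path -LiteralPath $key) { "$($hive.Key):$store" }
        }
    })

    # AuthRoot (Third-Party root) or CA (Intermediate) is what the KB asks for;
    # Trusted Root alone is the case Technical Support would not confirm.
    $status = if ($found -match ':(AuthRoot|CA)$') {
        'InKBStore'
    } elseif ($found -match ':Root$') {
        'TrustedRootOnly'
    } else {
        'Missing'
    }

    [pscustomobject]@{
        Thumbprint = $tp
        FoundIn    = $found -join ', '
        Status     = $status
    }
}

$Thumbprints | ForEach-Object { Get-CertStoreLocation $_ } | Format-Table -AutoSize
```

Run it from an elevated or standard PowerShell session on an endpoint before the ENS 10.7 rollout; a `GPO:Root` entry with status `TrustedRootOnly` matches the behaviour described above for certificates pushed with a Certificate GPO.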

 

 
