Windows does not trust a VeriSign Class 3 certificate?

I am distributing a Windows desktop application that has all executables digitally signed with a Verisign Class 3 code signing certificate. For the vast majority of users, this works fine.

However, a small number of users report that the certificate is invalid. Reportedly it comes with the message "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider." This corresponds to error code CERT_E_UNTRUSTEDROOT (0x800B0109). This was also reported on a fully updated Windows 7 machine. So, apparently, my certificate is fine, but Windows sometimes doesn't trust VeriSign certificates.

Why doesn't Windows sometimes trust VeriSign? Is there anything I can add to my installer (also signed) that tells Windows to trust the certificate?

1 answer

Root certificate updates are released frequently; Microsoft delivers them through Windows Update, but they are flagged as "optional updates". Therefore not all users install them, and you may need to install them manually. This also applies to "fully updated" machines, because unattended installations often install only "important updates", which the root certificate updates are not.

Depending on the type of desktop application, you may have to follow certain rules when signing. For example, applications that interact with Windows Security Center require essentially the same signing method as drivers. That is, the certificate chain is embedded along with the signature (/ac on signtool). You can get the MSCV-VSClass3.cer applicable to VeriSign certificates here.

This process is often called cross-signing, which seems to be incorrect. Although it is one step that your binary or catalog is cross-signed, it is vital that Microsoft signs the driver (or, more often these days, the catalog file), which is the actual cross-signature.

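An added diagnostic script, not part of the original question or answer, that a support engineer could run on an affected machine to pin down why the chain ends in CERT_E_UNTRUSTEDROOT: it reads the Authenticode signature, walks the chain to the root, checks whether that root is actually present in the machine's Trusted Root store, checks whether the "Automatic Root Certificates Update" policy has been switched off, and finally shows the signtool invocations for embedding the cross-certificate with /ac and verifying against the kernel-mode policy. The file path, PFX name and timestamp URL are placeholders and must be replaced with your own values.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the affected machine.
param(
    # Assumed path to one of the signed executables; replace with a real one.
    [string]$Path = 'C:\Program Files\ExampleApp\app.exe'
)

# 1. What does Windows itself think of the signature?
$sig = Get-AuthenticodeSignature -FilePath $Path
"{0}: {1}" -f $Path, $sig.Status      # 'Valid' is good; 'NotTrusted' / 'UnknownError' point at the chain
if (-not $sig.SignerCertificate) { throw "No Authenticode signature found on $Path" }
$sig.SignerCertificate | Format-List Subject, Issuer, Thumbprint, NotAfter

# 2. Build the chain and show the status of every element; the last element is the root.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'      # isolate trust problems from revocation problems
$null = $chain.Build($sig.SignerCertificate)
$elements = @($chain.ChainElements)
foreach ($e in $elements) {
    "{0,-70} {1}" -f $e.Certificate.Subject, (($e.ChainElementStatus | ForEach-Object Status) -join ',')
}
$root = $elements[-1].Certificate

# 3. Is that root in the machine's Trusted Root store? If not, this is the CERT_E_UNTRUSTEDROOT case.
$inRootStore = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if ($inRootStore) {
    "Root '$($root.Subject)' is present in LocalMachine\Root"
} else {
    "Root '$($root.Subject)' ($($root.Thumbprint)) is MISSING from LocalMachine\Root -> CERT_E_UNTRUSTEDROOT"
}

# 4. Has the automatic root certificate update been disabled by Group Policy?
#    (HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate = 1)
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableRootAutoUpdate -eq 1) {
    'Automatic Root Certificates Update is disabled by policy; the root store will not be refreshed on demand'
}

# 5. On the build machine: embed the cross-certificate with /ac so the chain is carried in the signature,
#    then verify with the kernel-mode driver policy (/kp). Placeholders: signing.pfx, password, timestamp URL.
# signtool sign /v /ac MSCV-VSClass3.cer /f signing.pfx /p <password> /t http://timestamp.example.invalid $Path
# signtool verify /v /kp $Path
```

Step 3 is the check that matters for this report: a Valid status on the developer's machine says nothing about a user's machine whose Trusted Root store was never refreshed, so compare the root thumbprint the chain ends in against what that store actually contains.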
