Digital signature upgrade for loading library CAB files

Digital signature upgrade for loading library CAB files

Summary

FlexNet Manager Suite library content for the Application Recognition Library (ARL), SKU Library, and Product Use Rights Library (PURL) is delivered through signed CAB files. Digital signatures used on these files are generally trusted by default, but may not be trusted if you have a non-default or non-current set of trusted root certificates configured on your FlexNet Manager Suite batch server.

This article describes how to verify details of the digital signature on a FlexNet Manager Suite library content CAB file, ensure it is trusted, and install a trusted root certificate if necessary.

Verifying the digital signature on a CAB file

To verify whether the digital signature on a CAB file used for delivering FlexNet Manager Suite library content is trusted on the batch server:

  1. Download the relevant .cab file and save/copy it to the batch server. For example, the Application Recognition Library file can be downloaded from here.
  2. In Windows Explorer, right click on the file and select the Properties menu option.
  3. Click on the Digital Signatures tab, click on the entry in the Signature list, and click the Details button:
    Digital Signature
  4. A dialog will be displayed with an indication of whether the digital signature is trusted. For example:
    image.png


    If everything is OK, you will see the message "The digital signature is OK". If not, you will see an error message, such as "Windows does not have enough information to verify this certificate."

Troubleshooting an untrusted digital signature

If a problem is reported with the digital signature on a .cab file, clicking on the View Certificate button in the Digital Signature Details dialog may show additional details which will help to identify the cause of the problem.

One possible cause is that the root certificate used is not trusted by your FlexNet Manager Suite batch server. Check for problems with the root certificate on the Certification Path tab when viewing the .cab file's certificate:

image.png

Installing a DigiCert trusted root certificate

FlexNet Manager Suite library content .cab file digital signatures currently use the "DigiCert Trusted Root G4" root certificate.

If this root certificate is not already trusted by your batch server, the certificate in PEM file format can be downloaded from DigiCert's website at https://www.digicert.com/digicert-root-certificates.htm.

Once downloaded, the certificate should be installed (aka "imported") to the Trusted Root Certification Authorities > Certificates folder for the "Local Machine" (all users).

Consult your server administrators or information published by Microsoft about how to install a trusted root certificate in your environment and for your specific operating system. This will often involve using the Windows Certificate Manager tool.

Labels (2)
Was this article helpful? Yes No
0% helpful (0/1)
Comments

Hi,

Can please someone update the URLs? This seems to be Broadcom now: https://knowledge.broadcom.com/external/article/150350/obtain-the-verisign-class-3-public-prima.html

Best regards,

Markward

@mfranz Did you ever hear back on this?  Our ARL download is failing and on the properties of the cab file it says the certificate chain terminated in a root cert which is not trusted.  Which root cert do I need if it's not VeriSign?

Thanks!

Nope, no feedback on the broken link. Have you tried the cert from my link?

@mfranz yes, I tried the cert in your link too and it still fails.  Guess I'm opening a case.

I have the same issue, I have created a case.

The information that was in this article was a little out of date - a VeriSign root certificate is no longer used, and a DigiCert root certificate is currently used for signing content CAB files. The article has now been updated with details of the DigiCert root certificate.

Version history
Revision #:
2 of 2
Last update:
‎Nov 22, 2021 08:59 PM
Updated by:
 
Contributors