Symptoms
An out-of-date Certificate Revocation List (CRL) on the Protect console server can cause many issues, including:
- Content data fails to download automatically or through a Help - Refresh Files. The Scriptcatalog.zip is the most common data file affected by this.
- Patches fail to download with a digital signature error.
- Miscellaneous other issues as noted with certificate errors in the logs.
Cause
The Certificate Revocation List (CRL) is out of date.
Resolution
1) Update the Root Certificate on the Protect console server by performing a scan against it using a Security Tools enabled Scan Template. The missing patch will be MSRC-001 or MSRC-002. Deploy the patch with reboot.
2) Manually update the Certificate Revocation List (CRL) by following these instructions:
Navigate to the Protect installation folder
Right click on ST.Protect.exe
Select Digital Signature
Select the Signature in the Signature list
Click Details
Click View Certificate
Select Details
Select CRL Distribution Points from the list
Use the URL= value to download the first CRL. (http://csc3-2010-crl.verisign.com/CSC3-2010.crl)
Click Certification Path
Select the certificate above Shavlik Technologies (VeriSign Class 3 Code Signing 2010 CA)
Click View Certificate
Select Details
Select CRL Distribution Points from the list
Use the URL= value to download the first CRL. (http://crl.verisign.com/pca3-g5.crl)
From the information collected above, you would download and install the following CRL files:
http://csc3-2010-crl.verisign.com/CSC3-2010.crl
http://crl.verisign.com/pca3-g5.crl
Copy these files to the console machine
Right Click on the file --> Install CRL
Click Next
Select Automatically select the certificate store based on the type of certificate
Click Next
Click Finish
You should see "The import was successful."
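The download and install part of step 2 can also be scripted. The following PowerShell is an added example, not Shavlik's own code: it fetches the two CRL URLs listed above, skips any CRL whose NextUpdate has already passed, and imports the rest. It assumes an elevated session, English-language certutil output, and that the Intermediate Certification Authorities (CA) store is the right target; the scratch folder name is hypothetical.

```powershell
# Added example. Run from an elevated PowerShell prompt on the Protect console server.
$crlUrls = @(
    'http://csc3-2010-crl.verisign.com/CSC3-2010.crl',
    'http://crl.verisign.com/pca3-g5.crl'
)
$workDir = Join-Path $env:TEMP 'crl-update'   # hypothetical scratch folder
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

foreach ($url in $crlUrls) {
    $file = Join-Path $workDir ([IO.Path]::GetFileName(([Uri]$url).LocalPath))
    Invoke-WebRequest -Uri $url -OutFile $file -UseBasicParsing

    # certutil -dump decodes the CRL; a non-zero exit code means the file
    # is not a CRL (for example, an HTML error page from a proxy).
    $dump = certutil.exe -dump $file
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not decode $file as a CRL; skipping."
        continue
    }

    # Assumption: English output with a "NextUpdate: <date>" line, and a date
    # format that matches the current culture.
    $match = $dump | Select-String -Pattern 'NextUpdate:\s*(.+)$' | Select-Object -First 1
    if (-not $match) {
        Write-Warning "No NextUpdate field found in $file; skipping."
        continue
    }
    $nextUpdate = [datetime]::Parse($match.Matches[0].Groups[1].Value.Trim())
    if ($nextUpdate -lt (Get-Date)) {
        # Importing an expired CRL would leave the console in the same state.
        Write-Warning "$file expired on $nextUpdate; not installing."
        continue
    }

    # Import into the Intermediate Certification Authorities store (assumed
    # to match what the Install CRL wizard selects automatically).
    certutil.exe -addstore -f CA $file | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Host "Installed $file (valid until $nextUpdate)."
    } else {
        Write-Warning "certutil -addstore failed for $file (exit code $LASTEXITCODE)."
    }
}
```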
Affected Products
Shavlik Protect 9.0.1182.0
Shavlik Protect 9.1.4334.0