vCenter Installer – Digital Signature Error


Win2012_logo_smallIf you work in a DoD computing environment and you’re attempting to install VMware vCenter Server 6.0 on a server that is STIG compliant, you’ll probably receive the following error:

The digital signature on file VMware-vCenter-Server.msi can not be verified.  The file might be damaged or modified.  Error codes:  -2146762748, 2148204814

Under the Microsoft Dot Net Framework STIG, the Software Publishing state table must be configured to only trust items in the users trust database.


CAUSE


This error occurs when the State value of the below mentioned registry key is set to 10000 (Restricted) rather than the default value 23c00 (unrestricted).  This value corresponds to the Internet Explorer security setting “Check for publisher’s certificate Revocation” and “Check for signatures on downloaded programs.”

IE_Security


RESOLUTION


To resolve this problem, change the registry key to a valid setting.

"Check for publisher’s certificate Revocation"
'State' = 0x00023c00 = Checked (Default)
'State' = 0x00023e00 = Unchecked

The registry change does not require a reboot.


WARNING:  If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system.  Use Registry Editor at your own risk!


Method 1:  Editing the Registry
  1. Start Registry Editor (Regedit.exe)
  2. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  3. On the left side pane look for State key and double click to open it
  4. Change the Value data to 23c00 or 23e00 (Hexadecimal)
  5. Quit Registry Editor.

SoftwarePublishingState

Method 2: Create a reg file
  1. Start Notepad.
  2. In Notepad, paste the following information.
    Windows Registry Editor Version 5.00
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
    "State"=dword:00023c00
  3. Save the file as a .reg file.
  4. Double-click the .reg file that you saved in step 3.

 


stopWARNING!


Certificate revocation checking protects your servers and clients against the use of invalid server authentication certificates either because they have expired or because they were revoked (e.g., when a server certificate was compromised).  Therefore, we do not recommend disabling the certificate revocation check in production environments.


Facebook Comments