This article applies to:
- Trustwave MailMarshal (SEG)
- Trustwave ECM/MailMarshal Exchange 7.X
- HTTPS Certificates for Internet Access
- Blended Threats licensing
- Maintenance Check
- McAfee for Marshal
- Sophos for Marshal
- Bitdefender for Marshal
Symptoms:
- Installations cannot download updates for Automatic Updates (SpamCensor), or cannot validate Blended Threats licensing or complete the Maintenance Check
- Logs show error Unable to get Local Issuer Certificate
- Virus scanner updaters cannot perform updates or licensing checks
- Error messages indicate SSL certificate validation errors
- New installations may display a warning on installation
- Warning text similar to: The MailMarshal Update service and the Blended Threats Module require SSL certificates currently not installed on this system
Cause:
The most common cause of these symptoms is that required CA root certificates are not installed, so the SSL certificates used by Trustwave websites cannot be validated.
Trustwave uses certificates issued by several authorities, including Microsoft, DigiCert, and Let's Encrypt. All of the root certificates for these authorities are included by default in the Windows certificate store.
As of late 2024, Let's Encrypt certificates may be in use.
- Currently supported Windows Servers that have the default set of root certificates already have the required certificates (ISRG Root X1). Windows 2012 servers may not have the required certificate.
As of mid 2023, DigiCert is issuing certificates from a new root certificate.
- This change is required because some browsers will stop trusting older DigiCert roots in 2025. For more details see information from DigiCert.
- For new certificates to be trusted, you must have the DigiCert Global Root G2 installed as a trusted root certificate in the Windows certificate store.
- Windows Servers that have automatically installed required updates should already have installed the required certificate.
- All certificates currently in use are issued from the new root certificate.
Also, you must allow access to Certificate Revocation List servers (such as http://crl3.digicert.com/ and http://c.lencr.org) to allow SSL connections to be validated.
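The two conditions described above (a trusted chain to the update site and access to the CRL servers) can be checked from the affected server before any certificates are installed. The following PowerShell script is an added diagnostic example, not part of this article or of the Trustwave products; the update host is the example site named later in this article, and the CRL hosts are the two named above. It retrieves the server certificate, asks Windows to build a chain with online revocation checking, and tests plain TCP reachability of the CRL hosts on port 80.

```powershell
# Added diagnostic example (not Trustwave code). Run on the Array Manager or
# Processing Node server. Host names are taken from the article; change
# $UpdateHost to the update site your installation actually contacts.
param(
    [string]$UpdateHost  = 'mcafee.marshal.com',
    [string[]]$CrlHosts  = @('crl3.digicert.com', 'c.lencr.org')
)

function Test-UpdateHostChain {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake so the certificate can be
        # retrieved; the real trust verdict is produced by X509Chain.Build below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online revocation checking exercises the CRL access requirement as well
    # as the root certificate requirement.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $trusted = $chain.Build($leaf)
    # The last element is the root when the chain is complete, otherwise the
    # highest issuer Windows could find.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Host        = $HostName
        Subject     = $leaf.Subject
        TopOfChain  = $top.Subject
        Trusted     = $trusted
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

function Test-CrlHostReachable {
    param([string[]]$Hosts)
    foreach ($h in $Hosts) {
        # CRLs are served over plain HTTP (port 80). A direct TCP test fails when
        # outbound access is only possible through a proxy; test from the proxy too.
        $tcp = New-Object System.Net.Sockets.TcpClient
        try   { $tcp.Connect($h, 80); $ok = $true }
        catch { $ok = $false }
        finally { $tcp.Close() }
        [pscustomobject]@{ Host = $h; Port80Reachable = $ok }
    }
}

Test-UpdateHostChain -HostName $UpdateHost | Format-List
Test-CrlHostReachable -Hosts $CrlHosts | Format-Table -AutoSize
```

A `Trusted` value of `False` with a `ChainStatus` of `PartialChain` or `UntrustedRoot` is the Windows-side equivalent of the "Unable to get Local Issuer Certificate" message in the product logs: the issuing root is not in the computer's Trusted Root store. A status of `RevocationStatusUnknown` or `OfflineRevocation` points at the CRL access requirement rather than at a missing root.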
Resolution:
To resolve this issue in most cases, you can take one of the following actions:
- You may be able to install the certificates automatically by browsing to the affected site (such as https://mcafee.marshal.com) using Internet Explorer or Edge from an administrator account. Once you have successfully browsed to the site, try the updater functionality again.
- You can manually retrieve the DigiCert Global Root G2 certificate from: https://www.digicert.com/kb/digicert-root-certificates.htm
  - Install this certificate to the Trusted Root Certificates store on Array Manager and Processing Node servers. See manual installation instructions at the end of this article.
  - Previous generation certificates (validity starting before March 2023) are issued from the DigiCert Global Root CA certificate.
- You can manually retrieve the ISRG Root X1 certificate from https://letsencrypt.org/certificates/.
  - Install this certificate to the Trusted Root Certificates store on Array Manager and Processing Node servers. See manual installation instructions at the end of this article.
Once the root certificate is installed, all functions requiring web access should work.
Other possible causes:
Cause 2: Access through WebMarshal
If Web access for SEG/MailMarshal or a virus scanner updater is through a WebMarshal installation that is configured for HTTPS content inspection, it is possible that the root certificates are not installed for the account(s) used by the Engine service, Array Manager service, and/or virus updater services.
Note: This cause only applies when Web access is through a WebMarshal installation that has HTTPS content inspection enabled for the specific update sites. Inspection is disabled by default.
- WebMarshal HTTPS Content Inspection uses a special locally generated root certificate. This certificate is installed into the user's certificate store by default. It is not available for service accounts by default.
- WebMarshal makes an exception for the SpamCensor update site, but current versions do not make an exception for the Blended threats site.
Resolution - WebMarshal certificate:
To resolve this issue, on each SEG/MailMarshal server, manually install the WebMarshal root certificate using the Windows Certificate Management console:
- Download the certificate from the WebMarshal.Home page of the WebMarshal installation.
- Run Microsoft Management Console (MMC.exe).
- Choose to add a snap-in and select the Certificates snap-in.
- Choose to manage certificates for the Computer account.
- Open Trusted Root Certification Authorities > Certificates.
- Import the certificate.
Alternatively, you might choose to bypass the proxy completely, or disable HTTPS inspection, for the update URLs required by Trustwave products.
Cause 3: Access through a third party proxy
If Web access for MailMarshal/SEG or a virus scanner updater is through a third party proxy configured for HTTPS content inspection, you may need to complete further configuration.
Note: This cause only applies when Web access is through a third party proxy server that has HTTPS content inspection enabled.
- The proxy server might not have the required CA certificates installed.
- The certificate used for local re-encryption might not be installed on the MailMarshal servers.
Resolution - third party proxy:
To resolve this issue, consult the documentation for the third party proxy and ensure the following:
- The proxy server has the required CA root certificates installed, so that it can validate the Trustwave update sites itself.
- The certificate the proxy uses for local re-encryption is installed in the Trusted Root Certificates store on the MailMarshal servers. See manual installation instructions at the end of this article.
Additional technical details:
- Some Windows releases install a very limited set of SSL CA certificates by default. Additional certificates are downloaded on demand.
- Windows Group Policy can be set to disable the on-demand downloads.
Manual download of certificates:
You can also manually download and install the required CA Certificates using the Windows Certificate Management console.
Install the certificates on Array Manager and Processing Node servers.
- Download the root certificate.
- Run Microsoft Management Console (MMC.exe).
- Choose to add a snap-in and select the Certificates snap-in.
- Choose to manage certificates for the Computer account.
- Open Trusted Root Certification Authorities > Certificates.
- Import the root certificate.
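The same check and import can be scripted, which is useful when several Array Manager and Processing Node servers need the certificate. The following PowerShell is an added example, not part of this article: it reports whether the three root certificates named in this article are present in the computer's Trusted Root store, and imports a downloaded root certificate file after confirming it is self-signed and, optionally, that its thumbprint matches the value published on the CA's download page. The file path and the thumbprint parameter are placeholders to be supplied by the administrator.

```powershell
# Added example (not Trustwave code). Run from an elevated PowerShell session
# on each Array Manager and Processing Node server.
$RequiredRootSubjects = @(
    'CN=DigiCert Global Root G2',   # current DigiCert root (see article)
    'CN=DigiCert Global Root CA',   # previous-generation DigiCert root
    'CN=ISRG Root X1'               # Let's Encrypt root
)

function Get-RequiredRootStatus {
    param([string[]]$Subjects = $RequiredRootSubjects)
    # Reading the LocalMachine\Root store does not require elevation.
    $installed = Get-ChildItem -Path Cert:\LocalMachine\Root
    foreach ($subject in $Subjects) {
        # Match on the leading CN so the remaining RDNs (O=, C=) do not matter.
        $match = $installed | Where-Object { $_.Subject -like "$subject,*" } | Select-Object -First 1
        [pscustomobject]@{
            Subject    = $subject
            Installed  = [bool]$match
            Thumbprint = if ($match) { $match.Thumbprint } else { $null }
            NotAfter   = if ($match) { $match.NotAfter }   else { $null }
        }
    }
}

function Install-RootCertificateFile {
    param(
        [Parameter(Mandatory)][string]$Path,   # e.g. C:\Temp\DigiCertGlobalRootG2.crt (placeholder)
        [string]$ExpectedThumbprint             # SHA-1 thumbprint copied from the CA's download page
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)

    # Only a self-signed CA certificate belongs in the Trusted Root store; an
    # intermediate CA certificate would go to the Intermediate store instead.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "$Path is not self-signed (issuer: $($cert.Issuer)); it is not a root certificate."
    }
    if ($ExpectedThumbprint) {
        $expected = ($ExpectedThumbprint -replace '[:\s]', '').ToUpperInvariant()
        if ($cert.Thumbprint -ne $expected) {
            throw "Thumbprint mismatch for $Path. Expected $expected, file has $($cert.Thumbprint)."
        }
    }
    $already = Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($already) {
        Write-Output "Already installed: $($cert.Subject)"
        return
    }
    # Import-Certificate (PKI module) requires an elevated session.
    Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Output "Installed: $($cert.Subject) ($($cert.Thumbprint))"
}

# Usage (paths and thumbprint are placeholders):
Get-RequiredRootStatus | Format-Table -AutoSize
# Install-RootCertificateFile -Path 'C:\Temp\DigiCertGlobalRootG2.crt' -ExpectedThumbprint '<thumbprint from digicert.com>'
# Install-RootCertificateFile -Path 'C:\Temp\isrgrootx1.pem'           -ExpectedThumbprint '<thumbprint from letsencrypt.org>'
```

Comparing the thumbprint against the value shown on the CA's own download page protects against importing a certificate that was altered or substituted in transit, which matters because anything placed in the Trusted Root store is trusted by every service on the server. Run `Get-RequiredRootStatus` again afterwards, then retry the updater.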
Notes:
Verify your system clock is accurate. Certificates might be rejected if they are "out of date" according to the local system time.
If none of the above solutions resolve your issue, contact Technical Support for help in diagnosing and resolving the problem.