Issue / Symptom
After upgrading to Policy Manager Server 15.30, Client Security or Server Security fails to download malware definition updates from Policy Manager Proxy (PMP) and Policy Manager Server (PMS) with "certificate expired" and "untrusted root ca" errors.
Host using PMP
2022-02-01 09:32:21.040 [1454.1a68] I: Checking for updates from https://xxxx.xxxxx.xxxxx.de:488/guts2
2022-02-01 09:32:21.040 [1454.1a68] I: Update check failed, error=221 (certificate expired)
Host using PMS directly
2022-01-31 16:32:22.806 [0f54.1300] I: Checking for updates from https://xxxxx.xxxxx.xxx.de:443/guts2
2022-01-31 16:32:22.884 [0f54.1300] I: Update check failed, error=216 (untrusted root ca)
Resolution
Make sure that the SCEP certificates have been updated. You can delete the SCEP certificates from fspms-ca.jks to try to fix the issue.
For Policy Manager installed on a Linux host:
- Stop the F-Secure Policy Manager service
- Delete the fspms.jks file
- Run the following commands from the data folder (/var/opt/f-secure/fspms/data/):
- /opt/f-secure/fspms/jre/bin/keytool -delete -alias fspm-ra-encryption -keystore fspms-ca.jks
- /opt/f-secure/fspms/jre/bin/keytool -delete -alias fspm-ra-signing -keystore fspms-ca.jks
- Start the F-Secure Policy Manager service
- On the Policy Manager Proxy machine, run the fspmp-enroll-tls-certificate script from /opt/f-secure/fspms/bin/
For Policy Manager installed on a Windows host:
- Stop the F-Secure Policy Manager Server service from services.msc > F-Secure Policy Manager Server
- Delete the fspms.jks file (in <Installation folder>\F-Secure\Management Server 5\data). Note: Make a backup of this file
- Launch Command Prompt as administrator
- Navigate to C:\Program Files (x86)\F-Secure\Management Server 5\data folder in the Command Prompt
- Run the following commands:
- "C:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool.exe" -delete -alias fspm-ra-encryption -keystore fspms-ca.jks
- "C:\Program Files (x86)\F-Secure\Management Server 5\jre\bin\keytool.exe" -delete -alias fspm-ra-signing -keystore fspms-ca.jks
- Start the F-Secure Policy Manager Server service from services.msc
- Upon launching the Policy Manager Console, you will be prompted to accept the new certificate. You can click Accept to continue
- Run the fspmp-enroll-tls-certificate.bat script on the Policy Manager Proxy machine (...\F-Secure\Management Server 5\bin\fspmp-enroll-tls-certificate.bat)
Once the steps above are completed, the definition updates should work as expected.
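To confirm this on a host, its update log can be scanned for the two certificate errors shown under Issue / Symptom. The script below is an added example, not F-Secure code: the line layout is assumed from the two log excerpts on this page, the function and variable names are hypothetical, and the sample lines are constructed with placeholder host names.

```python
import re
from collections import namedtuple

# Line layout assumed from the two log excerpts on this page:
# "<date> <time> [<pid>.<tid>] <level>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<thread>[0-9a-f]+\.[0-9a-f]+)\] (?P<level>\w): (?P<msg>.*)$"
)
CHECK_RE = re.compile(r"^Checking for updates from (?P<url>\S+)$")
FAIL_RE = re.compile(r"^Update check failed, error=(?P<code>\d+) \((?P<reason>[^)]*)\)$")

# Only the two certificate errors quoted in this article.
CERT_ERRORS = {221: "certificate expired", 216: "untrusted root ca"}

Failure = namedtuple("Failure", "timestamp url code reason")

def find_cert_failures(lines):
    """Pair each certificate failure with the URL checked on the same thread."""
    pending = {}   # thread id -> URL of the update check in progress
    failures = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not follow the assumed layout
        thread, msg = m["thread"], m["msg"]
        check = CHECK_RE.match(msg)
        if check:
            pending[thread] = check["url"]
            continue
        fail = FAIL_RE.match(msg)
        if fail and int(fail["code"]) in CERT_ERRORS:
            url = pending.pop(thread, "<unknown>")
            failures.append(Failure(m["ts"], url, int(fail["code"]), fail["reason"]))
    return failures

# Constructed sample lines (placeholder host names, not real log data).
SAMPLE = """\
2022-02-01 09:32:21.040 [1454.1a68] I: Checking for updates from https://pmp.example.test:488/guts2
2022-02-01 09:32:21.040 [1454.1a68] I: Update check failed, error=221 (certificate expired)
2022-02-01 09:32:22.806 [0f54.1300] I: Checking for updates from https://pms.example.test:443/guts2
2022-02-01 09:32:22.884 [0f54.1300] I: Update check failed, error=216 (untrusted root ca)
2022-02-01 09:40:00.000 [0f54.1300] I: Checking for updates from https://pms.example.test:443/guts2
""".splitlines()

if __name__ == "__main__":
    for f in find_cert_failures(SAMPLE):
        print(f"{f.timestamp} {f.url} error={f.code} ({f.reason})")
```

An empty result for log lines written after the certificates were re-enrolled means neither certificate error has recurred.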