Install license CA certificate chain

Last update 2023-10-12

The PDXpert license key file is cryptographically signed to verify the license and to support security actions on PDX packages. These actions confirm a signed PDX package's data integrity, authenticate the sender, and allow AES-256 password encryption. License key file validation requires frequent access to the Certification Authority's certificates, which are hosted on the web.

PDXpert uses the Sectigo (Comodo/USERtrust) certification authority.

Access to public internet§

A computer with a public internet connection must allow access to the Certification Authority's security certificates (the "CA certificate chain"). It is strongly recommended that firewall policies and/or access control devices use URLs and not IP addresses. Allow the following URLs to your firewall policies and access control devices to ensure connection to Sectigo's CRL services:

  • *.sectigo.com

  • *.comodoca.com

  • *.usertrust.com

If your security policies use IP address geolocation/geofencing, note that Sectigo certificates are issued from the United Kingdom (GB).

No access to public internet§

A computer without an internet connection must have the Certification Authority's root and intermediate security certificates (the "CA certificate chain") installed.

  • Do not edit the license file; signature validation requires an exact match.

  • The PDXpert Server must have an internet connection, or the CA certificate chain must be installed on the server machine.

  • The PDXpert client that imports the license file must access the CA certificate chain: (1) use the server machine's localhost PDXpert client to import the software license key; or (2) install the certificate chain on the PDXpert client computer.

Without access to the CA certificate chain, the Software License Key dialog's OK button is disabled.

Microsoft automatically installs the Sectigo trusted root certificate. This procedure installs the USERTrust intermediate certificate that links the PDXpert license signing certificate to the Sectigo root certificate.

Before starting, you can confirm that the Sectigo trusted root certificate is installed, and the intermediate certificate is not installed, using the View the certificates section.

Install the intermediate certificate§

You need Windows administrator permissions to complete this procedure.

Install the intermediate certificate(s) that link the Sectigo root certificate to PDXpert's license file code signing certificate:

  1. Download the certificate file(s) to the server computer, or to another computer that can transfer the file to the server using a USB drive or local network share. Save the certificate file on the server computer's Desktop or other easy-to-find location. Your computer may already have one or more of these installed – see this link to check. You can install all missing certificates, but do not install a certificate that's already in the store.§

    For PDXpert licenses issued after March 6, 2023, download these certificates from Sectigo:

    For PDXpert licenses issued before March 6, 2023, also download this certificate from Sectigo:

  2. Select the certificate file, and open the context menu (right-click). Select the Install Certificate command.§

    File context menu Install Certificate command

    Accept the file by clicking the Open button.

    Open File security warning dialog
  3. Select the Store location Local Machine option. Click Next§

    Certificate Import Wizard select profile
  4. Browse to, and then select, the Intermediate Certification Authorities certificate store. Click Next§

    Certificate Import Wizard select store
  5. Review the import completion summary, and Finish§

    Certificate Import Wizard install summary

View the certificates§

To view the security certificates in the Certificate Store:

  1. Use Windows Search manage computer certificates to find and select the MMC Certificates app.§

    Windows Search - Manage computer certificates
  2. The required trusted root certificate is automatically installed with Windows, and should be available unless it was uninstalled or revoked. You can confirm it's currently installed in path Certificates - Local Computer ➔ Trusted Root Certification Authorities ➔ Certificates.§

    If you need to install the USERTrust RSA root certificate, export it from another computer's Certificate Store, or get it on the web from USERTrust/Sectigo or one of its authorized partners. Or confirm the status of the audited root certificate, then download 1199354.crt. Import the RSA root certificate into the Trusted Root Certification Authorities store, similar to the procedure above.

    Trusted Root Certification Authorities Certificates
  3. The intermediate RSA certificate typically must be added to the Certificate Store. Open the path Certificates - Local Computer ➔ Intermediate Certification Authorities ➔ Certificates§

    Intermediate Certification Authorities Certificates