id: 341
summary: TAP-Windows installation failed, probably because of not trusted root certificate
reporter: MiCRoPhoBIC
owner:
description:

I have tried to install the latest OpenVPN (openvpn-install-2.3.2-I003-i686.exe) on Windows 7 Professional (64bit) but it fails on the TAP-Windows step. I have tried to run the tap-windows install manually by getting the latest version from here: http://build.openvpn.net/downloads/releases/tap-windows-9.9.2_3.exe but the result was the same.

After observing the setupapi.dev.log it looks like there is some problem with verifying the certificate chain against the trusted root certificates.

{{{
>>> [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901]
>>> Section start 2013/10/21 12:16:28.272
cmd: "C:\Program Files\TAP-Windows\bin\devcon.exe" install "C:\Program Files\TAP-Windows\driver\OemWin2k.inf" tap0901
dvi: Set selected driver complete.
dvi: {Build Driver List} 12:16:28.288
cpy: Policy is set to make all digital signatures equal.
dvi: Processing a single INF: 'c:\program files\tap-windows\driver\oemwin2k.inf'
inf: Opened INF: 'c:\program files\tap-windows\driver\oemwin2k.inf' ([strings])
sig: {_VERIFY_FILE_SIGNATURE} 12:16:28.288
sig: Key = oemwin2k.inf
sig: FilePath = c:\program files\tap-windows\driver\oemwin2k.inf
sig: Catalog = c:\program files\tap-windows\driver\tap0901.cat
! sig: Verifying file against specific (valid) catalog failed! (0x800b0109)
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 12:16:28.397
sig: {_VERIFY_FILE_SIGNATURE} 12:16:28.397
sig: Key = oemwin2k.inf
sig: FilePath = c:\program files\tap-windows\driver\oemwin2k.inf
sig: Catalog = c:\program files\tap-windows\driver\tap0901.cat
sig: Success: File is signed in Authenticode(tm) catalog.
sig: Error 0xe0000242: The publisher of an Authenticode(tm) signed catalog has not yet been established as trusted.
sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000242)} 12:16:28.412
dvi: Created Driver Node:
dvi: HardwareID - tap0901
dvi: InfName - c:\program files\tap-windows\driver\oemwin2k.inf
dvi: DevDesc - TAP-Windows Adapter V9
dvi: DrvDesc - TAP-Windows Adapter V9
dvi: Provider - TAP-Windows Provider V9
dvi: Mfg - TAP-Windows Provider V9
dvi: ModelsSec - tap0901.NTamd64
dvi: InstallSec - tap0901.ndi
dvi: ActualSec - tap0901.ndi
dvi: Rank - 0x00ff0000
dvi: Signer - OpenVPN Technologies, Inc.
dvi: Signer Score - Authenticode
dvi: DrvDate - 07/02/2012
dvi: Version - 9.0.0.9
....cut....
sto: {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE} 12:16:29.083
inf: Opened INF: 'C:\Windows\System32\DriverStore\Temp\{153d22cc-b6c7-6407-819f-e253cc223d15}\oemwin2k.inf' ([strings])
sig: {_VERIFY_FILE_SIGNATURE} 12:16:29.083
sig: Key = oemwin2k.inf
sig: FilePath = C:\Windows\System32\DriverStore\Temp\{153d22cc-b6c7-6407-819f-e253cc223d15}\oemwin2k.inf
sig: Catalog = C:\Windows\System32\DriverStore\Temp\{153d22cc-b6c7-6407-819f-e253cc223d15}\tap0901.cat
! sig: Verifying file against specific (valid) catalog failed! (0x800b0109)
! sig: Error 0x800b0109: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 12:16:29.114
sig: {_VERIFY_FILE_SIGNATURE} 12:16:29.114
sig: Key = oemwin2k.inf
sig: FilePath = C:\Windows\System32\DriverStore\Temp\{153d22cc-b6c7-6407-819f-e253cc223d15}\oemwin2k.inf
sig: Catalog = C:\Windows\System32\DriverStore\Temp\{153d22cc-b6c7-6407-819f-e253cc223d15}\tap0901.cat
sig: Success: File is signed in Authenticode(tm) catalog.
sig: Error 0xe0000242: The publisher of an Authenticode(tm) signed catalog has not yet been established as trusted.
sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000242)} 12:16:29.130
sto: Validating driver package files against catalog 'tap0901.cat'.
!!! sto: Driver package signer is unknown and user does not trust the signer.
!!! ndv: Driver package failed signature validation. Error = 0xE0000243
sto: {DRIVERSTORE_IMPORT_NOTIFY_VALIDATE exit(0xe0000243)} 12:16:29.442
!!! sto: Driver package failed signature verification. Error = 0xE0000243
!!! sto: Failed to import driver package into Driver Store. Error = 0xE0000243
sto: {Stage Driver Package: exit(0xe0000243)} 12:16:29.442
!!! sto: Failed to stage driver package to Driver Store. Error = 0xE0000243, Time = 530 ms
sto: {Import Driver Package: exit(0xe0000243)} 12:16:30.097
inf: Opened INF: 'c:\program files\tap-windows\driver\oemwin2k.inf' ([strings])
! inf: Add to Driver Store unsuccessful
! inf: Error 0xe0000243: The publisher of an Authenticode(tm) signed catalog was not established as trusted.
!!! inf: returning failure to SetupCopyOEMInf
inf: {SetupCopyOEMInf exit (0xe0000243)} 12:16:30.409
!!! ndv: Driver Package import failed for new device...installing NULL driver.
!!! ndv: Error 0xe0000243: The publisher of an Authenticode(tm) signed catalog was not established as trusted.
dvi: {Plug and Play Service: Device Install for ROOT\NET\0000}
ump: Creating Install Process: DrvInst.exe 12:16:30.425
! ndv: Installing NULL driver!
dvi: Set selected driver complete.
....cut....
dvi: CoInstaller 1: Enter 12:16:30.456
!!! cci: NdisCoinst: NcipOpenDriverRegistryKey failed with error code 0xe0000204
cci: NdisCoinst: Null driver install
dvi: CoInstaller 1: Exit
dvi: CoInstaller 2: Enter 12:16:30.456
dvi: CoInstaller 2: Exit
dvi: CoInstaller 3: Enter 12:16:30.456
dvi: CoInstaller 3: Exit
dvi: Class installer: Enter 12:16:30.456
cci: [NCI BEGIN INSTALL DEVICE for ROOT\NET\0000]
cci: NCI: Null driver install.
cci: [NCI END INSTALL DEVICE for ROOT\NET\0000]
dvi: Class installer: Exit
dvi: Default installer: Enter 12:16:30.456
! dvi: Installing NULL driver!
! dvi: A NULL driver installation is not allowed for this type of device!
!!! dvi: Cleaning up failed installation (e0000219)
!!! dvi: Default installer: failed!
!!! dvi: Error 0xe0000219: The installation failed because a function driver was not specified for this device instance.
}}}

When I have checked what is the chain and why it failed, by looking at certification chain of tap0901.cat:

Digicert -> Digicert High Assurance Code Signing CA-1 -> OpenVPN Technologies, Inc.

I wanted to compare the Serial Numbers and Thumbprints of the Digicert root and intermediate certificates, but I found that only the root certificate with such numbers exists on Digicert's website. The Intermediate one I did not find!

'''TAP-Windows tap0901.cat file signature:'''

{{{
Digicert High Assurance EV Root CA:
Valid from: 11/10/2006 to 11/10/2031
Serial: 02:AC:5C:26:6A:0B:40:9B:8F:0B:79:F2:AE:46:25:77
Thumbprint: 5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25
}}}

The Root of the chain looks fine, comparing it to Digicert's website: https://www.digicert.com/digicert-root-certificates.htm

But the intermediate one IS NOT:

{{{
DigiCert High Assurance Code Signing CA-1
Valid from:
Serial: 02:C4:D1:E5:8A:4A:68:0C:56:8D:A3:04:7E:7E:4D:5F
Thumbprint: E3:08:F8:29:DC:77:E8:0A:F1:5E:DD:41:51:EA:47:C5:93:99:AB:46
}}}

Can't find such certificate on their website: https://www.digicert.com/digicert-root-certificates.htm

It is very suspicious, because the "Valid from" and "Valid to" dates are the same, but the used certificate and the one on Digicert's website have different Serial numbers and Thumbprints. It is even creepier when you search for the Thumbprint E308F829DC77E80AF15EDD4151EA47C59399AB46 in Google... the only results are from virustotal scan reports.

I know about the bug with the expired signature (https://community.openvpn.net/openvpn/ticket/321) and I guess that's why it has a new signature from August 2013, but I think something is wrong with the chain of trust or maybe with the auto distribution of Root CA of Windows 7? Or compromised certificate, god forbid ;-)

type: Bug / Defect
status: closed
priority: minor
milestone: release 2.3.4
component: Installation
version: OpenVPN 2.3.2 (Community Ed)
severity: Not set (select this one, unless your'e a OpenVPN developer)
resolution: worksforme
keywords: tap, certificate, digicert, root, trust, chain, sign
cc:
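
Added example, not part of the ticket or of OpenVPN's code: a small Python parser that pulls each `_VERIFY_FILE_SIGNATURE` block out of a `setupapi.dev.log` and reports which catalog failed on trust, using only the three error codes and messages quoted in the log above. The function names are hypothetical, the sample lines are constructed from the ticket's excerpt, and treating exit code 0 as success is an assumption.

```python
import re

# Codes and meanings as they appear in the ticket's log excerpt.
SIG_ERRORS = {
    0x800B0109: "chain terminated in a root certificate which is not trusted",
    0xE0000242: "publisher has not yet been established as trusted",
    0xE0000243: "publisher was not established as trusted",
}
SECTION = re.compile(r"^>>>\s+\[(.+)\]")
FIELD = re.compile(r"sig:\s+(Key|FilePath|Catalog)\s+=\s+(.*)$")
EXIT = re.compile(r"\{_VERIFY_FILE_SIGNATURE exit\((0x[0-9a-fA-F]+)\)\}")

def signature_checks(log_text):
    """Return one dict per _VERIFY_FILE_SIGNATURE block in the log text."""
    results, section, current = [], None, None
    for line in log_text.splitlines():
        if (m := SECTION.match(line)):
            section = m.group(1)          # remember which install section we are in
        elif (m := EXIT.search(line)) and current is not None:
            code = int(m.group(1), 16)    # assumption: exit code 0 means success
            reason = SIG_ERRORS.get(code, "ok" if code == 0 else "unlisted error")
            current.update(exit=code, reason=reason)
            results.append(current)
            current = None
        elif "{_VERIFY_FILE_SIGNATURE}" in line:
            current = {"section": section}  # a new verification block starts
        elif (m := FIELD.search(line)) and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return results

def untrusted(results):
    """Map each catalog to the trust-related exit codes recorded against it."""
    failed = {}
    for r in results:
        if r["exit"] in SIG_ERRORS:
            failed.setdefault(r.get("Catalog"), []).append(r["exit"])
    return failed

# Constructed sample: lines taken from the ticket's excerpt, one entry per line.
SAMPLE = r"""
>>>  [Device Install (UpdateDriverForPlugAndPlayDevices) - tap0901]
     sig: {_VERIFY_FILE_SIGNATURE} 12:16:28.288
     sig:      Catalog  = c:\program files\tap-windows\driver\tap0901.cat
     sig: {_VERIFY_FILE_SIGNATURE exit(0x800b0109)} 12:16:28.397
     sig: {_VERIFY_FILE_SIGNATURE} 12:16:28.397
     sig:      Catalog  = c:\program files\tap-windows\driver\tap0901.cat
     sig:      Success: File is signed in Authenticode(tm) catalog.
     sig: {_VERIFY_FILE_SIGNATURE exit(0xe0000242)} 12:16:28.412
"""
```

Calling `untrusted(signature_checks(text))` on a full log gives, per catalog, the sequence of trust failures, which separates an untrusted root (0x800b0109) from a signed catalog whose publisher is simply not yet trusted (0xe0000242).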