Revoked Certificate Preventing Install
This past week, I battled to install Microsoft Dynamics CRM (MSCRM) for almost 6 hours. I’ve done countless attempts and fought every problem, so believe me when I say this is such an odd event in my life these days that it actually is enjoyable trying to figure out the problem. Now, normal MSCRM install issues happen either at the Environmental Diagnostic Wizard stage or during the actual install. This happened much earlier—in fact, when I tried to add a license key.
When adding the key and hitting Add, I got a dialog saying:
The specified license is invalid.
For additional details, see logfile: C:\Documents and Settings\XXX\Application Data\Microsoft\MSCRM\Logs\crm30svrsetup.log
Odd—but maybe it was wrong. I tried it a few times and thought, "Well, I’ll just pop on my trusty 90-day trial to get up and running and deal with Microsoft about issuing a new key." Guess what? The trial key failed too.
I’m not posting this on my IW blog (see right bar) because it’s more than just an MSCRM issue. Then I thought maybe something in the OS was wrong, so I installed all the patches and rebooted. One of the patches was Internet Explorer 7, which also refused to install with the error:
Setup could not verify the integrity of the installation files. Make sure the Cryptographic service is running on this computer.
What now? I tried numerous articles and suggestions gleaned from the internet, including a Microsoft KB article (822798)—which, shockingly, lists reinstalling Windows as an option (no, I didn’t do that; this box is running other applications just fine).
But here’s what I learned: All Microsoft software is digitally signed, but if something goes wrong with the certificates on the machine, it borks the installation of those applications. MSCRM, in my mind, had the same problem—since it (I assume) uses digital certs to perform a CRC (or similar) check on the license key.
What was interesting was that all the certificates were 100% fine, but if I right-clicked on the MSCRM install MSI file and checked it, it kept saying the certificate had been revoked. Odd? Because it wasn’t revoked on my machine or any other machine. And if Microsoft revoked a certificate like this, why wouldn’t I know about it? Hell, why are they still shipping IE with it? Something was clearly wrong.
What I found was a rogue revoked certificate installed—where it came from, I don’t know, but it was there. To remove it, I opened IE 6, went to the Tools Menu → Internet Options, then on the Content tab clicked Certificates, and on the last tab (Untrusted Publishers), I was able to see the rogue certificate and remove it. After that, everything installed fine.
Now, just a side thought on this: Microsoft recommends digitally signing all software. So if I were an anti-virus company or security company that took this seriously, I would not only sign the install of the software but also the runtimes and update definitions. The downside? If a virus/trojan could install a revoked certificate (not sure what privileges you’d need on XP, but I guess this is a UAC-controlled operation on Vista), it could bork all your security. Scary how one file can do that.
Update (13 Feb 2008): Trust me to have the wrong link for that Microsoft KB article, then send it to a client as the solution to their problem. DOH! Fixed now.