Agent Client Collector - Asset Certificate Validation Failed causing host data collection failureIssue Host Data Collection fails because of Asset Validation failure.SymptomsWhen reviewing the check result shows : "error getting assets for check: couldn't verify asset (skipped fetching certificates and retrying): Could not determine a valid CA signed certificate to verify signature, aborting Asset signature verification" Agent Logs shows : [x509: certificate signed by unknown authority] [certificate] certificate validation failed[certificate validation failed: x509: certificate signed by unknown authority] Certificate validation failed for C:\ProgramData\ServiceNow\agent-client-collector\config\cert\servicenow\SNCertificate_2025.cerReleaseAllCauseAsset Validation has failed. From agent logs , we can see the reason for Asset Validation failure as - certificate signed by unknown authority The certificate used to validate the asset is present in agent's config\cert folder C:\ProgramData\ServiceNow\agent-client-collector\config\cert\servicenow\SNCertificate_2025.cerServiceNow's code signing certificate is signed by a public CA - Digicert. An example error looks like below from Agent logs : 2025-05-07T13:22:32.89 [ERROR] [asset-manager] [certificate validation failed: x509: certificate signed by unknown authority] Certificate validation failed for C:\ProgramData\ServiceNow\agent-client-collector\config\cert\servicenow\SNCertificate_2025.cer 2025-05-07T13:22:32.89 [DEBUG] [agent] [certificate] Validating the certificate [C:\ProgramData\ServiceNow\agent-client-collector\config\cert\servicenow\SNCertificate_2028.cer] against the trust store This error means that the certificate chain is not trusted by the agent The certificate chain is checked against the host OS truststore In the above example, we see that it does not trust the DigiCert root CA. Windows includes Digicert root certificates by default however if affected machine have had their automated CA update disabled by means of group policy ("Turn off Automatic Root Certificates Update") then the root certificate required for validation may not be present.ResolutionEnable group policy for Automatice Root Certificate Update. If it needs to be disabled due to security policies an import of the Digicert CA into the affected machines will be required using the instructions mentioned below. 1.Download "DigiCert Trusted Root G4" from the CA's website https://cacerts.digicert.com/DigiCertTrustedRootG4.crt2. Import the CA certificate into the Windows Trusted Root Certification Authorities certificate store.To Import the Certs use one of the below options : 1. Distribute the CA certificate using group policy (automated using group policy): https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/distribute-certificates-to-client-computers-by-using-group-policyNote: document is written in the context of distributing an ADFS cert but the same steps apply to distribute DigiCertTrustedRootG4.crt2. GUI method (manual, would need to be done by an Admin on each machine):Right click the DigiCertTrustedRootG4.crt file and select 'Install Certificate'Set store location to 'Local Machine' and click nextSelect 'Place all certificates in the following store' and use the 'Browse...' button to select 'Trusted Root Certification Authorities' then click NextPress Finish to complete the import. Prompt appears 'Import is successful'3. CLI method (needs to be done on each affected machine but could be automated):Drop the certificate file in an accessible location, e.g C:\DigiCertTrustedRootG4.crtOpen Powershell as an Administrator (right click, 'Open as Administrator')Run the following line to import the cert, you'll need to change the path to DigiCertTrustedRootG4.crt as needed (see step #1)Import-Certificate -FilePath "C:\DigiCertTrustedRootG4.cer" -CertStoreLocation cert:\\LocalMachine\RootRelated LinksRefer to the below KB & section on how are assets downloaded to the agent How Asset Validation Works