Host data collection fails with certificate signed by unknown authority error - Support and Troubleshooting

Host data collection fails with certificate signed by unknown authority error Issue .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Resolve host data collection failures when asset validation fails due to a missing DigiCert CA certificate on the agent host. This issue occurs when the certificate used to validate assets cannot be verified against the host operating system's trust store.

Symptoms .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } The check result shows the following error:

"error getting assets for check: couldn't verify asset (skipped fetching certificates and retrying): Could not determine a valid CA signed certificate to verify signature, aborting Asset signature verification"

Agent logs show the following errors:

[x509: certificate signed by unknown authority] [certificate] certificate validation failed

[certificate validation failed: x509: certificate signed by unknown authority] Certificate validation failed for C:\ProgramData\ServiceNow\agent-client-collector\config\cert\servicenow\SNCertificate_2025.cer

Release .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } All supported releases

Cause .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Asset validation fails because the certificate chain is not trusted by the agent.

The certificate used to validate the asset is located in the agent's config\cert folder:

C:\ProgramData\ServiceNow\agent-client-collector\config\cert\servicenow\SNCertificate_2025.cer

ServiceNow's code signing certificate is signed by DigiCert, a public certificate authority. The agent checks the certificate chain against the host operating system's trust store.

An example error from agent logs:

2025-05-07T13:22:32.89 [ERROR] [asset-manager] [certificate validation failed: x509: certificate signed by unknown authority] Certificate validation failed for C:\ProgramData\ServiceNow\agent-client-collector\config\cert\servicenow\SNCertificate_2025.cer &#13; 2025-05-07T13:22:32.89 [DEBUG] [agent] [certificate] Validating the certificate [C:\ProgramData\ServiceNow\agent-client-collector\config\cert\servicenow\SNCertificate_2028.cer] against the trust store &#13;

This error indicates the DigiCert root CA is not trusted.

Windows includes DigiCert root certificates by default. However, if the affected machine has automated CA updates disabled through group policy ("Turn off Automatic Root Certificates Update"), the root certificate required for validation may not be present.

Resolution .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Enable the group policy for Automatic Root Certificate Update. If this must be disabled due to security policies, import the DigiCert CA certificate into the affected machines using one of the following methods.

Download the certificate 1. Download DigiCert Trusted Root G4 from the certificate authority's website: https://cacerts.digicert.com/DigiCertTrustedRootG4.crt

2. Import the CA certificate into the Windows Trusted Root Certification Authorities certificate store using one of the following methods.

Method 1: Distribute using group policy (automated)

Use group policy to distribute the CA certificate to multiple machines automatically. For detailed instructions, see Distribute Certificates to Client Computers by Using Group Policy .

Note : This document is written for distributing an ADFS certificate, but the same steps apply to distribute DigiCertTrustedRootG4.crt.

Method 2: GUI method (manual)

This method requires an administrator to perform these steps on each machine:

Right-click the DigiCertTrustedRootG4.crt file and select Install Certificate . Set the store location to Local Machine and select Next . Select Place all certificates in the following store and use the Browse button to select Trusted Root Certification Authorities , and then select Next . Select Finish to complete the import. An "Import is successful" message appears.

Method 3: Command line method (can be automated)

This method can be performed on each affected machine or automated through scripting:

Place the certificate file in an accessible location, for example: C:\DigiCertTrustedRootG4.crt Open PowerShell as an administrator. Right-click, and select Open as Administrator. Run the following command to import the certificate. Modify the path to DigiCertTrustedRootG4.crt as needed: Import-Certificate -FilePath "C:\DigiCertTrustedRootG4.cer" -CertStoreLocation cert:\\LocalMachine\Root

Related Links .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } How Asset Validation Works