During the Encryption Desktop client enrollment and during any subsequent connections between the client and the Encryption Management Server, a pop-up alert regarding an Invalid Server Certificate is observed:
If "Allow" or "Deny" is selected for the alert, the alert will continue to be displayed on subsequent connections. If "Always Allow for This Site" is selected, only new enrollments will trigger the invalid certificate warning.
The alert appears because the client does not trust the certificate chain presented by Encryption Management Server.
Aside from clicking on "Always allow", there are several other options available so that end users are not presented with the invalid certificate alert:
Option 1 - Import the certificates in the certificate chain used by Encryption Management Server into the "Trusted Root Certification Authorities" and/or "Intermediate Certification Authorities" stores of the Windows Certificate Store on each client. See article TECH200530 for more information on this method, particularly on how to accomplish it using Group Policy. This method is the most straightforward and reliable, particularly if the Encryption Management Server certificate has expired and been renewed. It is vital that, before installing a server certificate in Encryption Management Server, the root and any intermediate certificates in the chain are imported into Encryption Management Server through the Keys / Trusted Keys menu of the administration console. This applies whether a third-party or an internal Certificate Authority issued the server certificate. If an internal Certificate Authority is used, it is highly likely that all clients already have the root and intermediate certificates in their Windows Certificate Store.
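As an added example (not from the original article and not Symantec tooling), the following PowerShell script carries out Option 1 on a single client and then checks the result the same way the client does: it builds the chain for the server certificate against the LocalMachine store and reports why the chain fails if it does. The certificate file paths are assumptions; the script is intended for testing on one machine before the certificates are deployed through Group Policy as described in TECH200530.

```powershell
# Added example: trust the Encryption Management Server chain on one client
# and confirm the server certificate now validates. Paths are hypothetical.
param(
    [string]  $RootCert          = 'C:\Certs\internal-root.cer',
    [string[]]$IntermediateCerts = @('C:\Certs\internal-issuing.cer'),
    [string]  $ServerCert        = 'C:\Certs\ems-server.cer'
)

# LocalMachine stores are modified, so an elevated prompt is required.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell prompt.'
}
foreach ($p in @($RootCert, $ServerCert) + $IntermediateCerts) {
    if (-not (Test-Path $p)) { throw "Certificate file not found: $p" }
}

# 1. Root -> Trusted Root Certification Authorities (store name "Root"),
#    intermediates -> Intermediate Certification Authorities (store name "CA").
#    certutil is used because it is present on XP/Vista/7 as well as newer releases.
& certutil.exe -addstore -f Root $RootCert | Out-Null
foreach ($ca in $IntermediateCerts) {
    & certutil.exe -addstore -f CA $ca | Out-Null
}

# 2. Rebuild the chain for the server certificate against the local store.
#    Revocation checking is disabled here so that the result reflects trust
#    in the chain only; re-enable it to test the client's full behaviour.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ServerCert)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationTime = Get-Date

if ($chain.Build($cert)) {
    Write-Host "Chain for '$($cert.Subject)' validates against the LocalMachine store."
    $chain.ChainElements | ForEach-Object { Write-Host ("  " + $_.Certificate.Subject) }
} else {
    # Typical statuses here: UntrustedRoot (root not imported), PartialChain
    # (intermediate missing), NotTimeValid (certificate expired or not yet valid).
    Write-Warning "Chain for '$($cert.Subject)' does not validate:"
    $chain.ChainStatus | ForEach-Object {
        Write-Warning ("  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim())
    }
    exit 1
}
```

If the build fails with NotTimeValid after the server certificate has been renewed, the client is still holding the old chain and Option 2 or Option 3 is the quicker fix.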
Option 2 - When the Encryption Desktop installation package (*.msi file) is downloaded from Encryption Management Server, the list of trusted certificates is automatically built into the package in a file called "PGPtrustedcerts.asc". Therefore, upgrading clients with a freshly downloaded package prevents the certificate warning from appearing.
Option 3 - Copy a PGPtrustedcerts.asc file that contains the correct certificate chain from one client to all other clients. The file is located in the following folder:
Windows Vista/Windows 7: C:\Program Data\PGP Corporation
Windows XP: C:\Documents and Settings\All Users\Application Data\PGP Corporation\PGP
Option 5 - Manually include the PGPtrustedcerts.asc file in the .msi file after the client installer has been created on Encryption Management Server. For more information on this method, please see TECH190946.