During the Symantec Encryption Desktop client enrollment and during any subsequent connections between the client and the Symantec Encryption Management Server, a pop-up alert regarding an Invalid Server Certificate is observed.
If "Allow" or "Deny" is selected for the alert, the alert will continue to be displayed on subsequent connections. If "Always Allow for This Site" is selected, only new enrollments will trigger the invalid certificate warning.
Upon connection during (silent) enrollment, the Universal Server identifies itself to the PGP Desktop client with an untrusted certificate.
Aside from clicking on "Always allow" during the certificate alert, there are several other options available so that end users are not presented with the invalid certificate alert:
Option 1 - Import the SSL certificate of Symantec Encryption Management Server into the "Trusted Root Authorities" of the Microsoft Certificate Store. See article TECH200530 for more information on this method.
Option 2 - If an Internal Certificate Authority is being used for the environment, a Certificate Signing Request for Symantec Encryption Management Server can be generated. Once the CSR process is completed, the certificate can then be assigned to the network interface in order to prevent the invalid cert alert from displaying. Due to the certificate chain model, the client will then transitively trust Symantec Encryption Management Server, as the trusted Internal Root CA is already trusted locally or within GPO. Ensure that both the Root and Intermediate CA certificates are imported into the list of Trusted Keys on Symantec Encryption Management Server before assigning the certificate to the network interface, so that the complete certificate chain is built and presented to the client. Once these certificates are in Trusted Keys, under the System\Network page, click "Save".
Alternatively, if the certificate is already assigned, or the chain isn't being built, but the Intermediate and Root certificates are now listed in Trusted Keys, running the following command via SSH will build the certificate chain properly on Symantec Encryption Management Server:
Note: For information on how to configure SSH access for SEMS, see TECH149673.
Option 3 - When downloading the SED installation package (.msi) from Symantec Encryption Management Server, the list of trusted certificates is automatically built into the client and included in a file called "PGPtrustedcerts.asc". If a self-signed certificate is being used and is acceptable within the security policy, it is possible to suppress the warning by building the self-signed certificate into the client installation package. To disable the Invalid Certificate alert, the Symantec Encryption Management Server certificate (from System\Network\Certificates) can be imported into the list of Trusted Keys. Once this is done, run the following command, and create a new SED client (from Consumers\Group Policy):
Option 4 - It is also possible to build the certificate into the PGPtrustedcerts.asc file, and then subsequently deploy it to other clients.
To do this, use the following steps:
- Login to the Symantec Encryption Management Server administrative interface.
- Click the System card and select the Network tab.
- Click the Certificates button.
- Select the name of the certificate that you want to trust. The Certificate Info for the certificate is displayed.
- Click the Export... button. The Export Certificate dialog screen appears.
- To export the public key portion of the certificate, select Export Public Key.
- Click Export.
- At the prompt, click Save.
- Specify a name and location to save the file, then click Save.
- Copy and paste the exported .pem file to a system with SED installed.
- Double-click the .pem file and select Import.
- Open SED and locate the imported key in PGP Keys.
- Right-click the key and select Export...
- Save the file as PGPtrustedcerts.asc.
The certificate is now ready to distribute to the other managed clients.
- Copy the file PGPtrustedcerts.asc to the following folder for your operating system:
Windows XP: C:\Documents and Settings\All Users\Application Data\PGP Corporation\PGP
Windows Vista/Windows 7: C:\Program Data\PGP Corporation
After importing the certificate, the Invalid Certificate Alert will no longer be displayed.
Option 5 - Manually include the PGPtrustedcerts.asc file in the .msi file (after the client installer has been created on SEMS). For more information on this method, please see KB TECH190946.
Mac OS X System Behavior with Self-Signed Certificate Suppression and Symantec Encryption Management Server:
Historically, the functionality of Option 4 above was never part of the SED client for Mac OS X: even after importing the self-signed certificate and re-downloading the client, the certificate warning would continue to display.
Starting with Symantec Encryption Desktop 10.3 for Mac OS X, this certificate warning for self-signed certificates is suppressed after following Option 4 above. Once the self-signed certificate is exported from System > Network > Certificates on Symantec Enterprise Management Server (formerly known as PGP Universal Server) and imported into Trusted Keys, and the Mac OS X customized client is re-downloaded from Symantec Encryption Management Server, the Invalid Certificate Alert should now be suppressed.