Authentication certificate not valid pop-up displayed when connecting to the PGP Encryption Server

Article ID: 153347

Products: Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, Policy Based Encryption, Desktop Email Encryption

Issue/Introduction

During PGP Encryption Desktop client enrollment, and during any subsequent connection between the client and the PGP Encryption Server, a pop-up alert stating that the server certificate is invalid ("Authentication certificate not valid") is observed.
If "Allow" or "Deny" is selected for the alert, the alert will continue to be displayed on subsequent connections. If "Always Allow for This Site" is selected, only new enrollments will trigger the invalid certificate warning.
Cause

Potential Cause 1: The client does not trust the certificate chain presented by the PGP Encryption Server.

Potential Cause 2: If you are using an internal CA to sign the CSR from the PGP Encryption Server and have not trusted the root certificate globally, the client can still produce the pop-up. Adding the root to "Trusted Root Certification Authorities" may not be enough: if your domain policy requires it, you may also need to trust the certificate signer specifically in your GPO before the pop-up goes away.

Resolution

Aside from clicking on "Always allow", there are several other options available so that end users are not presented with the invalid certificate alert:

Important Note: PGP Encryption Desktop 10.5 had an issue where none of the options below would work. This has been resolved in PGP Encryption Desktop 10.5 MP2, so Symantec Enterprise Support recommends upgrading to at least that release before applying the options below.
Option 1 - Import the certificates in the certificate chain used by the PGP Encryption Server to the "Trusted Root Certification Authorities" and/or "Intermediate Certification Authorities" of the Windows Certificate Store of each client.

It is vital that before installing a server certificate in the PGP Encryption Server, the root and any intermediate certificates in the chain are imported to the SEMS Trusted Keys (Keys / Trusted Keys) menu of the administration console. This applies whether a third party Certificate Authority or an internal Certificate Authority has issued the server certificate. If an internal Certificate Authority issued the server certificate, it is likely that the root and intermediate certificates would already have been added to each client machine's Windows Certificate Store.

TIP 1: Check the root and intermediate certificates in use, note their thumbprints/fingerprints, and make sure those certificates are included in Trusted Keys before you build the client package. This ensures that any certificates you add are included in the package.

TIP 2: Check the root and intermediate certificates in use and make sure they are trusted by your domain GPO. Consult your AD Domain Admin to verify that this is configured properly.
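As an added example (not code from this article or from the PGP product), the PowerShell function below, run on an affected Windows client, retrieves the chain the PGP Encryption Server presents, builds it with CryptoAPI the way the client does, and reports each link's thumbprint and whether it is present in the machine's Root or Intermediate store; this checks Potential Cause 1 directly and yields the thumbprints TIP 1 asks you to note. The server name, port 443 and the placeholder hostname are assumptions.

```powershell
# Added example, not the article's or product's own code. Assumes the PGP
# Encryption Server answers HTTPS on $Port (default 443) and that this runs
# on the client that shows the pop-up.
function Test-PgpServerChain {
    param(
        [Parameter(Mandatory)] [string] $ServerName,   # FQDN the clients enroll against
        [int] $Port = 443
    )

    # Fetch the leaf certificate. The callback returns $true so the handshake
    # completes even for an untrusted chain; trust is evaluated separately below.
    $tcp = [System.Net.Sockets.TcpClient]::new($ServerName, $Port)
    $ssl = $null
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ServerName)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }

    # Build the chain with CryptoAPI; only trust is in question here, not revocation.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($leaf)

    # Machine stores are where GPO-deployed roots and intermediates land.
    $rootThumbs = (Get-ChildItem Cert:\LocalMachine\Root).Thumbprint
    $caThumbs   = (Get-ChildItem Cert:\LocalMachine\CA).Thumbprint   # "Intermediate Certification Authorities"

    $report = foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        $role = if ($cert.Thumbprint -eq $leaf.Thumbprint) { 'Leaf' }
                elseif ($cert.Subject -eq $cert.Issuer)    { 'Root' }
                else                                       { 'Intermediate' }
        $inStore = if ($role -eq 'Root') { $rootThumbs -contains $cert.Thumbprint }
                   elseif ($role -eq 'Intermediate') { $caThumbs -contains $cert.Thumbprint }
                   else { $null }
        [pscustomobject]@{
            Role         = $role
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint   # compare with Keys / Trusted Keys on the server
            NotAfter     = $cert.NotAfter
            InLocalStore = $inStore
        }
    }
    # Any status other than NoError (e.g. UntrustedRoot, PartialChain) explains the pop-up.
    $status = if ($chain.ChainStatus.Count -eq 0) { 'NoError' }
              else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }
    Write-Host ("Chain trusted: {0}; status: {1}" -f $chainOk, $status)
    $chain.Dispose()
    return $report
}

Test-PgpServerChain -ServerName 'keys.example.com' | Format-Table -AutoSize   # placeholder hostname
```

A row with InLocalStore False for the Root or an Intermediate, together with an UntrustedRoot or PartialChain status, is the condition Option 1 fixes.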
Option 2 - Copy the PGPtrustedcerts.asc file that contains the correct certificate chain from one client to all clients. The correct folder is "%ProgramData%\PGP Corporation\PGP".

TIP: Import this file into a standalone PGP Encryption Desktop client, where you can manually validate that the certificates contained in PGPtrustedcerts.asc are the correct/expected certificates.


Option 3 - When the PGP Encryption Desktop installation package (*.msi file) is downloaded from the PGP Encryption Server, the list of trusted certificates is automatically built into the package in a file called PGPtrustedcerts.asc. Therefore, upgrading clients with such a package prevents the certificate warning from appearing. However, under certain circumstances the PGPtrustedcerts.asc file may not be included in the *.msi file. Please see the following article for further details:

172547 - Missing PGPtrustedcerts.asc file in PGP Encryption Desktop client installer


Option 4 - Manually include the PGPtrustedcerts.asc file in the downloaded *.msi file. For more information on this method, please see the following article:

156600 - Manually add PGPtrustedcerts.asc to the PGP Encryption Desktop installer (MSI) using Orca

NOTE: All the previous options are recommended over this one; try it only if absolutely necessary.
Additional Information

EPG-23661

It is a good idea to get the certificates configured properly so the invalid cert warning does not appear.  Symantec does not recommend telling users to click "always allow" as this could train the user into clicking allow on future "invalid cert" popups, which could appear due to malicious intent.

To ensure that PGP Encryption Desktop does not connect to an untrusted server certificate, you can update a preference called treatUntrustedConnectionAsOffline in the user's policy. With this policy enabled, clients will not connect to an untrusted server certificate and the user will not be warned so they will not be given the option to override the warning. Note that a warning will be written to the PGP Encryption Desktop log file.

To update the treatUntrustedConnectionAsOffline policy preference, do the following from the PGP Encryption Server admin console:

  1. Click on Consumers / Consumer Policy.
  2. Click on the name of the policy you wish to change.
  3. Click on the Edit button from the General section.
  4. Click on the Edit Preferences button from the Edit XML Preferences section.
  5. Ensure the radio button next to the Set option is enabled (this is the default).
  6. In the Pref Name text box add the following: treatUntrustedConnectionAsOffline
  7. Ensure the type is set to Boolean (this is the default).
  8. In the Value text box add the following: true
  9. Click the Save button.
  10. Click the Cancel button to return to the previous page.
  11. Click the Save button to save the policy.

To reverse this change, repeat the above steps but in step 8 set the value to false.

180143 - HOW TO: Work with Trusted Keys and Certificates on Symantec Encryption Management Server (PGP Server)

270245 - Certificate Warning after upgrading to PGP Server 10.5.1 MP2 or above stating the certificate is untrusted

172547 - Missing PGPtrustedcerts.asc file in Encryption Desktop client installer

153347 - Authentication certificate not valid pop-up displayed when connecting to Encryption Management Server

157432 - PGP Desktop prompts user that the server certificate is not valid (Symantec Encryption Desktop)