During the Encryption Desktop client enrollment and during any subsequent connections between the client and the Encryption Management Server, a pop-up alert regarding an Invalid Server Certificate is observed.
If "Allow" or "Deny" is selected for the alert, the alert will continue to be displayed on subsequent connections. If "Always Allow for This Site" is selected, only new enrollments will trigger the invalid certificate warning.
Symantec Encryption Desktop 10.4 and above.
Symantec Encryption Management Server 3.4 and above.
The client does not trust the certificate chain presented by Encryption Management Server.
Aside from clicking on "Always allow", there are several other options available so that end users are not presented with the invalid certificate alert:
Option 1 - Import the certificates in the certificate chain used by Encryption Management Server into the "Trusted Root Certification Authorities" and/or "Intermediate Certification Authorities" store of the Windows Certificate Store on each client. Please see article TECH200530 for more information on this method, particularly on how to accomplish this using Windows Group Policy. This method is the most straightforward and reliable, particularly if the Encryption Management Server certificate has expired and been renewed. It is vital that, before installing a server certificate in Encryption Management Server, the root and any intermediate certificates in the chain are imported into Encryption Management Server through the Keys / Trusted Keys menu of the administration console. This applies whether a third-party Certificate Authority or an internal Certificate Authority issued the server certificate. If an internal Certificate Authority issued the server certificate, the root and intermediate certificates are likely to have been added to each client machine's Windows Certificate Store already.
Option 2 - When the Encryption Desktop installation package (*.msi file) is downloaded from Encryption Management Server, the list of trusted certificates is automatically built into the package and included in a file called PGPtrustedcerts.asc. Therefore, upgrading clients with this package prevents the certificate warning from appearing. However, under certain circumstances the PGPtrustedcerts.asc file may not be included in the *.msi file. Please see article TECH149211 for further details.
Option 3 - Copy a PGPtrustedcerts.asc file that contains the correct certificate chain from one client to all other clients. The correct folder is "%ProgramData%\PGP Corporation\PGP".
Option 4 - Manually include the PGPtrustedcerts.asc file in the downloaded *.msi file. For more information on this method, please see article TECH190946.
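As an added example (not part of the original article or of the Symantec products), the following PowerShell function lets an administrator check from a Windows client whether the chain presented by Encryption Management Server is trusted by that client's Windows Certificate Store (Option 1) and whether a PGPtrustedcerts.asc file is present in the folder named in Option 3. The server name ems.example.com and port 443 are assumptions; substitute your own values.

```powershell
# Added example, not code from the original article. Verifies from a client machine
# whether the server certificate chain is trusted locally, without accepting or
# overriding anything: the TLS handshake is only used to retrieve the certificate.
function Test-EmsCertificateChain {
    param(
        [Parameter(Mandatory)] [string] $ServerName,   # assumption: your EMS host name
        [int] $Port = 443                              # assumption: HTTPS port of EMS
    )

    # Accept every certificate for the handshake itself so the chain can be inspected
    # afterwards with the local store; this callback performs no trust decision.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors) $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ServerName)
        # Copy the leaf certificate before the stream is closed.
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }

    # Build the chain the way the client does: only roots and intermediates already in
    # the Windows Certificate Store count. Revocation is skipped so a revocation lookup
    # failure does not mask a missing root or intermediate certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($leaf)

    [pscustomobject]@{
        Server           = "$ServerName`:$Port"
        Subject          = $leaf.Subject
        Issuer           = $leaf.Issuer
        NotAfter         = $leaf.NotAfter
        ChainTrusted     = $trusted
        # Empty when trusted; otherwise e.g. UntrustedRoot, PartialChain, NotTimeValid
        ChainStatus      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        ChainElements    = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        TrustedCertsFile = Test-Path (Join-Path $env:ProgramData 'PGP Corporation\PGP\PGPtrustedcerts.asc')
    }
}

Test-EmsCertificateChain -ServerName 'ems.example.com' | Format-List
```

A result of ChainTrusted = False with UntrustedRoot or PartialChain in ChainStatus indicates which certificate from the chain still has to be imported on the client (Option 1) or carried in PGPtrustedcerts.asc (Options 2 to 4).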
It is good practice to prevent clients from connecting to a server that presents an untrusted certificate and to not allow the user to override the warning. This mitigates the risk of an attack that involves one of the following:
DNS being hijacked to point Encryption Desktop to a malicious host.
Proxy settings being hijacked to point Encryption Desktop to a malicious host.
The local hosts file on the client being updated to point Encryption Desktop to a malicious host.
The Windows registry on the client being updated to point Encryption Desktop to a malicious host.
To ensure that Encryption Desktop does not connect to a server with an untrusted certificate, you can set a preference called treatUntrustedConnectionAsOffline in the user's policy. With this preference enabled, clients will not connect to a server presenting an untrusted certificate; the user is not warned and therefore is not given the option to override the warning. Note that a warning is written to the Encryption Desktop log file instead.
To update the treatUntrustedConnectionAsOffline policy preference do the following from the Encryption Management Server admin console:
1. Click on Consumers / Consumer Policy.
2. Click on the name of the policy you wish to change.
3. Click on the Edit button in the General section.
4. Click on the Edit Preferences button in the Edit XML Preferences section.
5. Ensure the radio button next to the Set option is enabled (this is the default).
6. In the Pref Name text box, enter the following: treatUntrustedConnectionAsOffline
7. Ensure the type is set to Boolean (this is the default).
8. In the Value text box, enter the following: true
9. Click the Save button.
10. Click the Cancel button to return to the previous page.
11. Click the Save button to save the policy.
To reverse this change, repeat the above steps, but in step 8 set the Value to false.
Imported Document ID: TECH149211