When importing a certificate exception into Symantec Endpoint Protection Manager (SEPM), you receive an error that the certificate is not valid.  SEPM 14.0 RU1 and newer has the ability to make exclusions based on a file’s certificate, for example, the digital certificate that the file was signed with.

This functionality can be found at SEPM > Policies > Exceptions > Edit the policy > Exceptions > Add > Windows Exceptions > Certificate

Note: You can only add a certificate exception in SEPM if it is unenrolled from the cloud portal. If SEPM is enrolled, use the cloud portal to add or manage a certificate exception.

Error: "Cannot read this certificate file, please choose a valid certificate"

Using an older certificate template that does not support latest operating systems that are being used in the environment.  SEPM is looking for a certificate with newer formatting.  Issue will also occur if the subject of the certificate does not contain the Common Name (CN).

Customers have resolved this issue by creating a certificate from a newer certificate template that supports latest operating systems that are being used in the environment.

For more information about certificate templates, see Microsoft article: Administering Certificate Templates

Verify CN is present in the subject of the certificate.