After renewing Symantec Internet Gateway certificate following documentation step by step, clients are not able to communicate with the error:
Certificate Verification: Error (20): unable to get local issuer certificate
Certificate Verification: Error (20): unable to get local issuer certificate
ITMS 8.1 RU7, 8.x
The message is a little misleading in this situation. While the error is logged on clients, it was the Internet Gateway missing the correct trust chain certificate to validate clients side certificate.
The new Agent CA certificate on Internet Gateway (IGW) located at "Program Files\Symantec\SMP Internet Gateway\Apache\certs" was not updated because of the CRL parsing was hanged (known issue), in which IGW user interface was not loading servers information.
Note:
With 8.5 Release and later this path is not longer accurate. Take a look at:
"Program Files\Symantec\SMP Internet Gateway\certs"
"Program Files\Symantec\SMP Internet Gateway\crl"
As a workaround, remove the CRL from SMP server after exporting it as a backup, then remove the notification server from IGW, then re-add it.