After renewing SMP internet gateway certificate, clients are not able to connect
Article ID: 172180

Products

IT Management Suite

Issue/Introduction

After renewing the Symantec Internet Gateway certificate by following the documentation step by step, clients are not able to communicate, and the following error is logged:

Certificate Verification: Error (20): unable to get local issuer certificate

Environment

ITMS 8.1 RU7, 8.x

Cause

The message is somewhat misleading in this situation. Although the error is logged on the clients, the actual problem was that the Internet Gateway was missing the correct trust-chain certificate needed to validate the client-side certificate.

The new Agent CA certificate on the Internet Gateway (IGW), located at "Program Files\Symantec\SMP Internet Gateway\Apache\certs", was not updated because CRL parsing had hung (a known issue), which also prevented the IGW user interface from loading server information.

Note:
With the 8.5 release and later this path is no longer accurate. Look at:
"Program Files\Symantec\SMP Internet Gateway\certs"
"Program Files\Symantec\SMP Internet Gateway\crl"

Resolution

As a workaround, remove the CRL from the SMP server after exporting it as a backup, then remove the Notification Server from IGW and re-add it.

  • Open an mmc console and add the Certificates snap-in for "Computer account".
  • Browse to "Trusted Root Certification Authorities", "Certificate Revocation List", export the SMP CA CRL as a backup, then remove it from there.
  • Repeat the same for "Intermediate Certification Authorities", "Certificate Revocation List", if applicable.
  • On the SMP Internet Gateway server, stop the "Symantec Management Platform Internet Gateway" service and close the IGW user interface.
  • Browse to "Program Files\Symantec\SMP Internet Gateway\Apache\certs\crl" and delete the CRL files.
    Note:
    With the 8.5 release this path is no longer accurate. Look at:
    "Program Files\Symantec\SMP Internet Gateway\certs"
    "Program Files\Symantec\SMP Internet Gateway\crl"
  • Open the IGW user interface, then remove and re-add the Notification Server. (A refresh alone might be sufficient, but re-adding is the cautious step.)
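As an added example (not from the original article or from Symantec), the script below reproduces the "Error (20): unable to get local issuer certificate" condition with OpenSSL and shows the check a practitioner can run against the Agent CA file the gateway actually holds: a client certificate issued by the renewed CA fails to chain to a stale CA file and succeeds against the renewed one. It assumes the openssl CLI is available; all CA names, keys and files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not Symantec's code): demonstrate OpenSSL verify error 20.
# Requires the openssl CLI. All names, keys and paths below are constructed.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Create a self-signed CA: $1 = file prefix, $2 = CN
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Issue a leaf (client) certificate signed by CA "$1" with CN "$2"
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 2 -out "$2.pem" >/dev/null 2>&1
}

# verify_chain CA_FILE LEAF_FILE -> prints "ok" or "<code> <openssl reason>"
verify_chain() {
    if out="$(openssl verify -CAfile "$1" "$2" 2>&1)"; then
        echo ok
    else
        echo "$out" \
          | sed -n 's/.*error \([0-9]*\) at [0-9]* depth lookup: *\(.*\)/\1 \2/p' \
          | head -n 1
    fi
}

make_ca old_agent_ca "Old Agent CA"   # CA file left behind on the gateway
make_ca new_agent_ca "New Agent CA"   # CA after the renewal
make_leaf new_agent_ca client         # client cert issued by the renewed CA

# Stale CA file on the gateway: the client cert cannot be chained to it
RESULT_STALE="$(verify_chain old_agent_ca.pem client.pem)"
# Renewed CA file on the gateway: verification succeeds
RESULT_FRESH="$(verify_chain new_agent_ca.pem client.pem)"

echo "stale CA:   $RESULT_STALE"
echo "renewed CA: $RESULT_FRESH"

cd / && rm -rf "$WORK"
```

On a real gateway the same `openssl verify -CAfile <Agent CA file> <client cert>` call, run against the certs directory for your release, tells you whether the CA file was actually replaced.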