Authentication certificate not valid pop-up displayed when connecting to Encryption Management Server

Article ID: 153347

Products: Drive Encryption, Encryption Management Server

Issue/Introduction

During Encryption Desktop client enrollment, and during any subsequent connection between the client and Encryption Management Server, a pop-up alert reporting an invalid server certificate is displayed:

[Screenshot: Certificate alert]

If "Allow" or "Deny" is selected, the alert is shown again on every subsequent connection. If "Always Allow for This Site" is selected, the alert is suppressed for that client and only a new enrollment will trigger the invalid certificate warning again.

Cause

Potential Cause 1: The client does not trust the certificate chain presented by Encryption Management Server.

Potential Cause 2: If you use an internal CA to sign the CSR generated by Symantec Encryption Management Server and have not distributed trust for that CA to all clients, the client will still produce the pop-up. Even adding the root certificate to "Trusted Root Certification Authorities" on the client may not be enough: if your domain policy requires it, you may need to trust the signing CA explicitly through GPO before the pop-up goes away.

Resolution

Aside from clicking "Always allow", there are several other options available so that end users are not presented with the invalid certificate alert:

Important Note: Symantec Encryption Desktop 10.5 had an issue where none of the options below worked. This has been resolved in SED 10.5 MP2. Symantec Enterprise Support recommends upgrading to that release or later before working through this issue.

Option 1 - Import the certificates in the certificate chain used by Encryption Management Server to the "Trusted Root Certification Authorities" and/or "Intermediate Certification Authorities" of the Windows Certificate Store of each client.

It is vital that, before installing a server certificate in Symantec Encryption Management Server, the root and any intermediate certificates in the chain are imported into the SEMS Trusted Keys menu (Keys / Trusted Keys) of the administration console. This applies whether a third-party Certificate Authority or an internal Certificate Authority issued the server certificate. If an internal Certificate Authority issued the server certificate, the root and intermediate certificates have most likely already been added to each client machine's Windows Certificate Store.

TIP 1: Identify the root and intermediate certificates actually used to sign the server certificate, note their thumbprints (fingerprints), and confirm that certificates with those thumbprints are present in Trusted Keys before you build the client package. The package then carries every certificate the client needs to validate the chain.

TIP 2: Confirm that the same root and intermediate certificates are trusted by your domain GPO. Consult your AD domain administrator to verify this is configured properly.
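The following POSIX shell script is an added example, not code from the article or from Symantec. It uses openssl to reproduce the check the client performs in Potential Cause 1 and Tip 1: it builds a throw-away root / intermediate / server chain, prints the SHA-1 thumbprints you would compare against Keys / Trusted Keys and the Windows certificate store (hex, no colons), and then shows that validation fails both when the root is not trusted and when the root is trusted but the intermediate is never presented. The CA names and the hostname sems.example.internal are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original article): build a throw-away three-level
# chain (root CA -> intermediate CA -> server certificate) with openssl, then show
# how trust succeeds or fails depending on which parts of the chain the client
# holds, and print the SHA-1 thumbprints to compare with the Trusted Keys list.
# The CA names and the hostname sems.example.internal are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a key pair and CSR for the given subject (EC P-256 for speed).
new_csr() {                     # $1 = file stem, $2 = subject CN
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

build_chain() {
    # Root CA: self-signed and explicitly marked as a CA via the extension file.
    new_csr root "Example Internal Root CA"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null

    # Intermediate (issuing) CA: signed by the root, also marked as a CA.
    new_csr int "Example Internal Issuing CA"
    openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null

    # Server certificate for Encryption Management Server: signed by the intermediate.
    new_csr server "sems.example.internal"
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:sems.example.internal\n' \
        > "$WORK/server.ext"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
        -CAcreateserial -days 365 -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# SHA-1 thumbprint in the form the Windows certificate store shows it
# (uppercase hex, no colons), so it can be compared against Keys / Trusted Keys.
thumbprint() {                  # $1 = certificate file
    openssl x509 -noout -fingerprint -sha1 -in "$1" | sed 's/.*=//; s/://g'
}

# Validate the server certificate the way a client would. $1 is the file of
# trust anchors the client holds ("" = none); $2 is the intermediate the server
# presents alongside its own certificate ("" = none). The system CA stores are
# ignored so that only these two inputs decide the result. Prints TRUSTED or UNTRUSTED.
verify_server_cert() {
    trust=$1; inter=$2
    set -- -no-CAfile -no-CApath
    if [ -n "$trust" ]; then set -- "$@" -CAfile "$trust"; fi
    if [ -n "$inter" ]; then set -- "$@" -untrusted "$inter"; fi
    if openssl verify "$@" "$WORK/server.crt" >/dev/null 2>&1; then
        echo TRUSTED
    else
        echo UNTRUSTED
    fi
}

build_chain
echo "root thumbprint:         $(thumbprint "$WORK/root.crt")"
echo "intermediate thumbprint: $(thumbprint "$WORK/int.crt")"
# Client trusts the root and the server sends its intermediate: no pop-up.
echo "root trusted, intermediate sent:    $(verify_server_cert "$WORK/root.crt" "$WORK/int.crt")"
# Client trusts nothing in the chain (Potential Cause 1): pop-up.
echo "nothing trusted, intermediate sent: $(verify_server_cert "" "$WORK/int.crt")"
# Client trusts the root but never sees the intermediate: still a pop-up, which
# is why the intermediate must also be in Trusted Keys / the client store.
echo "root trusted, intermediate missing: $(verify_server_cert "$WORK/root.crt" "")"
```

To check a real deployment instead of the generated chain, save the certificate the Encryption Management Server presents as server.crt, pass the CA certificates you expect clients to trust as the first argument and the intermediate(s) the server sends as the second; a result of UNTRUSTED corresponds to the pop-up described above.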

Option 2 - Copy the PGPtrustedcerts.asc file that contains the correct certificate chain from one client to all other clients. The file lives in "%ProgramData%\PGP Corporation\PGP".

TIP: Import this file into a standalone SED client first, where you can manually confirm that the certificates contained in PGPtrustedcerts.asc are the correct, expected ones before distributing it.


Option 3 - When the Encryption Desktop installation package (*.msi file) is downloaded from Encryption Management Server, the list of trusted certificates is automatically built into the package in a file called PGPtrustedcerts.asc. Upgrading clients with a package downloaded after the chain was added to Trusted Keys therefore prevents the certificate warning from appearing. However, under certain circumstances the PGPtrustedcerts.asc file may not be included in the *.msi file. Please see the following article for further details:

172547 - Missing PGPtrustedcerts.asc file in Encryption Desktop client installer


Option 4 - Manually include the PGPtrustedcerts.asc file in the downloaded *.msi file. For more information on this method, please see the following article:

156600 - Manually add PGPtrustedcerts.asc to the Symantec Encryption Desktop installer (MSI) using Orca

NOTE: All of the previous options are preferred over this one; use it only if absolutely necessary.

Additional Information

EPG-23661

It is a good idea to get the certificates configured properly so that the invalid certificate warning does not appear. Symantec Enterprise Division recommends this over telling users to click "Always allow", because that trains users to click Allow on future invalid-certificate pop-ups, and such a pop-up could be the only sign that a client is connecting to a server impersonating Encryption Management Server.

To ensure that Encryption Desktop never connects to a server presenting an untrusted certificate, you can set a preference called treatUntrustedConnectionAsOffline in the user's policy. With this preference enabled, clients do not connect to a server whose certificate is untrusted, and the user is not warned, so there is no option to override. A warning is written to the Encryption Desktop log file instead.

To update the treatUntrustedConnectionAsOffline policy preference do the following from the Encryption Management Server admin console:

  1. Click on Consumers / Consumer Policy.
  2. Click on the name of the policy you wish to change.
  3. Click on the Edit button from the General section.
  4. Click on the Edit Preferences button from the Edit XML Preferences section.
  5. Ensure the radio button next to the Set option is enabled (this is the default).
  6. In the Pref Name text box add the following: treatUntrustedConnectionAsOffline
  7. Ensure the type is set to Boolean (this is the default).
  8. In the Value text box add the following: true
  9. Click the Save button.
  10. Click the Cancel button to return to the previous page.
  11. Click the Save button to save the policy.

To reverse this change, repeat the above steps but in step 8 set the value to false.

172547 - Missing PGPtrustedcerts.asc file in Encryption Desktop client installer

156600 - Manually add PGPtrustedcerts.asc to the Symantec Encryption Desktop installer (MSI) using Orca

157432 - Encryption Desktop prompts user that the server certificate is not valid