During PGP Encryption Desktop client enrollment, and during any subsequent connection between the client and the PGP Encryption Server, a pop-up alert regarding an Invalid Server Certificate is observed.
If "Allow" or "Deny" is selected for the alert, the alert will continue to be displayed on subsequent connections. If "Always Allow for This Site" is selected, only new enrollments will trigger the invalid certificate warning.
Potential Cause 1: The client does not trust the certificate chain presented by the PGP Encryption Server.
Potential Cause 2: If you are using an internal CA to sign your CSR from the PGP Encryption Server, and you have not trusted the Root certificate globally, the client can still produce a popup. Even if you add the root into your "Trusted Root Certification Authorities", this may not be enough. If your domain policy requires it, you may need to trust the certificate signer specifically in your GPO before the pop-up will go away.
Aside from clicking on "Always allow", there are several other options available so that end users are not presented with the invalid certificate alert:
Important Note: PGP Encryption Desktop 10.5 had an issue where none of the below options would work.
This issue is resolved in PGP Encryption Desktop 10.5 MP2, and Symantec Enterprise Support recommends upgrading to that release or later.
Option 1 - Import the certificates in the certificate chain used by the PGP Encryption Server to the "Trusted Root Certification Authorities" and/or "Intermediate Certification Authorities" of the Windows Certificate Store of each client.
It is vital that before installing a server certificate in the PGP Encryption Server, the root and any intermediate certificates in the chain are imported to the SEMS Trusted Keys (Keys / Trusted Keys) menu of the administration console. This applies whether a third party Certificate Authority or an internal Certificate Authority has issued the server certificate. If an internal Certificate Authority issued the server certificate, it is likely that the root and intermediate certificates would already have been added to each client machine's Windows Certificate Store.
TIP 1: Check the Root and Intermediate Certificates being used, make note of their Thumbprint/Fingerprint, and make sure those certificates are included in the Trusted Keys before you build the client package. This ensures that any additional certificates you have added are included in the package.
TIP 2: Check the Root and Intermediate Certificates being used and make sure they are trusted by your domain GPO. Consult your AD Domain Admin to verify this is configured properly.
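As an added example (not from the Symantec article), the following PowerShell script connects to the PGP Encryption Server, prints the thumbprint of each root and intermediate certificate in the chain the client can build from what the server presents (so they can be compared against the Trusted Keys list from TIP 1), and reports which of them are missing from the client's Trusted Root / Intermediate Certification Authorities stores; with -Import it adds the missing ones (Option 1). The hostname and port are placeholders, and the script assumes an elevated Windows PowerShell session with the PKI module's Import-Certificate cmdlet available.

```powershell
# Added example, not from the Symantec article. Inspect the certificate chain a
# PGP Encryption Server presents and compare it with the client's LocalMachine stores.
param(
    [string]$Server = 'pgpserver.example.com',  # placeholder, not from the article
    [int]$Port = 443,                           # placeholder; use the port clients enroll on
    [switch]$Import                             # import missing CA certs into LocalMachine stores
)

$script:chainCerts   = @()
$script:policyErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    # Record the chain Windows built (server-sent certs plus local stores) and the
    # policy verdict; return $true so the handshake completes and can be inspected.
    $script:chainCerts   = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $script:policyErrors = $errors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($Server)
} finally {
    $tcp.Close()
}

"Windows policy verdict for the presented chain: $script:policyErrors"
$installed = @(Get-ChildItem Cert:\LocalMachine\Root) + @(Get-ChildItem Cert:\LocalMachine\CA)

if ($script:chainCerts.Count -le 1) {
    'Only the leaf could be chained: the server sent no intermediate(s) and the client has none.'
}
# Element 0 is the server (leaf) certificate; the rest are intermediates and the root.
foreach ($c in ($script:chainCerts | Select-Object -Skip 1)) {
    $isRoot  = ($c.Subject -eq $c.Issuer)
    $kind    = if ($isRoot) { 'root' } else { 'intermediate' }
    $store   = if ($isRoot) { 'Root' } else { 'CA' }   # CA = "Intermediate Certification Authorities"
    $present = @($installed | Where-Object { $_.Thumbprint -eq $c.Thumbprint }).Count -gt 0
    $state   = if ($present) { 'trusted' } else { 'MISSING' }
    '{0,-12} {1,-8} {2}  {3}' -f $kind, $state, $c.Thumbprint, $c.Subject
    if ($Import -and -not $present) {
        $path = Join-Path $env:TEMP "$($c.Thumbprint).cer"
        [System.IO.File]::WriteAllBytes($path, $c.Export('Cert'))
        Import-Certificate -FilePath $path -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
        Remove-Item $path
        "  imported into Cert:\LocalMachine\$store"
    }
}
```

Any certificate reported as MISSING is one the Windows client cannot trust locally; importing it here covers the client store, but a domain GPO that restricts trusted signers (TIP 2) still applies.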
Option 2 - Copy the PGPtrustedcerts.asc file that contains the correct certificate chain from one client to all clients. The correct folder is "%ProgramData%\PGP Corporation\PGP".
TIP: Import this file to a standalone PGP Encryption Desktop client where you can manually validate that the certificates contained in PGPtrustedcerts.asc are the correct/expected certificates.
Option 3 - When downloading the PGP Encryption Desktop installation package (*.msi file) from the PGP Encryption Server, the list of trusted certificates is automatically built into the package and included in a file called PGPtrustedcerts.asc. Therefore, upgrading clients will prevent the certificate warning from appearing. However, under certain circumstances the PGPtrustedcerts.asc file may not be included in the *.msi file. Please see the following article for further details:
172547 - Missing PGPtrustedcerts.asc file in PGP Encryption Desktop client installer
NOTE: All the previous options are recommended over the following one, which should be tried only if absolutely necessary.
It is best to get the certificates configured properly so the invalid certificate warning does not appear. Symantec does not recommend telling users to click "Always allow", as this could train users to click "Allow" on future "invalid cert" pop-ups, which could appear due to malicious intent.
To ensure that PGP Encryption Desktop does not connect to a server with an untrusted certificate, you can update a preference called treatUntrustedConnectionAsOffline in the user's policy. With this preference enabled, clients will not connect to a server presenting an untrusted certificate, and the user is not warned, so they are not given the option to override the warning. Note that a warning is still written to the PGP Encryption Desktop log file.
To update the treatUntrustedConnectionAsOffline policy preference, do the following from the PGP Encryption Server admin console, adding the preference with these values:
Name: treatUntrustedConnectionAsOffline
Type: Boolean
Value: true (false is the default)
To reverse this change, repeat the above steps but in step 8 set the value to false.