Sometimes after adding certificates to Trusted Keys and Certificates in Symantec Encryption Management Server, the certificates aren't included in the installer for Symantec Encryption Desktop.
Typically this happens because the client was not downloaded again after the certificate was added. The client needs to be downloaded again after the certificates have been added to Trusted Certificates and Keys. These certificates are included only in the installer and are not downloaded later via a policy update.
If you have downloaded the client again and still get the invalid certificate prompt (see example below) after install, the following solutions may help.
From an SSH session to the Symantec Encryption Management Server, run the following command after ensuring all Root and Intermediate certificates have been imported into Trusted Keys:
pgpsysconf --apache
This rebuilds the client package so that the installer again includes the proper certificates.
Note: For information on how to configure SSH access for Symantec Encryption Management Server, see TECH149673.
Tools required:
Orca - Included in the development SDK for Windows 7.
Steps to prepare the certificate for adding to the MSI file:
Import into MSI file using Orca:
Now use the new installer to install Symantec Encryption Desktop. After installation you should not see the Invalid Certificate prompt.
The following location should contain a PGPtrustedcerts.asc file:
NOTE: For more information on other options to suppress the Invalid Certificate warning during client enrollments, please see TECH149211.