Manually add PGPtrustedcerts.asc to the Symantec Encryption Desktop installer (MSI) using Orca

Article ID: 156600

Products

Desktop Email Encryption, Drive Encryption

Issue/Introduction

Sometimes after adding certificates to Trusted Keys and Certificates in Symantec Encryption Management Server, the certificates aren't included in the installer for Symantec Encryption Desktop.

Typically this happens because the client was not downloaded again after the certificate was added. The client needs to be downloaded again after the certificates have been added to Trusted Certificates and Keys. These certificates are only included in the installer and are not downloaded later via a policy update.

If you have downloaded the client again and still get the invalid certificate prompt (see example below) after install, the following solutions may help.

Resolution

From an SSH session to the Symantec Encryption Management Server, run the following command after ensuring all root and intermediate certificates have been imported into Trusted Keys:

pgpsysconf --apache

This rebuilds the client package so that the installer includes the proper certificates.

Note: For information on how to configure SSH access for Symantec Encryption Management Server, see TECH149673.

 

Tools required:
Orca - Included in the development SDK for Windows 7.

Steps to prepare the certificate for adding to the MSI file:

  1. On Symantec Encryption Management Server, go to Keys > Trusted Keys.
  2. Click on the certificate that was added (usually the intermediate CA or root CA certificate).
  3. Click Export and save the .asc file.
  4. Repeat this step for additional certificates.
  5. Open each ASC file with notepad.exe and combine all of the certificates into a single text file.
  6. Save this file as allcerts.asc for use in the following steps, which import it into the MSI using Orca.
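
Steps 5 and 6 can also be scripted. The following is an added example, not part of the original article or of Symantec's tooling: it merges the exported .asc files into allcerts.asc, rejects truncated blocks and drops certificates that were exported twice. The script name, the sample data and the PGP PUBLIC KEY BLOCK armor label are assumptions; the code accepts any armor label.

```python
import hashlib
import re
import sys
from pathlib import Path

# Any ASCII-armored block: -----BEGIN <label>----- ... -----END <label>-----
ARMOR_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.DOTALL)

# Constructed sample exports (placeholder data, not real certificates).
SAMPLE_ROOT = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nQUFBQQ==\n"
               "-----END PGP PUBLIC KEY BLOCK-----\n")
SAMPLE_INTERMEDIATE = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\r\n\r\nQkJCQg==\r\n"
                       "-----END PGP PUBLIC KEY BLOCK-----\r\n")

def extract_blocks(text):
    """Return each complete armored block; reject a BEGIN without its END."""
    blocks = [m.group(0).replace("\r\n", "\n") for m in ARMOR_RE.finditer(text)]
    if len(blocks) != text.count("-----BEGIN "):
        raise ValueError("truncated or malformed armored block")
    return blocks

def combine(exports):
    """Merge exported .asc texts into one allcerts.asc body without duplicates."""
    seen, merged = set(), []
    for text in exports:
        blocks = extract_blocks(text)
        if not blocks:
            raise ValueError("input contains no armored block")
        for block in blocks:
            digest = hashlib.sha256(block.encode("ascii")).hexdigest()
            if digest not in seen:  # same certificate exported twice
                seen.add(digest)
                merged.append(block)
    # CRLF line endings, matching a text file saved on Windows
    return "\n".join(merged).replace("\n", "\r\n") + "\r\n"

if __name__ == "__main__":
    # Usage (hypothetical script name): python combine_certs.py root.asc intermediate.asc
    paths = sys.argv[1:]
    if paths:
        combined = combine([Path(p).read_text(encoding="ascii") for p in paths])
        Path("allcerts.asc").write_bytes(combined.encode("ascii"))
    else:  # no arguments: run on the constructed samples without writing a file
        combined = combine([SAMPLE_ROOT, SAMPLE_INTERMEDIATE, SAMPLE_ROOT])
    print(f"{combined.count('-----BEGIN ')} block(s), {len(combined)} characters")
```

The printed character count is the size of the value that will be pasted into the PGPtrustedcerts cell in Orca.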

Import into MSI file using Orca:

  • Run Orca
  • Select: File > Open...
  • Locate your MSI installer file (PGPDesktop_en-US.msi) and select it
  • Click Open
  • Locate the following - Tables: Property, Property: PGPtrustedcerts
  • Open the allcerts.asc file created earlier
  • Select Edit, Select All (Ctrl + A)
  • Select Edit, Copy (Ctrl + C)
  • Right-click on the Value (Default is Default PGP Trusted Certs), select Paste Cell.

  • After the certificate is pasted into the cell, it should look like this:

  • Select File, Save as... and save your MSI with a new name, PGPDesktop_modified.msi (or whatever name you would like to use).

Now use the new installer to install Symantec Encryption Desktop. After installation you should not see the Invalid Certificate prompt.

The following location should contain a PGPtrustedcerts.asc file:

  • Windows XP: C:\Documents and Settings\All Users\Application Data\PGP Corporation\PGP
  • Windows Vista/Windows 7: C:\Users\All Users\PGP Corporation\PGP

NOTE: For more information on other options to suppress the Invalid Certificate warning during client enrollments, please see TECH149211.

Additional Information

172547 - Missing PGPtrustedcerts.asc file in Encryption Desktop client installer (String too long)

157432 - Encryption Desktop prompts user that the server certificate is not valid

153347 - Authentication certificate not valid pop-up displayed when connecting to Encryption Management Server
