Sometimes after adding certificates to Trusted Keys and Certificates in Symantec Encryption Management Server, the certificates aren't included in the installer for Symantec Encryption Desktop.

Typically the reason for this is the client is not re-downloaded after the certificate is added.  The client needs to be downloaded again after the certificates have been added to Trusted Certificates and Keys. These Certificates are only included in the installer, and are not downloaded later via a policy update.

If after downloading the client again and you are still getting the invalid certificate prompt (see example below) after install, the following solutions may help.

From an SSH session to the Symantec Encryption Management Server, run the following Command after ensuring all Root and Intermediate certificates have been imported into Trusted Keys:

pgpsysconf --apache

This will build in the appropriate certificates to the client package again with the proper certificates in the installer.

Note: For information on how to configure SSH access for Symantec Encryption Management Server, see TECH149673.

Tools required:
Orca - Included in the development SDK for Windows 7.

Steps to prepare the certificate for adding to the MSI file:

1. On Symantec Encryption Management Server, go to Keys > Trusted Keys.
2. Click on the certificate that was added (usually the intermediate CA or root CA certificate)
3. Click Export and save the .asc file.
4. Repeat this step for additional certificates.
5. Open each ASC file with notepad.exe, combine each of the certificates into a single text file.
6. Save this file as allcerts.asc for use in the steps following for importing them into Orca.

Import into MSI file using Orca:

• Run Orca
• Select: File > Open...
• Locate your MSI installer file (PGPDesktop_en-US.msi) and select it
• Click Open
• Locate the following -  Tables: Property,  Property: PGPtrustedcerts

• Open the allcerts.asc file created earlier
• Select Edit, Select All  (Ctrl + A)
• Select Edit, Copy  (Ctrl + C)
• Right click on the Value (Default is Default PGP Trusted Certs), select Paste Cell.

• After the certificate is pasted into the cell, it should look like this:

• Select File, Save as... and save your msi with a new name, PGPDesktop_modified.msi (or whatever name you would like to use).

Now use the new installer to install Symantec Encryption Desktop.  After installation you should not see the Invalid Certificate prompt.

The following location should contain a PGPtrustedcerts.asc file:

• Windows XP:  C:\Documents and Settings\All Users\Application Data\PGP Corporation\PGP
• Windows Vista/Windows 7: C:\Users\All Users\PGP Corporation\PGP