
Invisible Silent Enrollment failing due to expired Organization Certificate


Article ID: 156815




Desktop Email Encryption, Drive Encryption




Invisible Silent Enrollment uses a file called orgkey.asc as part of the validation/authentication process that invisibly enrolls a user. When the Org Key is downloaded from the PGP Universal Server, it contains the Organization Certificate. If any keys are expired, Invisible Silent Enrollment can fail.


There are two options for resolving the issue. Choose Option A or B, depending on the scenario:

Option A: Delete the Org Cert (not the Org Key) and re-download the PGP Desktop client. The orgkey.asc file is included in the download; it is not a dynamic file and will not be updated automatically.

Note: If S/MIME encryption is not being used, this is a viable option, as the Org Cert is only used for S/MIME encryption.

Option B: Create a new Org Cert, re-download the PGP Desktop client, and deploy this client to systems instead.

Next steps (after choosing Option A or B):

1. Download the public portion of the Org Key from PGP Universal Server, rename it to orgkey.asc, and place this file in the appropriate directory for Invisible Silent Enrollment:

%allusersprofile%\PGP Corporation\PGP

2. Exit PGP Services

3. Delete the PGPpref.xml and PGPpolicy.xml files from %appdata%\PGP Corporation\PGP

The next time the user logs in, Invisible Silent Enrollment will complete successfully.
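The three steps above can be scripted with a few safety checks. The following PowerShell is an added example, not vendor-supplied code. It assumes it runs in the affected user's session with write access to the all-users directory, and that the process behind "Exit PGP Services" is named PGPtray (an assumption; adjust the parameter if your client differs).

```powershell
# Added example (not vendor code): steps 1-3 with basic safety checks.
param(
    [Parameter(Mandatory)][string]$DownloadedOrgKey,  # Org Key file exported from the server
    [string]$TrayProcess = 'PGPtray'                  # assumption: process that "Exit PGP Services" stops
)
$ErrorActionPreference = 'Stop'

$enrollDir = Join-Path $env:ALLUSERSPROFILE 'PGP Corporation\PGP'
$prefDir   = Join-Path $env:APPDATA 'PGP Corporation\PGP'
$target    = Join-Path $enrollDir 'orgkey.asc'

# Step 1: accept only an ASCII-armored public key; never deploy private key material.
$armor = Get-Content -LiteralPath $DownloadedOrgKey -Raw
if ($armor -match 'BEGIN PGP PRIVATE KEY BLOCK') {
    throw "Refusing to deploy: $DownloadedOrgKey contains a private key block."
}
if ($armor -notmatch '-----BEGIN PGP PUBLIC KEY BLOCK-----') {
    throw "$DownloadedOrgKey is not an ASCII-armored PGP public key."
}
if (-not (Test-Path -LiteralPath $enrollDir)) {
    throw "Enrollment directory not found: $enrollDir"
}
if (Test-Path -LiteralPath $target) {
    # Keep the old file so the change can be reverted.
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    Copy-Item -LiteralPath $target -Destination "$target.$stamp.bak"
}
Copy-Item -LiteralPath $DownloadedOrgKey -Destination $target -Force
Write-Output ("orgkey.asc SHA256: " + (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash)

# Step 2: this script does not kill the client; it only checks that it was exited.
if (Get-Process -Name $TrayProcess -ErrorAction SilentlyContinue) {
    throw "PGP is still running. Use 'Exit PGP Services', then re-run."
}

# Step 3: remove the cached preference and policy files for this user.
foreach ($name in 'PGPpref.xml', 'PGPpolicy.xml') {
    $file = Join-Path $prefDir $name
    if (Test-Path -LiteralPath $file) {
        Remove-Item -LiteralPath $file -Force
        Write-Output "Deleted $file"
    } else {
        Write-Output "Not present: $file"
    }
}
```

The printed SHA256 can be compared against the hash of the file exported from the server to confirm that the deployed orgkey.asc is the intended one.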

Applies To

PGP Desktop

Symantec Encryption Desktop (previously PGP Desktop)