Encryption Desktop prompts user that the server certificate is not valid

book

Article ID: 157432

calendar_today

Updated On:

Products

Encryption Management Server

Issue/Introduction

During client enrollment of Symantec Encryption Desktop, and during any subsequent connections between the client and Symantec Encryption Management Server, you receive an Alert regarding an Invalid Server Certificate.

If "Allow" or "Deny" is clicked on the certificate pop-up, the alert will continue to be displayed. If "Always Allow" is selected, the alert will not be displayed except for subsequent enrollment requests.

It is ideal for the invalid certificate warnings to not be displayed, as this indicates there is something wrong with the certificate.  While Symantec Encryption Management Server creates the certificate, and there is nothing technically wrong with the certificate related to security, self-signed certificates are not inherently trusted by the Microsoft certificate model unless the certificate root is imported.
 

Resolution

In order to have the self-signed certificate be considered valid, the following steps can be used via GPO:

Note: Steps may differ depending on the version of the Domain Controller, please consult the Microsoft documentation for steps related to versions that don't apply to these instructions.

1. Log in to the Symantec Encryption Management Server administrative interface.

2. Click the System tab and select the Network tab.

3. Click the Certificates button.

4. Select the name of the certificate that you want to trust. The Certificate Info for the certificate is displayed.

5. Click the Export button. The Export Certificate dialog screen appears.

6. To export the public key portion of the certificate, select Export Public Key.

7. Click Export and when prompted click Save.

8. Specify a name and location to save the file, then click Save.

9. Log into the Domain Controller (DC) and open Group Policy Management (Start > Administrative Tools > Group Policy Management).

10. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.

11. Right-click the Default Domain Policy GPO, and then click Edit.

12. In the Group Policy Management Console (GPMC), go to Computer Configuration > Policies > Windows Settings > Security Settings  and then click Public Key Policies.

13. Right-click the Trusted Root Certification Authorities store and click Import and follow the steps in the Certificate Import Wizard to import the certificate that from Symantec Encryption Management Server.

14. Browse for the Certificate. Make sure to specify to choose All files (*.*) when looking for the certificate.

15. Run gpupdate on the client machines or restart the client machines before enrolling the users. New users will now not see the invalid certificate alert.

NOTE:  For more information on other options to suppress the Invalid Certificate warning during client enrollments, please see TECH149211.

Additional Information

172547 - Missing PGPtrustedcerts.asc file in Encryption Desktop client installer (String too long)

156600 - Manually add PGPtrustedcerts.asc to the Symantec Encryption Desktop installer (MSI) using Orca

153347 - Authentication certificate not valid pop-up displayed when connecting to Encryption Management Server