PGP Encryption Desktop prompts user that the server certificate is not valid
Article ID: 157432

Products

Encryption Management Server

Issue/Introduction

During client enrollment of PGP Encryption Desktop, and during any subsequent connections between the client and the PGP Encryption Server, you receive an Alert regarding an Invalid Server Certificate.

If "Allow" or "Deny" is clicked on the certificate pop-up, the alert is displayed again on the next connection. If "Always Allow" is selected, the alert is suppressed for normal connections but still appears on subsequent enrollment requests.

Ideally the invalid certificate warning should not be displayed at all, because an alert of this kind normally means something is wrong with the certificate. In this case the PGP Encryption Server generated the certificate itself and there is nothing wrong with it from a security standpoint; it is simply self-signed. Windows does not trust a self-signed certificate unless that certificate, which acts as its own root, has been imported into the Trusted Root Certification Authorities store.

Resolution

To have the self-signed certificate treated as valid, distribute it to the Trusted Root Certification Authorities store of every client through Group Policy, as follows:

Note: Steps may differ depending on the version of the Domain Controller, please consult the Microsoft documentation for steps related to versions that don't apply to these instructions.

1. Log in to the PGP Encryption Server administrative interface.

2. Click the System tab and select the Network tab.

3. Click the Certificates button.

4. Select the name of the certificate that you want to trust. The Certificate Info for the certificate is displayed.

5. Click the Export button. The Export Certificate dialog screen appears.

6. To export the public key portion of the certificate, select Export Public Key.

7. Click Export and when prompted click Save.

8. Specify a name and location to save the file, then click Save.

9. Log into the Domain Controller (DC) and open Group Policy Management (Start > Administrative Tools > Group Policy Management).

10. In the console tree, double-click Group Policy Objects in the forest and domain containing the Default Domain Policy Group Policy object (GPO) that you want to edit.

11. Right-click the Default Domain Policy GPO, and then click Edit.

12. In the Group Policy Management Console (GPMC), go to Computer Configuration > Policies > Windows Settings > Security Settings and then click Public Key Policies.

13. Right-click the Trusted Root Certification Authorities store, click Import, and follow the steps in the Certificate Import Wizard to import the certificate exported from the PGP Encryption Server.

14. Browse for the Certificate. Make sure to specify to choose All files (*.*) when looking for the certificate.

15. Run gpupdate on the client machines, or restart them, before enrolling users. Users who enroll after the policy has been applied will no longer see the invalid certificate alert.
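The following PowerShell script is an added example for verifying the procedure above on a test client; it is not code from this article or from the PGP product. It assumes the exported public key from steps 5-8 was saved as C:\Temp\pgp-server.crt, that the server is reached as pgpserver.example.com, and that it answers TLS on port 443; all three are hypothetical values to replace with your own. The script checks whether the exported certificate has arrived in the machine's Trusted Root store after gpupdate, and then asks Windows to build a chain for the certificate the server actually presents, which is the same trust decision the client is making when it shows the alert.

```powershell
# Added example; not code from the Broadcom/Symantec article or from the PGP product.
# Assumptions (hypothetical values, adjust to your environment):
#   $certFile   - file saved in steps 5-8 (the server's exported public key / certificate)
#   $serverHost - hostname PGP Encryption Desktop uses for enrollment and later connections
#   port 443    - TLS port the server listens on
# Run from an elevated PowerShell prompt on a domain-joined test client.

$certFile   = 'C:\Temp\pgp-server.crt'
$serverHost = 'pgpserver.example.com'

# Load the exported certificate so it can be looked up by thumbprint.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile

function Test-RootStoreHasCertificate {
    # True when the certificate is present in the machine's Trusted Root Certification
    # Authorities store, which is the store the GPO in steps 9-14 populates.
    param([string]$Thumbprint)
    return [bool](Get-ChildItem Cert:\LocalMachine\Root |
                  Where-Object { $_.Thumbprint -eq $Thumbprint })
}

function Test-PgpServerTrust {
    # Connects to the server, takes the certificate it actually presents, and asks
    # Windows to build a chain for it. For a self-signed certificate the chain is one
    # element long and succeeds only if that same certificate is in a Root store.
    param([string]$HostName, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept anything during the handshake: the verdict comes from X509Chain below,
        # not from this callback, so the presented certificate can be inspected either way.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # A self-signed certificate has no CRL/OCSP endpoint; the question here is trust
        # anchoring, so skip revocation rather than fail on a missing revocation source.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($remote)

        [pscustomobject]@{
            Subject     = $remote.Subject
            Thumbprint  = $remote.Thumbprint
            Trusted     = $trusted
            ChainErrors = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        }
    }
    finally {
        $tcp.Close()
    }
}

# Before the fix: expect Trusted = False with an untrusted-root chain status.
Test-PgpServerTrust -HostName $serverHost | Format-List

# Apply the policy (or reboot, as in step 15) and confirm the root arrived via GPO.
gpupdate /force | Out-Null
if (-not (Test-RootStoreHasCertificate -Thumbprint $exported.Thumbprint)) {
    Write-Warning 'Exported certificate is not in Cert:\LocalMachine\Root; check the GPO link and scope.'
}

# After the fix: Trusted = True and no chain errors. The Thumbprint reported here must
# equal $exported.Thumbprint; if it differs, the file exported in steps 5-8 is not the
# certificate the server is presenting, and importing it will not clear the alert.
Test-PgpServerTrust -HostName $serverHost | Format-List
```

The chain check only answers whether the certificate is anchored in a trusted store. If Trusted comes back True after the policy is applied but the client still alerts, compare the Subject printed above with the hostname clients use to reach the server, since a name mismatch is a separate check from trust and is not fixed by importing the root.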


Additional Information

180143 - HOW TO: Work with Trusted Keys and Certificates on Symantec Encryption Management Server (PGP Server)

270245 - Certificate Warning after upgrading to PGP Server 10.5.1 MP2 or above stating the certificate is untrusted

172547 - Missing PGPtrustedcerts.asc file in Encryption Desktop client installer (String too long)

153347 - Authentication certificate not valid pop-up displayed when connecting to Encryption Management Server

157432 - PGP Desktop prompts user that the server certificate is not valid (Symantec Encryption Desktop)