The Internet Gateway is generating the following error messages every time that the gateway service restarts after adding a new certificate:

Certificate file loading failed: F:\Program Files\Symantec\SMP Internet Gateway\certs\server.pfx, ex:Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The specified network password is not correct
   at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(Byte[] rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
   at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(Byte[] rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
   at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(String fileName, SecureString password, X509KeyStorageFlags keyStorageFlags)
   at InternetGtwMngrCore.Certificates.Certificate.get_X509()
-----------------------------------------------------------------------------------------------------
Date: 8/31/2020 12:07:42 PM, Tick Count: 0 (00:00:00), Size: 967 B
Process: InternetGateway (4352), Thread ID: 4, Module: InternetGateway.exe
Priority: 1, Source:

Cannot start server because certificate is not present
-----------------------------------------------------------------------------------------------------
Date: 8/31/2020 12:07:42 PM, Tick Count: 0 (00:00:00), Size: 282 B
Process: InternetGateway (4352), Thread ID: 4, Module: InternetGateway.exe
Priority: 1, Source: 

ITMS 8.5

Unknown. Possibly corruption of the certificate or issues with the local machine that can't decrypt the certificate password.

Note: If the new certificate is a CNG type of certificate, we don't support it if it is a pre-8.6 RU2 environment. Support for CNG certificates was added in 8.6 RU2 release. Hence it is By Design that you cannot use CNG type of certificates on an Internet Gateway pre-8.6 RU2.

Try a new certificate by replacing the existing one with a different one.

Note: Changing the certificate for your Internet Gateway will assign a new thumbprint that needs to be added to your gateway policy in the SMP Console. If it is the only Internet Gateway on your environment, it can cause that your CEM clients can't connect again until their gateway policy is updated with the new thumbprint.

The replacement process should be something like this:

1. In the Symantec Management Platform Internet Gateway Manager, click Change.

2. In the Import Certificate dialog box, specify the location of the certificate file, enter the certificate password, and then click OK.

   You will be prompted to restart the gateway services. Click Yes.

3. Copy the new Thumbprint that is created.

4. In the Symantec Management Console, do the following:

   • On the Settings menu, click Notification Server > Cloud-enabled Management.

   • In the left pane, expand Policy, and then click Cloud-enabled Management Settings.

   • On the Cloud-enabled Management Settings policy page, under Gateways accepting external agent traffic, select the Internet gateway that you want to edit, and then on the toolbar click the Edit icon.

   • In the Edit Gateway Server dialog box, paste the new thumbprint, and click OK.

   • Under, Applied to, apply the edited Cloud-enabled Management Settings policy to the client computers that you want.

   • Click Save changes.

   • The client machines will get the thumbprint change next time that they request a new configuration. As well the client machines will get automatically an updated "Internet gateway agent certificate" with reference to the new thumbprint.

Note: For pre-8.6 RU2 customers, the workaround is to use other than CNG certificates format if they can't upgrade to 8.6 RU2 or later.