The PGP Server has its own keystore in which Root and Intermediate Certificates are stored so that it can validate the S/MIME and TLS certificates it encounters during normal encryption operations. This keystore is called Trusted Keys, and it contains all the Root and Intermediate Certificates the server knows about. Each update of the PGP Server attempts to include newly issued CA certificates, but some Root or Intermediate Certificates may still be missing. When the Root or Intermediate Certificate that issued a TLS certificate is missing and you try to assign that TLS certificate to the PGP Server, a proper "chain" file cannot be built.
Chain files ensure that trust is properly established for the certificate used by the network interface. In older versions, the TLS certificate could be assigned to the NIC even when the Root/Intermediate Certificates were not present, which could lead to errors in the PGP Desktop client or in browsers. Once the chain is built, these trust issues go away, but if the chain could not be built at assignment time, the Root and Intermediate Certificates need to be imported into the Trusted Keys list manually.
Starting with PGP Server version 10.5.1 MP2, new functionality checks whether the required certificates exist in Trusted Keys and whether the "Chain File" could be built for the TLS certificate currently assigned to the NIC. The same check runs when you attempt to assign a TLS certificate to the NIC. If the Root/Intermediate Certificates are not present in Trusted Keys, the following error is displayed after the update to alert you to this condition:
"The currently assigned SSL/TLS certificate(s) on the network interface 1, Interface 2 is not trusted. Ensure a valid certificate chain is available on the Trusted Keys page."
This article walks through how this process works starting with 10.5.1 MP2, including the messages the new functionality displays.
The reason is that before a proper ".chain" file can be created, the Root Certificate and the Intermediate Certificate(s), if any apply, must be added to the Trusted Keys list. Once they are added, a chain can be built for the server certificate they issued. This gives the PGP Server, and the PGP Desktop clients that connect to it, full certificate validation.
This error could also appear if the Root and/or Intermediate Certs were removed from the Trusted Keys keystore after the PGP Server's TLS Certificate was assigned.
When you go to the System/Network tab, you will see the interfaces associated with the PGP Server.
In this example, there are two interfaces, "Interface 1" and "Interface 2", with their respective IP addresses and network details:
If you click the "Certificates" button and then the certificate that is currently assigned, you should see its issuer:
Although this certificate shows as "Certificate Installed", a proper certificate chain cannot be built for it (the Root and Intermediate Certificates are needed).
To fix this, follow these steps:
Step 1: Double-click the PGP Server's TLS certificate file (in .crt format) and open the "Certificate Path" tab:
Step 2: In the screenshot below, the highlighted cert is called the "Root Certificate".
The middle cert is the "Intermediate Certificate":
Step 3: Click the Root Certificate, then click Details, and click Thumbprint to show the thumbprint of the certificate. Make a note of it so you can compare it in Trusted Keys after you import the certificate:
Step 4: Now click "Copy to File..." to export the Root Certificate, and name it "rootCA":
Do the same with the Intermediate Cert if applicable.
Step 5: Once you have exported both certificates, go to Keys, Trusted Keys, scroll to the bottom, and click "Add...".
Import both the Root and Intermediate Certificates, then try to assign your new certificate to the PGP Server.
If you try to assign a new certificate and receive the following message, you need to import the Root CA and Intermediate Certificates associated with the PGP Server's certificate:
"The SSL/TLS certificate cannot be added or assigned due to the following reasons:"
Step 6: Once you assign the new certificate, click Save. This builds the chain file needed for proper certificate validation.
The following message will appear:
Step 7: Now check the Dashboard of the PGP Server; the message should be gone.
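The two checks behind the steps above, which certificates must be on the Trusted Keys page before a chain can be built, and how to compare thumbprints with what the Certificate Path tab shows, can be reproduced away from the server with the openssl CLI. The script below is an added example and is not part of this article or of the PGP Server product. It builds a throwaway root -> intermediate -> server PKI (the names "Example Root CA", "Example Intermediate CA" and "keys.example.com" are constructed for the example), uses a file trusted.pem to stand in for the Trusted Keys page, and shows that a chain builds only when both the root and the intermediate are present. The same thumbprint() and chain_builds() calls can be pointed at your real .crt file and at an export of your Trusted Keys.

```sh
#!/bin/sh
# Added example, not part of the original article or the PGP Server product.
# Reproduces with openssl the checks the server makes before it builds a
# .chain file: can the assigned TLS certificate be chained to what is in
# Trusted Keys, and do the thumbprints match the Certificate Path tab?
# All certificate names and the $WORK directory are constructed here.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Build the test PKI once: server cert signed by the intermediate, intermediate
# signed by the self-signed root, the shape shown in the Certificate Path tab.
make_test_pki() {
  if [ -f "$WORK/server.crt" ]; then return 0; fi
  cat > "$WORK/mini.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:keys.example.com\n' > "$WORK/server.ext"
  openssl req -config "$WORK/mini.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/rootCA.crt" >/dev/null 2>&1
  openssl req -config "$WORK/mini.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Intermediate CA" -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/rootCA.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/intermediate.crt" >/dev/null 2>&1
  openssl req -config "$WORK/mini.cnf" -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=keys.example.com" -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/intermediate.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/server.ext" -out "$WORK/server.crt" >/dev/null 2>&1
}

# The Windows Details tab shows the SHA-1 thumbprint in lower-case hex with no
# separators; emit the same form so a copied value can be compared as a string.
# For a PEM bundle, openssl x509 reads only the first certificate in the file.
thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# root = CA whose subject equals its issuer (self-signed), intermediate = any
# other CA, server = everything else. Subject/issuer equality is a proxy for a
# self-signature, good enough to decide what belongs on the Trusted Keys page.
cert_role() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
  if openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'; then
    if [ "$subj" = "$iss" ]; then echo root; else echo intermediate; fi
  else
    echo server
  fi
}

# The check made when the NIC certificate is saved: can the assigned cert ($1)
# be chained to the trusted bundle ($2) alone? -no-CApath keeps the system
# store out of the picture, as Trusted Keys is the only store the server uses.
chain_builds() {
  openssl verify -no-CApath -CAfile "$2" "$1" >/dev/null 2>&1
}

make_test_pki
# Trusted Keys with both the root and the intermediate imported.
cat "$WORK/rootCA.crt" "$WORK/intermediate.crt" > "$WORK/trusted.pem"

for f in rootCA.crt intermediate.crt server.crt; do
  printf '%-16s %-12s thumbprint=%s\n' "$f" "$(cert_role "$WORK/$f")" "$(thumbprint "$WORK/$f")"
done
# Only rootCA.crt, only intermediate.crt, then both: the chain builds only in the last case.
for trusted in rootCA.crt intermediate.crt trusted.pem; do
  if chain_builds "$WORK/server.crt" "$WORK/$trusted"; then
    echo "Trusted Keys = $trusted: chain builds, certificate is trusted"
  else
    echo "Trusted Keys = $trusted: chain cannot be built, import the missing root/intermediate"
  fi
done
```

Note that openssl verify is stricter here than a browser: a trust store holding only the intermediate is not enough, because partial chains are not accepted by default, which matches the article's requirement that both the Root and the Intermediate Certificate be present in Trusted Keys. The PGP Server's own check is a product feature; this script only models it.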
If the error message is still not gone, please reach out to Symantec Encryption Support for further guidance.