During the Encryption Desktop client enrollment and during any subsequent connections between the client and the Encryption Management Server, a pop-up alert regarding an Invalid Server Certificate is observed:
If "Allow" or "Deny" is selected for the alert, the alert will continue to be displayed on subsequent connections. If "Always Allow for This Site" is selected, only new enrollments will trigger the invalid certificate warning.
The client does not trust the certificate chain presented by Encryption Management Server.
Aside from clicking on "Always allow", there are several other options available so that end users are not presented with the invalid certificate alert:
Option 1 - Import the certificates in the certificate chain used by Encryption Management Server to the "Trusted Root Certification Authorities" and/or "Intermediate Certification Authorities" of the Windows Certificate Store of each client. Please see article TECH200530 for more information on this method, particularly on how to accomplish this using Windows Group Policy. This method is the most straightforward and reliable, particularly if the Encryption Management Server certificate has expired and been renewed. It is vital that before installing a server certificate in Encryption Management Server, the root and any intermediate certificates in the chain are imported to Encryption Management Server through the Keys / Trusted Keys menu of the administration console. This applies whether a third party Certificate Authority or an internal Certificate Authority has issued the server certificate. If an internal Certificate Authority issued the server certificate, it is likely that the root and intermediate certificates would already have been added to each client machine's Windows Certificate Store.
Option 2 - When downloading the Encryption Desktop installation package (*.msi file) from Encryption Management Server, the list of trusted certificates is automatically built into the package and included in a file called PGPtrustedcerts.asc. Therefore upgrading clients will prevent the certificate warning from appearing. However, under certain circumstances the PGPtrustedcerts.asc file may not be included in the *.msi file. Please see article TECH149211 for further details.
Option 3 - Copy a PGPtrustedcerts.asc file that contains the correct certificate chain from one client to all clients. The correct folder is
Option 4 - Manually include the PGPtrustedcerts.asc file in the downloaded *.msi file. For more information on this method, please see article TECH190946.
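Before choosing one of the options above, it helps to confirm from a client which certificate in the chain the Windows Certificate Store actually rejects. The following PowerShell script is an added example and is not part of this article or the product; the server name ems.example.com and port 443 are placeholders that you would replace with your own Encryption Management Server details.

```powershell
# Added example (not from the article): retrieve the certificate that an
# Encryption Management Server presents and validate it against this client's
# Windows Certificate Store, reporting the status of each chain element.
param(
    [string]$ServerHost = "ems.example.com",   # placeholder, use your server's FQDN
    [int]$Port = 443                           # assumed port, adjust if different
)

$tcp = New-Object System.Net.Sockets.TcpClient($ServerHost, $Port)
try {
    # Accept any certificate at the TLS layer so that the chain can be
    # inspected here rather than rejected before it is seen.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($ServerHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose()
} finally {
    $tcp.Close()
}

# Build the chain exactly as Windows would for this user; revocation is skipped
# so that only trust and chain completeness are reported.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($leaf)

"Server certificate: $($leaf.Subject) (valid until $($leaf.NotAfter))"
foreach ($element in $chain.ChainElements) {
    if ($element.ChainElementStatus.Count -eq 0) {
        $status = "OK"
    } else {
        $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ", "
    }
    "  $($element.Certificate.Subject) -> $status"
}

if ($trusted) {
    "Chain is trusted by this client's Windows Certificate Store."
} else {
    "Chain is NOT trusted; the element status above shows which certificate to import."
}
```

An UntrustedRoot status on the last element means the root certificate is missing from Trusted Root Certification Authorities (Option 1), while a PartialChain status usually means an intermediate certificate is neither sent by the server nor present in Intermediate Certification Authorities, which is the case the Keys / Trusted Keys import on the server is meant to prevent.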
It is good practice to prevent clients from connecting to a server with an untrusted certificate and to not allow the user to override the warning. This mitigates the possibility of an attack that involves one of the following:
To ensure that Encryption Desktop does not connect to a server with an untrusted certificate, you can update a preference called treatUntrustedConnectionAsOffline in the user's policy. With this policy enabled, clients will not connect to a server with an untrusted certificate, and because the user is not warned, they are never given the option to override the warning. Note that a warning is still written to the Encryption Desktop log file.
To update the treatUntrustedConnectionAsOffline policy preference, do the following from the Encryption Management Server admin console:
Boolean (this is the default).
To reverse this change, repeat the above steps but in step 8 set the value to