This article describes the impact of a new, invalid, or expired SSL certificate with PGP Desktop.
Does changing a SSL certificate on the PGP Universal Server impact the enrollment of PGP Desktop clients?
Yes. PGP Desktop customized client installers are downloaded with a pre-configured list of certificates based on the certificates on the Organization > Trusted Keys page of the PGP Universal Server. Changing a SSL/TLS certificate on the server can affect the interaction between the PGP Desktop client and the server during enrollment.
After the custom PGP Desktop client installer is downloaded from the server, if a new certificate is manually uploaded to the PGP Universal Server on the Organization > Trusted Keys page, the PGP Desktop client will display a warning that the certificate is invalid. This occurs due to the installer not having the new certificate associated with the installation file.
NOTE: If the new certificate has the same certificate chain as the old certificate, the PGP Desktop client should not see the warning as that certificate chain is already trusted. Unless they previously used Always Allow to accept the PGP Universal certificate, which would be due to a lack of the Root and Intermediate CA certificates on the client.
Does an expired SSL certificate on the PGP Universal Server have an impact on PGP Desktop clients?
Yes. New PGP Desktop clients can still be enrolled with PGP Universal Server, but the certificate warning dialog will appear requiring Allow or Always Allow to proceed. Existing clients will receive the certificate warning any time secure communication occurs with the server, such as during a policy update or key search. Again, Allow or Always Allow is required to proceed.
Does a self-signed certificate affect PGP Desktop clients?
Yes. During enrollment, a PGP Desktop pop-up is displayed indicating the certificate is invalid. The certificate must be trusted individually by PGP Desktop.
If PGP Desktop has trusted a self-signed certificate, what happens if the self-signed certificate is replaced with a new self-signed certificate?
An invalid certificate warning is displayed due to the new certificate replacing the old certificate. The new self-signed certificate must be trusted individually by PGP Desktop.