PGP Alert - Invalid Server Certificate during Enrollment - How to suppress invalid certificate warnings for self-signed certificates
Article: TECH149211 | Created: 2008-09-26 | Updated: 2013-05-05 | Article URL: http://www.symantec.com/docs/TECH149211
During PGP Desktop client enrollment and during any subsequent connections between the client and the PGP Universal Server, you receive a PGP Alert regarding an Invalid Server Certificate.
If you choose Allow or Deny, the alert reappears on every subsequent connection. If you choose Always Allow for This Site, the PGP Alert is displayed only once.
Note: This article applies to PGP Desktop 9.x and 10.x running on Windows 2000, XP, Server 2003/2008, Windows Vista and Windows 7.
This also applies to Symantec Encryption Desktop 10.3 for Windows and Mac OS X.
During (silent) enrollment, the Universal Server identifies itself to the PGP Desktop client with a certificate the client does not trust, typically the server's own self-signed certificate. Note that Always Allow records a trust decision only on that one client, and it trusts whatever certificate was presented at that moment; before relying on it, confirm the certificate's fingerprint with the server administrator.
Apart from clicking Always Allow, there are four other ways to resolve this issue:
1 - Import the SSL certificate of the PGP Universal Server into the Trusted Root Certification Authorities store of the Microsoft Certificate Store. Alternatively, assign the Universal Server a server certificate issued by a CA that is already present in that store.
2 - When the PGP Desktop installation package (.msi) is downloaded from PGP Universal Server, the installer automatically trusts the certificate currently assigned to the server by including a file called PGPtrustedcerts.asc in the package. Certificates that have been added to the Trusted Keys section of PGP Universal Server should also be included in this file. However, this does not always work correctly; see option 4 below for the manual procedure.
3 - If you operate an internal certificate chain, your (probably internal) Root CA can issue, directly or through intermediate CAs, the certificate that is assigned to the PGP Universal Server's network interface. In that case make sure the PGP Desktop clients trust that Root CA, or the chain of intermediate CAs leading up to it. Because trust is transitive along the certificate chain, the client then trusts the Universal Server's certificate as well. Ensure that the intermediate CA and Root CA are both in the list of Trusted Keys on PGP Universal Server before assigning the certificate to the network interface. If you imported the intermediate and root CAs after assigning the certificate to the interface, temporarily assign "None" as the certificate, save the settings, then assign the correct certificate and save the settings again. This ensures that the complete certificate chain is generated and presented to the client.
4 - Add the server's certificate to the trusted certificates of PGP Desktop, which also disables the PGP Certificate alert.
To do this, use the following steps:
- Login to the PGP Universal Server administrative interface.
- Click the System card and select the Network tab.
- Click the Certificates button.
- Select the name of the certificate that you want to trust. The Certificate Info for the certificate is displayed.
- Click the Export... button. The Export Certificate dialog screen appears.
- To export the public key portion of the certificate, select Export Public Key.
- Click Export.
- At the prompt, click Save.
- Specify a name and location to save the file, then click Save.
- Copy the exported .pem file to a system with PGP Desktop installed.
- Double-click the .pem file and select Import.
- Open PGP Desktop and locate the imported key in PGP Keys.
- Right-click the key and select Export...
- Save the file as PGPtrustedcerts.asc.
The certificate is now ready to distribute to the other managed clients.
- Copy the file PGPtrustedcerts.asc to the following folder for your operating system:
Windows XP: C:\Documents and Settings\All Users\Application Data\PGP Corporation\PGP
Windows Vista/Windows 7: C:\ProgramData\PGP Corporation
After the certificate has been imported, the PGP Alert about an invalid certificate no longer appears.
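The following PowerShell script is an added example; it is not part of the original article or of the PGP/Symantec product. It covers the distribution step of option 4 for Windows clients and adds the check a practitioner would want before pushing trust to every managed client: that the exported certificate is byte-for-byte the one the PGP Universal Server actually presents over TLS, so a certificate that was swapped somewhere between export and distribution is caught. The file names server-cert.pem and PGPtrustedcerts.asc, the host name keys.example.com and TCP port 443 are assumptions, not values from the article; adjust them for your environment. The destination folder is resolved from the common application data folder so that the two paths listed above are produced on XP and on Vista/7 respectively.

```powershell
# Added example (not from the article): verify the exported PGP Universal Server
# certificate against the live server, then deploy PGPtrustedcerts.asc to the
# folder PGP Desktop reads it from. File names, host name and port are assumptions.

Set-StrictMode -Version 2
$ErrorActionPreference = 'Stop'

function Get-CertificateFingerprint {
    # SHA-256 over the DER encoding of the certificate, as colon-separated hex.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $hash   = $sha256.ComputeHash($Certificate.RawData)
    return ([System.BitConverter]::ToString($hash)) -replace '-', ':'
}

function Get-RemoteServerCertificate {
    # Open a TLS connection and capture the leaf certificate the server presents.
    # Validation is bypassed on purpose: the aim is to read the certificate, not to
    # trust it. The byte-for-byte comparison below is the real check.
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($sender, $certificate, $chain, $sslPolicyErrors)
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

function Test-ExportedCertificateMatchesServer {
    # Compare the .pem exported from System > Network > Certificates with what the
    # server presents. The X509Certificate2 constructor accepts Base64 (PEM) files.
    param([string]$PemPath, [string]$HostName, [int]$Port = 443)
    $exported   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PemPath)
    $live       = Get-RemoteServerCertificate -HostName $HostName -Port $Port
    $exportedFp = Get-CertificateFingerprint $exported
    $liveFp     = Get-CertificateFingerprint $live
    Write-Host "Exported : $($exported.Subject)  SHA256=$exportedFp"
    Write-Host "Presented: $($live.Subject)  SHA256=$liveFp"
    return ($exportedFp -eq $liveFp)
}

function Get-PgpTrustedCertsFolder {
    # Both locations in the article hang off the common application data folder:
    #   XP:       C:\Documents and Settings\All Users\Application Data\PGP Corporation\PGP
    #   Vista/7:  C:\ProgramData\PGP Corporation
    # Resolve that folder from the environment rather than hard-coding a drive letter.
    $common = [System.Environment]::GetFolderPath('CommonApplicationData')
    if ([System.Environment]::OSVersion.Version.Major -ge 6) {
        return Join-Path $common 'PGP Corporation'
    }
    return Join-Path $common 'PGP Corporation\PGP'
}

function Install-PgpTrustedCerts {
    # Copy the PGPtrustedcerts.asc exported from PGP Keys into place (needs admin rights).
    param([string]$AscPath)
    $folder = Get-PgpTrustedCertsFolder
    if (-not (Test-Path $folder)) {
        New-Item -ItemType Directory -Path $folder | Out-Null
    }
    $target = Join-Path $folder 'PGPtrustedcerts.asc'
    Copy-Item -Path $AscPath -Destination $target -Force
    return $target
}

# --- Example run; host name and file names are assumptions ---
$server = 'keys.example.com'
if (Test-ExportedCertificateMatchesServer -PemPath '.\server-cert.pem' -HostName $server) {
    $dest = Install-PgpTrustedCerts -AscPath '.\PGPtrustedcerts.asc'
    Write-Host "Trust file installed at $dest"
} else {
    Write-Error "Exported certificate does not match what $server presents; do not distribute it."
}
```

Run the script once from an administrative PowerShell prompt on a reference client, or drop the Install-PgpTrustedCerts part into your software-distribution tool after the comparison has passed. If the fingerprints differ, stop: either the wrong certificate was exported (for example after the certificate assigned to the network interface was changed) or something between you and the server is presenting a different certificate, and neither should be baked into every client's trust list.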
Mac OS X System Behavior with Self-Signed Certificate Suppression and Symantec Encryption Management Server (SEMS)
Historically, the functionality described in option 4 above was never part of the PGP Desktop client for Mac OS X; even after importing the self-signed certificate and re-downloading the client, the certificate warning continued to display.
Starting with Symantec Encryption Desktop 10.3 for Mac OS X, this certificate warning for self-signed certificates is suppressed after following option 4 above. Once the self-signed certificate has been exported from System > Network > Certificates on Symantec Encryption Management Server (formerly known as PGP Universal Server) and imported into Trusted Keys, and the customized Mac OS X client has been re-downloaded from SEMS, the PGP Alert should no longer appear.