Manually add PGPtrustedcerts.asc to PGP Desktop installer (MSI) using Orca

Article:TECH190946  |  Created: 2012-06-13  |  Updated: 2014-11-14  |  Article URL
Article Type
Technical Solution


Sometimes after adding certificates to Trusted Keys and Certificates in Universal Server, the certificates aren't included in the installer for PGP Desktop.

Typically the reason for this is the client is not re-downloaded after the certificate is added.  The client needs to be downloaded again after the certificates have been added to Trusted Certificates and Keys. These Certificates are only included in the installer, and are not downloaded later via a policy update.

If after downloading the client again and you are still getting the invalid certificate prompt (see example below) after install, the following solutions may help.



From an SSH session to the server, run the command "pgpsysconf --apache" will usually allow you to download the client package again with the proper certificates in the installer. If you do not have SSH access to the server there is a link below to a KB that will walk you through setting that up.

IF you do not have access to SSH or if you are not comfortable with running commands via the command line interface you can manually add the certificate(s) to the MSI using Microsoft's Orca tool.

Tools required:
Orca - Included in the development SDK for Windows 7.

Steps to prepare the certificate for adding to the MSI file:

  1. On Universal Server, go to Keys > Trusted Keys.
  2. Click on the certificate that was added (usually the intermediate CA or root CA certificate)
  3. Click Export and save the .asc file.
  4. Repeat this step for additional certificates.
  5. Open each ASC file with notepad.exe, combine each of the certificates into a single text file.
  6. Save this file as allcerts.asc for use in the steps following for importing them into Orca.

Import into MSI file using Orca:

  • Run Orca
  • Select: File > Open...
  • Locate your MSI installer file (PGPDesktop_en-US.msi) and select it
  • Click Open
  • Locate the following -  Tables: Property,  Property: PGPtrustedcerts


  • Open the allcerts.asc file created earlier
  • Select Edit, Select All  (Ctrl + A)
  • Select Edit, Copy  (Ctrl + C)
  • Right click on the Value (Default is Default PGP Trusted Certs), select Paste Cell.

  • After the certificate is pasted into the cell, it should look like this:

  • Select File, Save as... and save your msi with a new name, PGPDesktop_modified.msi (or whatever name you would like to use).

Now use the new installer to install PGP Desktop.  After installation you should not see the Invalid Certificate prompt.

The following location should contain a PGPtrustedcerts.asc file:

  • Windows XP:  C:\Documents and Settings\All Users\Application Data\PGP Corporation\PGP
  • Windows Vista/Windows 7: C:\Users\All Users\PGP Corporation\PGP

Article URL

Terms of use for this information are found in Legal Notices