
PGP Universal 3.1 - Change Certificate

Created: 20 Dec 2011 • Updated: 25 Jan 2012 | 5 comments
This issue has been solved. See solution.

We are currently using PGP Universal Server 3.1 with 10.1 clients, only utilizing whole disk encryption and nothing else. Currently, when we install the client (downloaded from the server itself) we get a certificate error that the certificate "was issued by an unknown authority". I would like to correct this issue but do not want to impact users in any way, as we have 250 users. Right now, there is no certificate assigned to the server. I can have an internal certificate generated for our internal CA. My question is: when I have this certificate issued and then assign the certificate, what will users experience? Are they going to get a pop-up? Hopefully they would not have to re-enroll. This is our only system, so I have no way to test. The machines trust our CA using group policy. I'm wondering if that is enough and how PGP will know to trust our CA, because the installer that was used has a generic certificate associated. If anyone has gone through this process before, any help would be greatly appreciated.


Chetan D's picture

Hello Tradsd,

Please follow the below article to resolve your certificate issue:

TECH171863, this is the Technet article.

http://www.symantec.com/business/support/index?page=content&id=TECH171863

If/when you consider your issue resolved, please click Mark As Solution on the post that best provided the solution.

 

Thanks,

Chetan.

tradsd's picture

My question is when I have this certificate issued and then assign the certificate, what will users experience?

Julian_M's picture

At most, they will have to "always allow" the new certificate, because the other expired.

When you consider the issue resolved, please click Mark As Solution on the post that best provided the solution.
 

mwoj's picture

Hello Tradsd,

Here is what you have to do to prevent the certificate warning when PGP Desktop starts up:

1) Issue a (Webserver) Certificate from your CA for your Universal Server

2) Assign this Certificate to the proper Universal Server Network Interface

3) Publish the Root Certificate from your CA (through GPO) in Active Directory

This way Clients should have it in their "Trusted Root Authorities" Certificate Store

If your CA does have an Intermediate (Issuing CA) Authority then publish this Certificate as well

4) Once your Clients have the certificate(s) in the Store they should implicitly trust the Connection that PGP Desktop initiates to Universal Server and no warning should occur.

Let me know if this solution does work for you.

 

Cheers,

Martin
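
One way to check steps 3 and 4 of the post above from a client machine, as an added example that is not part of the thread or of any poster's reply. The server name, port 443 and root thumbprint are placeholder assumptions; the script reports only how the Windows certificate store judges the server's certificate, not what PGP Desktop itself trusts.

```powershell
# Added example, not from the thread. Server name, port and thumbprint are placeholders.
param(
    [string]$ServerName     = 'universal.example.internal',    # placeholder FQDN
    [int]   $Port           = 443,                             # assumed HTTPS port
    [string]$RootThumbprint = '<INTERNAL-ROOT-CA-THUMBPRINT>'  # placeholder
)

# Step 3: has Group Policy delivered the internal root CA to the machine store?
$root = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $RootThumbprint }
if ($root) { "Root CA in LocalMachine\Root: $($root.Subject)" } else { "Root CA NOT found in LocalMachine\Root" }

# Step 4: connect and record how Windows itself judges the served certificate.
$script:policyErrors  = $null
$script:chainSubjects = @()
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($s, $cert, $chain, $errors)
    $script:policyErrors  = $errors
    $script:chainSubjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    $true   # accept only so the handshake completes and can be reported; no data is sent
}

$tcp = New-Object System.Net.Sockets.TcpClient($ServerName, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($ServerName)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    [pscustomobject]@{
        Subject      = $served.Subject
        Issuer       = $served.Issuer
        Thumbprint   = $served.Thumbprint   # note before and after the certificate change
        NotAfter     = $served.NotAfter
        Chain        = $script:chainSubjects -join ' <- '
        PolicyErrors = $script:policyErrors # 'None' = chains to a trusted root and name matches
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}
```
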

Sarah Mays's picture

PGP Desktop uses a file called trustedcerts.pgp; this file has the certificate of whichever certificate is installed on the PGP Universal Server at the time it was downloaded (real cert or self-signed, doesn't matter).

PGP Desktop ignores the Windows/Mac machine's certificate store altogether!

The trustedcerts.pgp file does NOT get updated automatically on existing clients when the certificate changes.

So to answer your question: when you change the certificate on the Universal Server, every user will get a pop-up. See below.

certeffor-pgpdtpro.png
SOLUTION