Users may receive an error when importing an S/MIME Certificate on G-Suite with Enhanced Encryption settings enabled on their account.
Invalid Certificate - The X.509 Certificate isn't trusted. Review the documentation and replace the certificate.
The error will occur when the user imports an Email Certificate (with a validity lifespan of more than 27 months). As per G Suite requirements, the validity period of an Email CertificateMUST not exceed 27 months.
It is recommended that the user have a 1 year or 2 year Email Certificate when enabling the Enhanced Encryption setting on G Suite.
Reference: https://support.google.com/a/answer/7300887 ( See 'End Entity Certificate' section )