Certificate Import Failed on PGP Universal Server

Article ID: 153267

Products

Symantec Products

Issue/Introduction

When attempting to import a certificate into the Organization Certificate section of PGP Universal Server, the following error is received:

Certificate Import Failed

The certificate could not be used. The certificate is not able to sign other certificates.

 

Resolution

First, importing an SSL certificate into the Organization Certificate slot fails because the two certificates do different jobs. The Organization Certificate is the X.509 certificate the PGP Universal Server uses to sign S/MIME certificates for email, so it must itself be permitted to sign other certificates (in X.509 terms, basicConstraints CA:TRUE together with the keyCertSign key usage). An SSL certificate is an end-entity certificate for the server's own SSL/TLS traffic and carries no such authority, which is exactly what the error message reports.

Second, obtaining a signing certificate of this kind from a public Certificate Authority is expensive and not common practice. The CA would in effect be authorizing the company to issue certificates on the CA's behalf (a subordinate CA certificate), and in most cases that capability is not granted.

The PGP Universal Server can instead use either a self-signed certificate or a certificate created by the company's internal Certificate Authority as its Organization Certificate. Recipients outside that trust domain will, however, need to trust these certificates manually.

Note: If S/MIME encryption for email is not being used, it is not necessary to have an Organization Certificate.

If the intent is to purchase an SSL certificate for SSL/TLS communications, the Certificate Signing Request (CSR) must be generated under the System > Network tab of the PGP Universal Server, not in the Organization Certificate section.

SSL certificates can be created on the PGP Universal Server as self-signed or obtained through a reputable Certificate Authority. Self-signed certificates, however, are not automatically trusted by email or web browser clients.

Obtaining a certificate from a publicly trusted Certificate Authority is especially important for PGP Universal Servers that will be accessed publicly. Older web browsers may reject self-signed certificates, or handle them incorrectly, when they encounter them via PGP Universal Web Messenger, Smart Trailer or other secure communication services. An SSL certificate from a trusted Certificate Authority ensures that browsers trust the SSL connection to the PGP Universal Server and that end users do not receive security alerts.

A certificate from a trusted Certificate Authority also resolves the PGP Alert shown during client enrollment.

To resolve the above errors, generate a Certificate Signing Request on the PGP Universal Server. Once the SSL certificate has been received from the Certificate Authority, import it into the Certificates section of the PGP Universal Server under System > Network.

 

Guidelines for requesting an SSL certificate

  • When creating the Certificate Signing Request for the SSL certificate, fill out all applicable fields. Do not abbreviate the State field; Certificate Authorities usually require the state to be spelled out completely.
  • The hostname of the PGP Universal Server must match the hostname in the SSL certificate. If the hostname of the PGP Universal Server is keys.acme.com, the SSL certificate must be issued for keys.acme.com.
  • A wildcard certificate may be used if multiple PGP Universal Servers are deployed. Example: keys.acme.com, keys2.acme.com and keys3.acme.com could all use one wildcard certificate for *.acme.com; wildcard certificates are, however, more expensive than ordinary certificates.
  • When the Certificate Authority asks for the server type, request the SSL certificate for Apache.
  • The SSL certificate is used only for SSL/TLS communications; it is not an Organization Certificate.
  • The PGP Universal Server does not fully support intermediate certificates. Because the certificate chain cannot be completed on the PGP Universal Server, a certificate that depends on an intermediate will continue to produce security alerts when the PGP Universal Server web page is accessed.

Generating a Certificate Signing Request on PGP Universal Server

  1. In the PGP Universal Server web console, click System > Network, then click Certificates.
  2. Click Add Certificate.
  3. Fill in all applicable fields completely and click Generate CSR. A Certificate Signing Request block is returned; give this block to the Certificate Authority.
  4. Click OK. The certificate screen shows a Pending status until the SSL certificate has been imported into the PGP Universal Server.
  5. Once the certificate block has been received from the Certificate Authority, click the plus sign next to the pending entry, paste the block of text into the import field, and click Save to complete the import.

    Note: Many Certificate Authorities return the certificate as a file in .PEM format (Privacy Enhanced Mail). The PGP Universal Server does not accept such a file directly; it must be converted to PKCS#12 format (Personal Information Exchange Syntax Standard, .p12/.pfx) before import. A PKCS#12 bundle carries the private key together with the certificate, so this path applies when the key pair is available outside the server; for a CSR generated on the server in step 3, paste the certificate block as described in step 5.

  6. Click System > Network and make sure the certificate is assigned to the interface of the PGP Universal Server. If multiple interfaces are in use, assign the certificate to each interface.
  7. Click Save.
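The checks a practitioner would want before touching the console, as an added example that is not part of this article and not Symantec's own tooling. It covers both points made above: why an SSL certificate is rejected as an Organization Certificate (it cannot sign other certificates), and how to validate and package the SSL certificate returned for a CSR (hostname match, key match, PKCS#12 conversion). It needs only openssl 1.0.2 or later. The internal CA, the hostname keys.acme.com, the subject fields, file names and the PKCS#12 password are all illustrative assumptions; the certificates are generated locally so the script runs offline.

```shell
#!/bin/sh
# Added example; not part of the Symantec article. Needs openssl 1.0.2+.
# Subjects, hostnames, paths and the PKCS#12 password are assumptions.

# Throwaway internal CA in $1: CA:TRUE + keyCertSign, i.e. a certificate that
# *can* sign other certificates, which is what the Organization Certificate
# slot demands (it signs the S/MIME certificates the server issues).
make_internal_ca() {
    d=$1; mkdir -p "$d"
    cat > "$d/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Acme Internal CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/ca.cnf" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
}

# TLS key + CSR for hostname $2 in $1 (State spelled out, SAN set), signed by
# the internal CA as an ordinary end-entity server certificate (CA:FALSE).
issue_server_cert() {
    d=$1; host=$2
    cat > "$d/tls.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
C = US
ST = California
O = Acme
CN = $host
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$d/tls.cnf" \
        -keyout "$d/tls.key" -out "$d/tls.csr" 2>/dev/null
    cat > "$d/tls.ext" <<EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -in "$d/tls.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -extfile "$d/tls.ext" -out "$d/tls.pem" 2>/dev/null
}

# 0 if $1 may sign other certificates: basicConstraints CA:TRUE and, when a
# Key Usage extension is present, keyCertSign ("Certificate Sign") in it.
# Anything else is what the console rejects with "not able to sign other
# certificates"; a CA-issued SSL certificate always fails here.
can_sign_certs() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    if printf '%s\n' "$text" | grep -q 'X509v3 Key Usage'; then
        printf '%s\n' "$text" | awk '/X509v3 Key Usage/ { getline; print }' \
            | grep -q 'Certificate Sign' || return 1
    fi
}

# 0 if $1 is valid for hostname $2 (CN or SAN; wildcard names are honoured).
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# 0 if the public key in certificate $1 belongs to private key $2, i.e. the
# CA returned a certificate for the CSR this server generated.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$2" -pubout | openssl sha256)" ]
}

# Bundle certificate $1, private key $2 and issuing CA $3 into PKCS#12 $4.
# SHA1/3DES PBE is chosen because older importers reject newer PBES2 defaults.
pem_to_pkcs12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES \
        -name pgp-universal-tls -passout pass:changeit -out "$4"
}

# Demo run
work=$(mktemp -d)
make_internal_ca "$work"
issue_server_cert "$work" keys.acme.com
can_sign_certs "$work/ca.pem"  && echo "ca.pem: can sign certificates (Organization Certificate material)"
can_sign_certs "$work/tls.pem" || echo "tls.pem: cannot sign certificates; SSL/TLS use only"
cert_matches_host "$work/tls.pem" keys.acme.com && echo "tls.pem: hostname matches"
cert_matches_key "$work/tls.pem" "$work/tls.key" && echo "tls.pem: matches tls.key"
pem_to_pkcs12 "$work/tls.pem" "$work/tls.key" "$work/ca.pem" "$work/tls.p12" \
    && echo "tls.p12: ready to import"
```

Run can_sign_certs against any certificate you intend to place in the Organization Certificate section before importing it; if it returns non-zero, the console will reject it with the error quoted at the top of this article. cert_matches_host and cert_matches_key are the two things to confirm about the SSL certificate a Certificate Authority returns before step 5, and pem_to_pkcs12 is the conversion the note under step 5 calls for when the private key is held outside the server.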