Organization Certificate Expired
search cancel

Organization Certificate Expired


Article ID: 153339


Updated On:


Encryption Management Server Gateway Email Encryption


When viewing the Organization Keys on the Organization tab, you receive the following message:

Organization Certificate Expired -or- Organization Certificate is about to expire.

This means the organization certificate has expired or is about to expire. Please remove, replace, or regenerate it as soon as possible.



An Organization Certificate is required for S/MIME support. You can only have one Organization Certificate attached to your Organization Key. You will not be able to restore from a backup with more than one Organization Certificate associated with your Organization Key.

The Organization Key will automatically renew itself one day before its expiration date. However, the Organization Certificate must be regenerated manually.

Note: A self-signed Organization Certificate will have the same expiration date as the Organization Key, unless the Organization Key is set never to expire. If the Organization Key will never expire, the Organization Certificate will expire 10 years from the date you generate it.

You must regenerate the Organization Certificate before it expires and distribute the new Certificate to anyone who uses your old Organization Certificate as a trusted root CA.

The Symantec Encryption Management Server (SEMS) will automatically generate certificates as well as keys for new internal users created after you import or generate an Organization Certificate. All internal users will receive a certificate added to their keys within 12 hours. However, the old Organization Certificate will remain on users keys until the certificate expires.

When a Organization Certificate expires, you have several options to resolve the issue:

  • Create a self-signed Organization Certificate. Unfortunately, a self-signed Organization Certificate will not be universally recognized, so we recommend using a certificate from a recognized Certificate Authority (CA).
  • Create a Certificate Signing Request for a certificate authorized by an existing CA. When you receive the certificate back from the CA as a file, you will need to import that file.
  • Import an existing certificate to use as your Organization Certificate. Imported X.509 certificates must be version 3, self-signed certificates are automatically version 3.

To enable S/MIME support, the certificate of the issuing Root CA, and all other certificates in the chain between the Root CA and the Organization Certificate, must be on the list of trusted keys and certificates on the Trusted Keys and Certificates card. If that is not the case, please import them.

To generate a Self-signed certificate or a Certificate Signing Request:

  1. Login to the Symantec Encryption Management Server.
  2. Click on Keys then Organization Keys.
  3. Select the + icon in the action column of the Organization Certificate row.
  4. Enter your information for the certificate (Common Name, Contact Email, etc.).
  5. Click Generate Self-signed for a self-signed certificate or Generate CSR to create Certificate Signing Request.

To create a Certificate Signing Request (CSR):

  • Copy the contents of the CSR dialog to a file, then click OK.
  • Paste the CSR into the appropriate field on your third-party CA interface. The CA will send the certificate back to you when it has approved it.
  • When you receive the certificate from the CA, use the Import feature to import it as your Organization Certificate.

To import a certificate:

  1. Login to the PGP Universal Server.
  2. Click on Keys then Organization Keys.
  3. Click the icon in the Import column of the Organization Certificate row.
  4. Copy the certificate you want to be your Organization Certificate.
  5. Paste the text into the Certificate Block box.
  6. Click Save.

The Organization Certificate you imported appears in the Organization Certificate row.


Applies To

Symantec Encryption Management Server (formerly known as PGP Universal Server)