HOW TO: Generate a new self-signed Organization Certificate for PGP Server for SMIME Email Encryption

Article ID: 155218

Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

The Symantec Encryption Management Server (PGP Server) can generate S/MIME certificates for Email Encryption when the S/MIME encoding method is used.

Note: If you are not doing S/MIME certificate encryption, you do not need to generate an Organization Certificate and can skip this procedure.
If you need to encrypt email to recipients who use S/MIME certificates, you need an Organization Certificate: it is the CA certificate the PGP Server uses to sign every user certificate it issues.

An Organization Certificate can be obtained in one of three ways:

Method 1: Self-Signed Certificate (not generally recommended). No external domain trusts it until its administrator imports it explicitly.

Method 2: Internal CA (better than self-signed, but still not trusted by external domains; each external entity has to import the internal CA certificate manually).
For more information on this method, see the following article:
257339 - How to Create and Assign a Subordinate/Intermediate Certificate for SMIME/Certificate Signing with PGP Server

Method 3: Trusted (public) Certificate Authority.
This option is rarely achievable: the CA would have to issue you a certificate with certificate-signing permission, i.e. make you a Subordinate Certificate Authority, which public CAs do not normally do.
Typically you will use Method 1 or 2.

This article covers Method 1, generating a self-signed certificate.


Environment

We recommend using self-signed certificates only for testing. In production environments we strongly recommend certificates from a trusted Certificate Authority, and an internal Certificate Authority is always better than a self-signed certificate.

Resolution

The first step is to check on the PGP Server whether an Organization Certificate already exists or a new one simply needs to be created.

In this example the PGP Server already has an Organization Certificate assigned, which we will replace. Keep in mind that user certificates already issued under the old certificate still chain to the old certificate, not to the new one, so external recipients who trusted the old certificate will need the new one as well:

Hover over the Org Cert Delete icon and you should see "Delete Organization Certificate":

The following message will appear:

Click OK, and then you will have the option to "Generate Organization Certificate":

The following options appear. Enter a Common Name, such as your mail domain; in this example the domain "example.com" is used.
The other fields are optional but useful.
Do not put internal information in any of these fields: everything in the certificate subject is visible to every external recipient you give the certificate to:

Now a new Organization Certificate will be created on the PGP Server:

Once the new Organization Certificate exists, each user account that is created afterwards gets a PGP key and an S/MIME certificate signed by it. The S/MIME certificate expiration date follows the expiration shown on the Org Key.

To see this, click on the Organization Key:

In this case we have made a special modification to the Org Key and set it to "Never" expire. Now look at the properties of the Org Certificate:

Notice that the Org Certificate expires 10 years in the future. This is not the usual result; it happens because the Org Key is set to never expire, and an X.509 certificate must always carry a finite expiration date.

If the Org Key expires in 5 years, the Org Cert will typically be set to expire in 5 years as well.


The user certs themselves follow the key renewal periods. For more information on individual key renewal policies, see the following KB:

157933 - PGP Key Renewal - Symantec Encryption Management Server user keys are valid for only two weeks


Now click on the Org Cert and export its public portion so you can provide it to your external recipients.
Note: It is very important to export only the public portion. The private half of the Org Cert signs every user certificate on the server; anyone who obtains it can issue certificates for your domain that your recipients will trust:

When you save the public portion of the Org Cert, rename the file so it is easy to distinguish from a full export:


Once users send email, or have keys created for them, they will have their own user certs, which you can view on their accounts.

Provide the public Org Cert to external domains so that they can import it as a trusted certificate; the user certs signed by it are then trusted for email encryption.
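The two things worth verifying before the exported file leaves your organization are that it really contains only the public portion, and how long it (and therefore every user cert it signs) remains valid. The following script is an added example and is not part of this article or of the PGP Server product: the Org Cert itself is created in the PGP Server console as described above, and these functions only inspect an exported PEM file. It assumes openssl is installed; the file names and the "demo" argument are arbitrary, and the sample certificate it generates is a constructed stand-in for a real Org Cert export.

```shell
#!/bin/sh
# Added example (not from the KB article or the PGP Server product):
# sanity-check an exported Org Cert before handing it to an external domain.
# Only inspects files; the Org Cert is generated in the PGP Server console.
set -eu

# Pass only if the file holds a CERTIFICATE block and no private-key block
# of any kind ("PRIVATE KEY", "RSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY").
# A file that fails this check must never be sent out.
org_cert_is_public_only() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
    ! grep -q -- 'PRIVATE KEY-----' "$1"
}

# Exit 0 if the certificate is still valid $2 days from now, 1 otherwise
# (openssl -checkend takes seconds). Use it to get a warning before the
# Org Cert, and with it every user cert it signed, expires.
org_cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Show what an external admin will see: subject, issuer (equal to the
# subject for a self-signed cert), validity window, and whether the cert
# is marked as a CA, which it must be to sign user certs.
org_cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
    openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Basic Constraints' \
        || echo 'no basicConstraints extension'
}

# Constructed stand-in for an Org Cert export (assumed names; self-signed,
# 10 years, CN=example.com) so the checks can be exercised offline. It also
# writes the kind of file a careless "export everything" would produce.
make_sample_org_cert() {
    _dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj '/CN=example.com/O=Example Org' \
        -keyout "$_dir/org-private.pem" -out "$_dir/org-cert-public.pem" 2>/dev/null
    cat "$_dir/org-cert-public.pem" "$_dir/org-private.pem" > "$_dir/org-cert-WITH-KEY.pem"
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_sample_org_cert "$tmp"
    org_cert_summary "$tmp/org-cert-public.pem"
    org_cert_is_public_only "$tmp/org-cert-public.pem" && echo 'public export: OK to send'
    org_cert_is_public_only "$tmp/org-cert-WITH-KEY.pem" || echo 'export contains the private key: DO NOT send'
    org_cert_valid_for_days "$tmp/org-cert-public.pem" 30 && echo 'valid for at least 30 more days'
    rm -rf "$tmp"
fi
```

Run it as `sh check-org-cert.sh demo` to see the three checks against the constructed sample; point `org_cert_is_public_only` and `org_cert_summary` at the file you actually exported from the PGP Server before you send it. The private-key check is deliberately a plain text match rather than an openssl parse, so that it also catches an encrypted PKCS#8 block that openssl could not decode without the password.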


Error upon Importing Certificates Stating Incorrect Password

If you are importing a certificate into the PGP Server and it reports that the password is incorrect when you know it is correct, please reach out to Symantec Encryption Support for further guidance:

Reference: EPG-31906/IMSFR-2

If any further guidance is needed, reach out to Symantec Encryption Support.

Additional Information

257339 - How to Create and Assign a Subordinate/Intermediate Certificate for SMIME/Certificate Signing with PGP Server

155218 - HOW TO: Generate a new self-signed Organization Certificate for PGP Server for SMIME Email Encryption

180416 - How to Install an SSL Certificate for Symantec Encryption Management Server (PGP Server)

176302 - Renewing the Endpoint Encryption Management Server TLS certificate

180143 - HOW TO: Work with Trusted Keys and Certificates on Symantec Encryption Management Server