The Organization Certificate is an X.509 certificate that can either be self-signed or requested from a Certificate Authority (CA).
The PGP Encryption Server (Symantec Encryption Management Server) uses the Organization Certificate to generate X.509 certificates for internal users and to provide Secure Multipurpose Internet Mail Extensions (S/MIME) functionality.
If you are not performing any S/MIME Encryption, you do not need to create an Organization Certificate.
Although the Organization Key page on the PGP server then shows the certificate as missing, it is fine to leave it unpopulated.
Adding an Org Cert causes the server to issue S/MIME certificates to end users; these certificates are wrapped inside the users' PGP Encryption Desktop (Symantec Encryption Desktop) client keys.
That is what you want for S/MIME, but it adds key-management overhead if S/MIME encryption is not actually being used.
Organization Certificate Functions:
*To issue new X.509 certificates to users in the managed domain(s).
Note: It is not required if your users do not need new X.509 certificates for S/MIME Email Encryption.
Attributes of Organization Certificate:
It is part of the Organization Key (an X.509 user ID).
It is not generated automatically, but can be generated or imported later.
If it exists or is added, Users will have both a PGP key and X.509 certificate (for S/MIME encryption).
If it is added after users' PGP keys already exist, those keys are updated by the scheduled key-maintenance task, which runs every 12 hours.
Organization Key:
Replace the server-generated Organization Key with one that doesn’t expire.
This should be done before any users send email through Encryption Management Server.
Make sure you have a backup of your Organization Keypair (not just the public key).
Organization Certificates General Guidelines, Considerations, and Features:
*It is generally recommended to use a certificate issued by an internal CA as the Org Cert. All S/MIME certificates issued under it are then trusted inside the organization.
To be trusted by the outside world, share the public portion of the root certificate with your external recipients.
*It is recommended you regenerate the Organization Certificate before it expires and distribute the new Certificate to anyone who uses your old Organization Certificate as a trusted root CA.
Note: It is not recommended to use a self-signed Organization Certificate in a production environment due to the trust issues.
*Should have no email address, or an email address not shared by any users.
*Users' certificates can never expire later than the issuing Organization Certificate.
Note: A self-signed Organization Certificate has the same expiration date as the Organization Key, unless the Organization Key is set never to expire.
If the Organization Key never expires, the Organization Certificate expires 10 years from the date you generate it.
*The PGP Server will automatically generate certificates as well as keys for new internal users created after you import or generate an Organization Certificate.
*All internal users receive a certificate on their keys within 24 hours. However, certificates issued under an old Organization Certificate remain on users' keys until they expire.
*If users already have an X.509 certificate associated with their keys, the users do not receive a new certificate until the old certificate expires.
*An Organization Certificate is required only for S/MIME support. If you use only Drive Encryption and PGP keys, you do not need an Org Cert.
*You can have only one Organization Certificate attached to your Organization Key.
Using Your own Certificate Authority with PGP
You can use your own internal CA to generate the certificates and upload them to the PGP server. If you want the PGP Server itself to issue the user certificates, upload the CA certificate and its private key as the signer, so that every certificate the PGP Server generates is signed by your CA.
Consult your Certificate Authority administration team for guidance, because this requires importing the CA keypair into the PGP server. Once that is done, users' S/MIME certificates are signed by this CA by default. Because this places the CA's private key on the PGP server, many organizations use a dedicated subordinate (issuing) CA for this purpose rather than the root itself.
Default Renewal Timeframe
The Organization Key signs, and thereby verifies, the PGP keys in the managed domain. Internal users' PGP keys are signed and re-signed with a two-week signature by default (this timeframe can be adjusted). See the following KB for more information on this topic:
157933 - PGP Key Renewal - Symantec Encryption Management Server user keys are valid for only two weeks
If a server-only user (SKM) is inactive for three months, their key is not re-signed.
Trust the Organization Key and it will automatically handle key verification.
If the Organization Key is replaced: Existing Internal User keys become unverified until they are signed by the new key.
Important Note: Replacing your Organization Key is strongly discouraged unless you know it has been compromised. In most cases generating a new Org Key is not the appropriate action and can cause issues.
If you are thinking about replacing the Org Key, reach out to Symantec Encryption Support for further guidance.
Troubleshooting:
Scenario 1: Organization Certificate Needs to be Re-Generated
Like the Organization Key, the Organization Certificate is what issues the users' S/MIME certificates, and those certificates are also typically valid for two weeks, as described in the key-renewal KB above.
If your PGP Server has an Org Cert, user certificates are generated for the PGP users automatically during the scheduled key-maintenance routines that run periodically on the server.
If the Org Cert is changed, new user certificates are generated automatically, but the old user certificates remain active until they expire; once they expire, the new Org Cert is used to create the replacement S/MIME certificates. The same renewal period applies, so a two-week interval remains two weeks under the new Org Cert.
As an example, if a new User certificate was created yesterday, and today a new Org Cert is generated, the user's cert will remain the same for about two more weeks.
Once the two weeks are up, then a new user certificate will be created.
It may be fine to allow these old certificates to exist and be used until they expire as per their key-renewal interval previously assigned, but if it is necessary for the users to immediately receive a new certificate, please reach out to Symantec Encryption Support for further guidance.
Scenario 2: User Certificates were generated by the Organization Certificate on PGP Server 10.5.1 or 10.5.1 MP1 (Fixed in 10.5.1 MP2).
If you generated user certificates on either of the versions above, you need to generate a new Organization Certificate.
The OpenSSL build in those versions omitted an immutable attribute that 10.5.1 MP2 now sets. To ensure the needed attributes are present, generate a new Org Cert and let new user certificates be created from it.
It is recommended to export the keypair of the Org Cert prior to making the change.
Once the cert has been exported, you can generate a new Org Cert.
Important Note: When generating the new Org Cert, change at least one attribute of the certificate so that users' keys pick up the new certificate rather than keeping an identical-looking one.
For example, if the "Organization Name" was "Example Group", consider entering "Example, Group" or "Example Group Co", anything that changes the attribute itself and triggers a new user cert once the users' current certs expire.
Existing user certificates that are still valid (not expired) remain until they expire.
Note: It may be okay to leave the user's original certs as they are, but in some cases you may want to revoke them. In order to revoke the certs, you will need to click on the "Revoke" icon next to each user's Org Certs.
As in Scenario 1, it may be fine to let the old certificates be used until their previously assigned renewal interval runs out, but if users must receive a new certificate immediately, reach out to Symantec Encryption Support for further guidance.
EPG-28860
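The two rules above, that a user certificate can never outlive the Organization Certificate that issued it (Guidelines section) and that certificates issued under an old Org Cert keep the old issuer name after the Org Cert is regenerated with a changed Organization Name (Scenario 2), can be checked on exported PEM files with plain OpenSSL. The following script is an added example, not code from the KB article or from Symantec Encryption Management Server; it assumes a Linux host with GNU date and openssl 1.1.1 or 3.x, and every file name, subject, lifetime and the "Example Group" organization in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example; not part of the Symantec KB article or of the Encryption
# Management Server product. It reproduces two rules from the article with
# plain OpenSSL on exported PEM files: a user certificate must not outlive the
# Organization Certificate that issued it, and a user certificate issued under
# an old Org Cert still carries the old issuer DN after the Org Cert changes.
# Assumes a Linux host with GNU date and openssl 1.1.1 or 3.x. All file names,
# subjects, lifetimes and the "Example Group" organization are constructed.

# notAfter of a PEM certificate as a Unix timestamp.
cert_not_after() {
    end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//')
    date -d "$end" +%s
}

# 0 when the user certificate expires no later than its issuer, else 1.
user_cert_within_issuer() {
    [ "$(cert_not_after "$1")" -le "$(cert_not_after "$2")" ]
}

# 0 when the chain user -> Org Cert verifies at the given Unix time, else 1.
chain_valid_at() {
    openssl verify -attime "$3" -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 when the user certificate's issuer DN equals the Org Cert's subject DN,
# else 1. Finds users still carrying certificates from an old Org Cert.
issued_by_org() {
    u=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
    o=$(openssl x509 -noout -subject -in "$2" | sed 's/^subject=//')
    [ "$u" = "$o" ]
}

# Self-signed stand-in for an Org Cert: make_org_cert NAME ORGANIZATION DAYS
make_org_cert() {
    openssl req -x509 -config ext.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -sha256 -days "$3" -subj "/O=$2/CN=Org Cert" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# S/MIME user certificate signed by an Org Cert: make_user_cert NAME ORG DAYS
make_user_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Group/CN=$1/emailAddress=$1@example.test" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -days "$3" -sha256 -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -extfile ext.cnf -extensions v3_user -in "$1.csr" -out "$1.crt" 2>/dev/null
}

# Builds the throwaway PKI in a temp dir and prints one word per check.
demo() {
    work=$(mktemp -d); cd "$work" || return 1
    cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_user ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    make_org_cert org "Example Group" 365
    make_user_cert short org 30     # inside the Org Cert lifetime
    make_user_cert long  org 400    # deliberately beyond it

    r1=$(user_cert_within_issuer short.crt org.crt && echo ok || echo beyond)
    r2=$(user_cert_within_issuer long.crt  org.crt && echo ok || echo beyond)

    # The over-long certificate verifies today but not the day after the
    # Org Cert expires: the chain dies with its issuer.
    org_end=$(cert_not_after org.crt)
    r3=$(chain_valid_at long.crt org.crt "$(date +%s)"          && echo valid || echo broken)
    r4=$(chain_valid_at long.crt org.crt "$((org_end + 86400))" && echo valid || echo broken)

    # Scenario 2: regenerate the Org Cert with a changed Organization Name.
    # Certificates issued under the old one are now recognisable by issuer DN.
    make_org_cert org2 "Example Group Co" 365
    r5=$(issued_by_org short.crt org2.crt && echo current || echo stale)
    make_user_cert fresh org2 30
    r6=$(issued_by_org fresh.crt org2.crt && echo current || echo stale)

    cd / && rm -rf "$work"
    echo "$r1 $r2 $r3 $r4 $r5 $r6"
}
```

Run `demo` to see `ok beyond valid broken stale current`. On real exports, `user_cert_within_issuer user.pem org.pem` and `issued_by_org user.pem org.pem` are the two checks to loop over the certificates pulled from users' keys; the `-attime` verification is the reason the first rule exists, since a user certificate that outlives its issuer stops validating the moment the Org Cert expires regardless of its own dates.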
Scenario 3: Bad Passphrase In Logging
If you are receiving an error "Bad Passphrase" with the ignition key for certain keys, it is recommended to reach out to Symantec Encryption Support for further Guidance.
Scenario 4: DecodeESK Error for certain users
If you are receiving the following error, reach out to Symantec Encryption Support for further diagnosis:
USP-00001: Received DecodeESK command from user username1 (uuid-here)
USP-00001: Decrypted ESK via consumer's group is failed, going to decrypt ESK via other key
USP-00001: Decrypting ESK failed, cannot find the decryption keys.
USP-00001: error: unable to decrypt, no key
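Before opening the support case it helps to know which users, and how often, hit the "no key" path. The awk filter below is an added example, not a Symantec tool: it correlates the multi-line sequence shown above by attributing each "unable to decrypt, no key" line to the most recent "Received DecodeESK command from user" line, and counts failures per user and key UUID. The log lines it runs on are constructed for the demonstration; the usernames and UUIDs are made up.

```shell
#!/bin/sh
# Added example, not a Symantec Encryption Management Server tool. Reads
# server log lines on stdin and prints "user (uuid) count" for every user
# whose DecodeESK request ended in "error: unable to decrypt, no key".
# The sample log in demo_esk is constructed; the usernames and UUIDs are made up.

esk_failures() {
    awk '
        # Remember who issued the DecodeESK command; the token after "user"
        # is the username and the next one is the parenthesised key UUID.
        /Received DecodeESK command from user/ {
            for (i = 1; i <= NF; i++)
                if ($i == "user") { cur = $(i + 1) " " $(i + 2) }
        }
        # Attribute the terminal failure to that user, then reset so a later
        # failure is never charged to a user who already succeeded.
        /error: unable to decrypt, no key/ && cur != "" {
            fail[cur]++; cur = ""
        }
        END { for (k in fail) print k, fail[k] }
    ' | sort
}

# Constructed sample: alice fails twice, bob's request has no error line.
demo_esk() {
    esk_failures <<'EOF'
USP-00001: Received DecodeESK command from user alice (0c4f0c4f-0000-4000-8000-000000000001)
USP-00001: Decrypted ESK via consumer's group is failed, going to decrypt ESK via other key
USP-00001: Decrypting ESK failed, cannot find the decryption keys.
USP-00001: error: unable to decrypt, no key
USP-00001: Received DecodeESK command from user bob (0c4f0c4f-0000-4000-8000-000000000002)
USP-00001: Received DecodeESK command from user alice (0c4f0c4f-0000-4000-8000-000000000001)
USP-00001: Decrypted ESK via consumer's group is failed, going to decrypt ESK via other key
USP-00001: Decrypting ESK failed, cannot find the decryption keys.
USP-00001: error: unable to decrypt, no key
EOF
}
```

Feed the real log through `esk_failures` instead of the heredoc; the per-user counts and the key UUIDs are what support will ask for first.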