BUG REPORT: Symantec Encryption Desktop (previously PGP Desktop) Displays an Error When Creating PGP Bundle Keys From x.509 Certificates on a Smartcard

Article ID: 156242

Products

Desktop Email Encryption, Drive Encryption, Encryption Management Server

Issue/Introduction

In an environment with Symantec Encryption Management Server (previously PGP Universal) and directory synchronization enabled, users might not be able to generate their CKM mode PGP keys from x.509 certificates on a smartcard. This problem occurs when the same certificates are also published in the LDAP attribute userCertificate:binary.

The Symantec Encryption Desktop enrollment wizard will complain that no key matches the key management mode.

Cause

The cause is a collision between the certificates imported at the client (from the smartcard) and the same certificates being imported through directory synchronization.

Resolution

Symantec Corporation is committed to product quality and satisfied customers.  This issue is currently being considered by Symantec Corporation to be addressed in a forthcoming version or Maintenance Pack of the product.  Please be sure to refer back to this document periodically as any changes to the status of the issue will be reflected here.

Workaround:

When the synchronization of certificates from LDAP is disabled, the issue goes away.

On the Encryption Management Server, in /etc/ovid/prefs.xml, add the following to the <key-generation> section:

<ldap-sync-certificates>false</ldap-sync-certificates>
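As an added illustration that is not part of the Symantec article, the following Python helper applies the workaround to a prefs.xml-style document idempotently (it only changes the file when needed and refuses to guess where the setting belongs if the section is missing) and reports the effective setting. The element names come from the article; the surrounding layout of /etc/ovid/prefs.xml, the sample document, and the assumption that an absent element means synchronization is enabled are mine.

```python
import xml.etree.ElementTree as ET
from typing import Tuple

# Element names are the ones named in the KB article. That a missing
# <ldap-sync-certificates> element means "enabled" is an assumption.
SECTION = "key-generation"
SETTING = "ldap-sync-certificates"


def set_ldap_sync_certificates(prefs_xml: str, enabled: bool = False) -> Tuple[str, bool]:
    """Return (updated_xml, changed).

    Ensures <ldap-sync-certificates> under <key-generation> holds the requested
    value. Raises ValueError if the section is absent instead of inventing one.
    """
    root = ET.fromstring(prefs_xml)
    section = root if root.tag == SECTION else root.find(f".//{SECTION}")
    if section is None:
        raise ValueError(f"<{SECTION}> section not found in prefs.xml")
    wanted = "true" if enabled else "false"
    node = section.find(SETTING)
    if node is None:
        node = ET.SubElement(section, SETTING)
        node.text = wanted
        changed = True
    else:
        current = (node.text or "").strip().lower()
        changed = current != wanted
        node.text = wanted
    return ET.tostring(root, encoding="unicode"), changed


def ldap_sync_certificates_enabled(prefs_xml: str) -> bool:
    """Report the effective setting (absent element treated as enabled)."""
    root = ET.fromstring(prefs_xml)
    node = root.find(f".//{SECTION}/{SETTING}")
    if node is None:
        return True
    return (node.text or "").strip().lower() != "false"


# Constructed sample document, not a real prefs.xml from a server.
SAMPLE_PREFS = """<prefs>
  <key-generation></key-generation>
</prefs>"""

if __name__ == "__main__":
    updated, changed = set_ldap_sync_certificates(SAMPLE_PREFS)
    print("changed:", changed, "| sync enabled now:", ldap_sync_certificates_enabled(updated))
    print(updated)
```

Run it against a copy of the file first and keep a backup of the original prefs.xml before writing the result back.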


Applies To

Symantec Encryption Management Server with directory synchronization enabled, an LDAP/Active Directory directory with userCertificate:binary populated, and x.509 certificates on a smartcard.