X.509 Certificate is not Updated with New Email Address After Email Address is Changed


Article ID: 156886


Updated On:


Symantec Products


An end-user has a a key and attached to the key is a X.509 certificate based on the e-mail address for signing and encrypting e-mail messages with S/MIME.

When the e-mail address changes (e.g. the email name changes), this change is correctly synchronized to the end-user object in PGP Universal Server. However, the key and X.509 certificate fail to be synchronized with the new email address and continue to use the former e-mail address.



The e-mail address is a fixed value when generating the X.509 certificate and can not be updated afterwards. A new certificate needs to be generated, since the e-mail address is also not updated on the key itself, it also needs to be regenerated.


In CKM, SCKM, and GKM key modes:

In all the 3 key modes, the keypair is generated by PGP Desktop and depending on the key mode chosen, the key is partially or fully synchronized with PGP Universal Server.  To generate a new key that includes a new X.509 certificate for the end-users email address:

  1. Open PGP Desktop.
  2. Click  Tools > Options and then select Advanced.
  3. Click on the button Reset Key. The PGP Key Generation Wizard is displayed.
  4. Choose to generate a New Key in the desired key mode and enter a passphrase if needed.

Warning: Do not remove the old key and certificate from PGP Desktop, the end-user needs to have access to the private key of the old certificate to be able to decrypt email messages that were encrypted to that certificate.


When using SKM key mode:

In SKM mode, the key and certificate are completely managed by PGP Universal Server.

The steps in a brief list:

  1. Change the e-mail address for the user account (in Active Directory/Microsoft Exchange/etc).
  2. Export the x.509 encryption certificate and complete key.
  3. Remove complete key, and PGP Universal Server will generate a new one with the next outbound e-mail for this user.
  4. Import the "old" x.509 cert on the end-users workstation.

After the e-mail address is changed on the user account (in AD/ Exchange/etc.), you will need to export the "old" x.509 encryption certificate from PGP Universal Server.

  1. Log in to the PGP Universal Server administrative interface.
  2. Under "Consumers" > "Users" find the user account and click on the name to open the properties
  3. Under the heading "Managed keys" there should be 1 key listed which should be in SKM mode. Click on the "Key ID" to open the properties of the key.
  4. Under the heading "Certificates" there should be two certificates listed, one for signing "digital Signature" and one for encryption "keyEncipherment, dataEncipherment, keyAgreement". This last certificate you will need to export.
  5. Click on the "Export" button next to the encryption certificate, choose to "Export Keypair" and secure it with a passphrase if required.
  6. Close the export screen. Also export the complete PGP key for the user. Click on the "Export" button in the top section with the user details. Choose to "Export Keypair" and secure it with a passphrase if required.
  7. Close the export screen. And press the "Delete" button on the top section of the screen. It will ask if you are sure to delete this key. Answer OK.


The user account is still there, but without any keys attached.  PGP Universal Server will generate a new keypair including new x.509 certificates for signing and encryption when an outbound mail is processed for this end-user. This includes the new email address, and if applicable also the new name on the user account itself.

In case an external party sends an encrypted email to the end-user and used the old encryption certificate, PGP Universal Server is unable to decrypt this message - and it will be passed through unmodified to the end-user.

You will need to import the old encryption certificate to the end-users machine. PGP Universal Server only supports one x.509 certificate for signing and one for encryption per user account. So it is not possible to import the old encryption certificate back into Universal Server. On Microsoft Windows you can import the exported "old" encryption certificate in the following way:

On the end-users machine open certmgr.msc

  1. Right click the "Personal" folder and choose "All Tasks" > "Import"
  2. Browse to the location of the exported certificate, change the file type to "Personal Information Exchange (*.pfx, *.p12), and open the file.
  3. Enter the passphrase which you used with the export of the cert.
  4. Make sure that the Certificate Store is set to "Personal"
  5. They cert should be imported ok.

The end-user experience with reading mails encrypted to the old x.509 certificate is a bit different. You will not see the PGP decryption banners around the message. Outlook for instance shows a blue lock icon with the message to show it is encrypted. But sending out e-mail encrypted has no change in experience.


Applies To

PGP Universal Server with an Organization Certificate added that is used to generate X.509 certificates for end-users.