An end-user has a key, and attached to the key is an X.509 certificate based on the e-mail address, used for signing and encrypting e-mail messages with S/MIME.
When the e-mail address changes (e.g. the e-mail name changes), this change is correctly synchronized to the end-user object in PGP Universal Server. However, the key and the X.509 certificate are not synchronized with the new e-mail address and continue to carry the former e-mail address.
The e-mail address is a fixed value in the X.509 certificate once it is generated and cannot be updated afterwards. A new certificate needs to be generated, and since the e-mail address is also not updated on the key itself, the key needs to be regenerated as well.
In CKM, SCKM, and GKM key modes:
In all three key modes, the keypair is generated by PGP Desktop and, depending on the key mode chosen, the key is partially or fully synchronized with PGP Universal Server. To generate a new key that includes a new X.509 certificate for the end-user's e-mail address:
Warning: Do not remove the old key and certificate from PGP Desktop. The end-user needs to have access to the private key of the old certificate to be able to decrypt e-mail messages that were encrypted to that certificate.
When using SKM key mode:
In SKM mode, the key and certificate are completely managed by PGP Universal Server.
The steps in a brief list:
After the e-mail address is changed on the user account (in AD/Exchange/etc.), you will need to export the "old" X.509 encryption certificate from PGP Universal Server.
The user account is still there, but without any keys attached. PGP Universal Server will generate a new keypair, including new X.509 certificates for signing and encryption, when an outbound mail is processed for this end-user. The new certificates include the new e-mail address and, if applicable, also the new name on the user account itself.
In case an external party sends an encrypted e-mail to the end-user using the old encryption certificate, PGP Universal Server is unable to decrypt this message, and it will be passed through unmodified to the end-user.
You will need to import the old encryption certificate on the end-user's machine. PGP Universal Server only supports one X.509 certificate for signing and one for encryption per user account, so it is not possible to import the old encryption certificate back into PGP Universal Server. On Microsoft Windows you can import the exported "old" encryption certificate in the following way:
On the end-user's machine, open certmgr.msc
The end-user experience when reading mail encrypted to the old X.509 certificate is slightly different: the PGP decryption banners are not shown around the message. Outlook, for instance, shows a blue lock icon with the message to indicate that it is encrypted. Sending encrypted e-mail is unchanged.
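As an added example (not part of the original article), the following PowerShell script lists the certificates in the end-user's Windows personal store that carry an e-mail address and flags those bound to an address other than the current one, so you can confirm that the imported old encryption certificate is present together with its private key. The current address and the store path are assumptions for the illustration.

```powershell
# Added example (not part of the original article): list S/MIME certificates in the
# Windows personal store and flag those bound to an e-mail address other than the
# user's current one. $CurrentAddress is a constructed value; replace it as needed.
param(
    [string]$CurrentAddress = 'new.name@example.com',   # constructed
    [string]$StorePath      = 'Cert:\CurrentUser\My'    # assumed store location
)

function Get-CertificateEmail {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # .NET resolves EmailName from the rfc822Name in Subject Alternative Name or the E= subject attribute.
    $email = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)
    if ($email) { return $email }
    # Fallback: parse the formatted SAN extension (OID 2.5.29.17) ourselves.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san -and ($san.Format($false) -match 'RFC822 Name=([^,\s]+)')) { return $Matches[1] }
    return $null
}

Get-ChildItem $StorePath | ForEach-Object {
    $email = Get-CertificateEmail $_
    if (-not $email) { return }                       # not an e-mail certificate, skip it
    if ($email -ieq $CurrentAddress) {
        $status = 'current address'
    } elseif ($_.HasPrivateKey) {
        $status = 'stale address: keep for decrypting old mail'
    } else {
        $status = 'stale address, no private key: cannot decrypt old mail'
    }
    [pscustomobject]@{
        Thumbprint    = $_.Thumbprint
        Email         = $email
        HasPrivateKey = $_.HasPrivateKey
        NotAfter      = $_.NotAfter
        Status        = $status
    }
} | Format-Table -AutoSize
```

A stale certificate without a private key means the export or import did not include the key material, and mail encrypted to the old certificate will remain unreadable on that machine.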
Applies To
PGP Universal Server with an Organization Certificate added that is used to generate X.509 certificates for end-users.