search cancel

Renewing the Symantec Encryption Management Server Organization Certificate generates duplicate client certificates

book

Article ID: 161922

calendar_today

Updated On:

Products

Encryption Management Server Gateway Email Encryption

Issue/Introduction

Renewing a Symantec Encryption Management Server Organization Certificate may result in duplicate client certificates being generated if the Organization Certificate was initially created in an earlier release.

The duplicate client certificates will be generated with the following upgrade paths:

  1. Organization Certificate created in PGP Universal Server 2.12 and renewed in PGP Universal Server 3.x.
  2. Organization Certificate created in Symantec Encryption Management Server 3.3.2 MP13 or below and renewed in Symantec Encryption Management Server 3.4 and above.


SKM key mode
For example, prior to the Organization Certificate being renewed, a user using SKM key mode will have user certificates like this visible in the administration console:

SKM User certificates prior to Organization Certificate renewal

After the Organization Certificate is renewed and the twice daily key renewal process has run on the server, a second signing certificate will be generated for the user:

SKM User certificates after Organization Certificate renewal


GKM or CKM key mode
For a user using GKM or CKM key mode, prior to the Organization Certificate being renewed the user certificate will look like this:

CKM User certificates prior to Organization Certificate renewal

After the Organization Certificate is renewed and the twice daily key renewal process has run on the server, a second certificate will be generated for the user:

CKM User certificates after Organization Certificate renewal


Cause

This occurs because the default order of the attributes within the Subject and Issuer fields in the Organization Certificate differs depending on which release is being used.

To confirm this change:

  1. Export the public Organization Certificate to a *.pem file.
  2. Rename the *.pem file *.cer or *.crt so that it can be opened in Windows.
  3. Browse to the file in Windows Explorer and double-click on the file.
  4. Click on the Details tab and scroll down to the Subject field.

An Organization Certificate generated in PGP Universal Server 2.x has the following order of attributes in the Subject and Issuer fields:

Organization Certificate generated in PGP Universal Server 2.x

An Organization Certificate generated in Symantec Encryption Management Server (and PGP Universal Server) 3.0 to 3.3.2 MP13 has the attributes in the Subject and Issuer fields in reverse order compared to PGP Universal Server 2.x:

Organization Certificate generated in PGP Universal Server 3.x or Symantec Encryption Management Server

An Organization Certificate generated in Symantec Encryption Management Server 3.4 and above has the attributes in the Subject and Issuer fields in almost the same order as PGP Universal Server 2.x - the difference is that the OU and O fields are reversed:

Organization Certificate 3.4

The Issuer field of a client certificate is identical to the Subject field of its Organization Certificate.

If the order of attributes in the Organization Certificate's Subject field changes then a new client certificate is generated. This is because collectively the attributes in the Subject field of an Organization Certificate comprise the certificate's Distinguished Name.  

When renewing client certificates, Symantec Encryption Management Server detects that the Organization Certificate has been replaced, rather than having its validity date extended.

Resolution

Duplicate client certificates caused by these changes to the attribute order of the Organization Certificate are very unlikely to result in any issues. Note that the older duplicate client certificates will be deleted automatically once they have expired.

In Symantec Encryption Management Server 3.4 and above it is possible to avoid duplicates being generated because there is a setting that determines the default order of attributes in the Organization Certificate Subject and Issuer fields. There are three possible options. Please contact Support for further details:

  1. The default Symantec Encryption Management Server 3.4 order which is very similar to the order in PGP Universal Server 2.x.
  2. The order used in PGP Universal Server 2.x.
  3. The order used in Symantec Encryption Management Server 3.3.2 MP13 and below.

In Symantec Encryption Management Server 3.3.2 MP13 and below, the only way to ensure compatibility when renewing an Organization Certificate originally created in PGP Universal Server 2.x is as follows:

  1. Build a temporary PGP Universal Server 2.x.
  2. Export the Organization Key from Symantec Encryption Management Server being sure to include the private key.
  3. Import the Organization Key into PGP Universal Server 2.x.
  4. Generate a new Organization Certificate in PGP Universal Server 2.x, being sure to use exactly the same values for the Issuer attributes.
  5. Export the public Organization Certificate from PGP Universal Server 2.x.
  6. Import the public Organization Certificate into Symantec Encryption Management Server.
  7. If after 12 hours there are no duplicate client certificates then this procedure has been successful.

Attachments