Encryption Management Server may allow revoked certificates to be imported and used for email encryption.
Prior to release 3.4 MP1 the following certificate validation occurs:
Release 3.4 MP1 contains a new configuration setting to enforce stricter certificate validation. When the new setting is enabled, the following validation occurs:
If an attempt is made to import a revoked user certificate, Encryption Management Server logs a warning like this in the Administration log, provided the certificate's chain is trusted:
Not importing user "<[email protected]>" (KeyID: 0x0ABC1D23) because the key has been revoked
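To monitor for this warning, the refusals can be counted per KeyID in an exported copy of the Administration log. The Python below is an added example, not part of the original article or the product. Only the message text comes from the article; the timestamp and severity prefix, the function name and the sample lines are constructed assumptions.

```python
import re

# The message text comes from the article. The timestamp/severity prefix in
# the sample lines is an assumed export layout, so the pattern ignores it.
REVOKED_RE = re.compile(
    r'Not importing user "(?P<user>[^"]*)" '
    r"\(KeyID: (?P<keyid>0x[0-9A-Fa-f]+)\) "
    r"because the key has been revoked"
)

# Constructed sample lines (not real server output).
SAMPLE_LOG = """\
2024/01/10 09:15:02 WARN Not importing user "<alice@example.com>" (KeyID: 0x0ABC1D23) because the key has been revoked
2024/01/10 09:15:04 INFO unrelated entry (constructed filler)
2024/01/10 11:40:17 WARN Not importing user "<alice@example.com>" (KeyID: 0x0abc1d23) because the key has been revoked
2024/01/11 08:02:55 WARN Not importing user "<carol@example.com>" (KeyID: 0x55667788) because the key has been revoked
"""


def revoked_import_attempts(lines):
    """Group revoked-key import refusals by KeyID.

    Returns {keyid: {"users": sorted list, "count": int}}.
    """
    hits = {}
    for line in lines:
        m = REVOKED_RE.search(line)
        if m is None:
            continue
        # KeyIDs are hex, so normalise case to merge repeated attempts.
        keyid = "0x" + m.group("keyid")[2:].upper()
        entry = hits.setdefault(keyid, {"users": set(), "count": 0})
        entry["users"].add(m.group("user").strip("<> "))
        entry["count"] += 1
    return {k: {"users": sorted(v["users"]), "count": v["count"]}
            for k, v in hits.items()}


if __name__ == "__main__":
    summary = revoked_import_attempts(SAMPLE_LOG.splitlines())
    for keyid, info in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(f'{keyid}  attempts={info["count"]}  users={", ".join(info["users"])}')
```

Repeated refusals for the same KeyID usually mean a directory or keyserver is still publishing the revoked certificate and should be cleaned up at the source.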
Encryption Management Server includes over one hundred trusted certificates from well-known Certificate Authorities. Therefore, the revocation status of many S/MIME certificates will be checked automatically. Exceptions include S/MIME certificates issued by internal Certificate Authorities and certificates found on third-party keyservers (Encryption Management Server can be configured to search automatically for certificates on third-party keyservers).
To trust a new Root or Intermediate certificate, use the Add Trusted Key button on the Keys / Trusted Keys page of the Encryption Management Server administration console and ensure that the option Trust key for verifying mail encryption keys is enabled.