Symantec Encryption Management Server displays the Organization attribute as the User ID for Trusted Certificates

Article ID: 163239

Products

Encryption Management Server, Gateway Email Encryption

Issue/Introduction

Symantec Encryption Management Server includes over one hundred certificates from well-known Certificate Authorities. These are shown in the administration console under Keys / Trusted Keys.

The User ID field for many of these certificates is identical. For example, there are over 10 trusted certificates with a User ID of VeriSign. This can make it difficult to determine whether a certificate that an administrator wishes to add to Trusted Keys is already present.

Cause

The User ID field shows the Organization (O) attribute from the Subject field of the certificate.

For example, a trusted certificate with a User ID of Thawte has the following attributes in its Subject field:

CN = Thawte Timestamping CA
OU = Thawte Certification
O = Thawte
L = Durbanville
S = Western Cape
C = ZA

Resolution

To identify a trusted certificate, click on its User ID and make a note of its Fingerprint. This is unique for each certificate and is displayed in upper case. In Microsoft Windows, double-click the certificate to view its properties and, under the Details tab, note its Thumbprint, which is displayed in lower case. If the Fingerprint and the Thumbprint are identical (ignoring the case of the characters), then the certificates are identical.
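
The comparison described above can be scripted when several certificates need checking. The following is an added example, not Symantec code: it computes the SHA-1 digest of a certificate's DER encoding (the value Windows shows as Thumbprint) and compares it, ignoring case and separators, with Fingerprints noted from the console. The sample certificate bytes, the entry labels and the grouped display format are constructed for illustration, and the example assumes the console Fingerprint is the same SHA-1 digest, as the comparison in this article implies.

```python
import base64
import hashlib
import re

# Constructed stand-in bytes, NOT a real certificate. The digest is taken over
# the DER bytes of the file, so any byte string shows the mechanics.
SAMPLE_DER = bytes.fromhex("3082010a0201") + b"constructed-sample-certificate-body"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(cert):
    """Accept a PEM (Base-64) or DER (binary) export and return the DER bytes."""
    raw = cert.encode("ascii") if isinstance(cert, str) else cert
    match = PEM_RE.search(raw.decode("latin-1"))
    return base64.b64decode(match.group(1)) if match else raw

def thumbprint(cert):
    """SHA-1 over the DER encoding: the value Windows displays as Thumbprint."""
    return hashlib.sha1(to_der(cert)).hexdigest()

def normalize(fingerprint):
    """Keep hex digits only (drops spaces, colons, invisible characters
    picked up by copy and paste), then lower-case."""
    return re.sub(r"[^0-9A-Fa-f]", "", fingerprint).lower()

def same_certificate(fp_a, fp_b):
    """Case-insensitive comparison; empty or different-length values never match."""
    a, b = normalize(fp_a), normalize(fp_b)
    return bool(a) and len(a) == len(b) and a == b

def find_in_trusted(candidate_fp, trusted):
    """trusted maps a label to the Fingerprint noted from Keys / Trusted Keys."""
    return [name for name, fp in trusted.items() if same_certificate(candidate_fp, fp)]

if __name__ == "__main__":
    tp = thumbprint(SAMPLE_PEM)  # in practice: thumbprint(open(path, "rb").read())
    # Constructed console-style values: upper case, grouped in fours.
    shown = " ".join(tp.upper()[i:i + 4] for i in range(0, len(tp), 4))
    trusted = {"Thawte (constructed entry 1)": shown,
               "Thawte (constructed entry 2)": "00" * 20}
    print("Thumbprint :", tp)
    print("Fingerprint:", shown)
    print("Already in Trusted Keys as:", find_in_trusted(tp, trusted))
```

Because the labels in `trusted` can repeat the same Organization value, the match is made on the digest alone, never on the User ID.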

Note that if an administrator adds a certificate to Trusted Keys that is already present, the existing certificate will be replaced; a duplicate User ID will not be created.

If the User ID field under Trusted Keys displayed the Common Name (CN) attribute from the Subject field of the certificate, it would be quicker to identify certificates because Common Name is generally unique. This change is under consideration for a future release of Symantec Encryption Management Server.

TIP: If importing a Root or Intermediate Certificate is necessary, an easy way to see which certificate was just imported is to check the following three boxes upon import:

  • Trust key for verifying mail encryption keys
  • Trust key for verifying SSL/TLS certificates
  • Trust key for verifying keyserver client certificates

The default trust for certificates is "Mail, TLS". After importing with all three boxes above checked, the certificate will show up as "Full", which makes it easy to distinguish as the certificate just imported. Using the Thumbprint, however, is the only way to know for sure if the actual certificate was imported.