Looking up S/MIME certificates for users managed by PGP Encryption Server using Outlook (Symantec Encryption Management Server)
search cancel

Looking up S/MIME certificates for users managed by PGP Encryption Server using Outlook (Symantec Encryption Management Server)


Article ID: 171278


Updated On:


Encryption Management Server Gateway Email Encryption


To send S/MIME encrypted email messages to a user managed by the PGP Encryption Server (Symantec Encryption Management Server), you need to obtain the user's public S/MIME certificate.

If your organization also uses a PGP Encryption Server, the two Servers can perform key lookups on each other. PGP Encryption Desktop Email (Symantec Encryption Desktop) can also be used to lookup keys on the remote PGP Server.

If your organization does not use a PGP Encryption Server and you do not use Encryption Desktop Email then Microsoft Outlook could be used but some configuration is required.


Microsoft Outlook can find and download S/MIME certificates for users managed by the PGP Encryption Server. This is possible by adding the remote PGP Server as an LDAP Address Book in Microsoft Outlook.

The following requirements apply:

  1. The PGP Encryption Server needs to have the Keyserver service enabled and accessible by remote hosts over the Internet using the LDAP port (389).
  2. Outlook needs to be able to connect over the Internet to the remote PGP Encryption Server using the LDAP protocol.
  3. Your private S/MIME certificate needs to be installed in Outlook.
  4. You must have installed the remote PGP Encryption Server's public Organization Certificate as a Trusted Root Certification Authority in the Windows certificate store. If you have a Web Email Protection or PDF Email Protection account on the PGP Server, you can upload your public S/MIME certificate to the server by logging in, clicking on Settings and choosing Key or digital ID/certificate. Once you have uploaded your certificate, your are given the option of downloading the PGP Encryption Server public Organization Certificate.

To add an LDAP address book in Microsoft Outlook 2013, please follow the following steps. Also please see the Microsoft article Add or remove an address book. The steps are almost identical in all versions of Outlook:

  1. In Outlook, click on File / Account Settings.
  2. Click on the Address Books tab.
  3. Click on New.
  4. Accept the default of Internet Directory Service (LDAP).
  5. In the Server Name field, enter the public FQDN of the PGP Encryption Server key server. For example, keys.example.com.
  6. Click on the More Settings button.
  7. Click on the Search tab.
  8. In the Search Base section, click on the Custom radio button and enter the following search string:
  9. Click the OK button to save the new address book.
  10. Close Outlook and open it again.

To use the new LDAP address book to send an S/MIME encrypted message, do the following:

  1. Compose a new message.
  2. Click on the To: button. This allows you to search address books.
  3. By default, the local Contacts address book is selected. 
  4. In the drop down list of address books, select the LDAP address book that points to PGP Encryption Server. This will be called, for example, keys.example.com.
  5. In the Search text box, enter the full email address of the PGP Encryption Server internal user, for example, [email protected] and click the Go button to search.
  6. Outlook will connect to the remote PGP Encryption Server and search for the name matching the email address.
  7. Highlight the name and click on the To: button to add it as a recipient. You can also copy the name to the local Contacts address book at this point (see below).
  8. Click on the Options menu and then click on the Encrypt button and, optionally, the Sign button.
  9. Send the message.

Outlook will look in the local Contacts address book by default and the local Contacts address book can store far more information for each contact than just their name and email address. To copy an Encryption Management Server user from the LDAP address book to the local Contact address book, follow the above steps and after step 6 do the following:

  1. Double click on the name of the PGP Encryption Server user.
  2. Click on the Add to Contacts button to create a new local contact entry.
  3. Edit the fields in the contact record as desired and then click Save & Close.

Users managed by the PGP Encryption Management Server can only send S/MIME encrypted messages if the Outlook user is an External User and their public S/MIME certificate has been imported into Encryption Management Server. The easiest method of doing this is to configure the Outlook user as a Web Email Protection user. They can then upload their public S/MIME certificate themselves (see above).