Encryption Management Server enables the Certificate Revocation Service by default

Article ID: 174739


Products

Encryption Management Server Gateway Email Encryption

Issue/Introduction

The Encryption Management Server Certificate Revocation service is enabled by default.

Environment

Symantec Encryption Management Server 3.3.2 MP13 and above.

Cause

The Certificate Revocation service publishes the Certificate Revocation List (CRL) over HTTP. Encryption Management Server listens on TCP port 80, and third parties check the CRL by connecting to Encryption Management Server over HTTP and retrieving the *.crl file.

All certificates contain an attribute called CRL Distribution Points, and this attribute contains the URL of the Certificate Revocation List. This applies both to certificates issued by well-known Certificate Authorities and to those issued by Encryption Management Server.

Email clients check the CRL when sending an encrypted message in order to confirm that the certificate to which they are encrypting the message has not been revoked.

Generally, if an email client cannot check the CRL, it will still encrypt the message. By default, Encryption Management Server will also encrypt messages even if the recipient's CRL cannot be checked, though it will issue a warning in the Mail log. Encryption Management Server will also check using OCSP, which is an alternative mechanism to CRLs.
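The following Python is an added example, not code from Symantec or from Encryption Management Server. It shows what a CRL check actually involves: walking a DER-encoded CertificateList (RFC 5280 section 5.1) to collect the revoked serial numbers, then applying the fail-open behaviour described above (encrypt anyway and log a warning when the CRL cannot be fetched) beside a fail-closed alternative. The sample CRL, its issuer name, the serial numbers and the `may_encrypt` policy function are all constructed for the example; the CRL's signature field is a dummy and is not verified, which a real client must do before trusting the list.

```python
"""Minimal CRL revocation check (added example, standard library only)."""
import logging
from typing import Optional

log = logging.getLogger("crl-check")


# --- tiny DER encoder, used only to build the constructed sample CRL ---
def der(tag: int, body: bytes) -> bytes:
    """Encode one TLV with a definite short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def der_int(value: int) -> bytes:
    """INTEGER in minimal two's-complement form (positives get a 0x00 pad if needed)."""
    ln = (value.bit_length() + 8) // 8
    return der(0x02, value.to_bytes(ln, "big", signed=True))


def sample_crl(revoked) -> bytes:
    """Constructed v2 CRL from a hypothetical 'Example CA' with the given serials revoked."""
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    cn = der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0c, b"Example CA")))
    issuer = der(0x30, cn)
    this_update = der(0x17, b"240101000000Z")   # UTCTime, constructed value
    next_update = der(0x17, b"240201000000Z")
    entries = b"".join(der(0x30, der_int(s) + der(0x17, b"231215120000Z")) for s in revoked)
    tbs = der(0x30, der_int(1) + sha256_rsa + issuer + this_update + next_update + der(0x30, entries))
    # signatureValue is a dummy BIT STRING: this CRL is NOT signed and must not be trusted as-is
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" * 33))


# --- minimal DER reader ---
def tlv(buf: bytes, pos: int = 0):
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def children(body: bytes):
    """Yield (tag, value) for each element inside a SEQUENCE/SET body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = tlv(body, pos)
        yield tag, value


def revoked_serials(crl_der: bytes) -> set:
    """Return the set of serial numbers listed in revokedCertificates."""
    _, cert_list, _ = tlv(crl_der)         # CertificateList
    _, tbs, _ = tlv(cert_list)             # tbsCertList
    fields = list(children(tbs))
    if fields and fields[0][0] == 0x02:    # optional version INTEGER
        fields = fields[1:]
    fields = fields[3:]                    # skip signature, issuer, thisUpdate
    if fields and fields[0][0] in (0x17, 0x18):   # optional nextUpdate
        fields = fields[1:]
    serials = set()
    if fields and fields[0][0] == 0x30:    # revokedCertificates SEQUENCE OF
        for _, entry in children(fields[0][1]):
            _, serial, _ = tlv(entry)      # userCertificate is the first element
            serials.add(int.from_bytes(serial, "big", signed=True))
    return serials


def may_encrypt(serial: int, crl_der: Optional[bytes], fail_open: bool = True) -> bool:
    """Hypothetical policy: decide whether to encrypt to a certificate with this serial.

    crl_der is None when the CRL could not be fetched from the distribution point.
    fail_open=True mirrors the default behaviour described in the article: encrypt
    anyway but warn; fail_open=False refuses until revocation status is known.
    """
    if crl_der is None:
        if fail_open:
            log.warning("CRL unavailable; encrypting to serial 0x%x without revocation check", serial)
            return True
        log.error("CRL unavailable; refusing to encrypt to serial 0x%x", serial)
        return False
    if serial in revoked_serials(crl_der):
        log.error("certificate serial 0x%x is revoked; not encrypting", serial)
        return False
    return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    crl = sample_crl([0x1001, 0x1002])
    print("revoked:", sorted(hex(s) for s in revoked_serials(crl)))
    print("revoked serial, CRL present ->", may_encrypt(0x1001, crl))
    print("good serial, CRL missing, fail-open ->", may_encrypt(0x1003, None))
    print("good serial, CRL missing, fail-closed ->", may_encrypt(0x1003, None, fail_open=False))
```

The parser stops at the fields it needs and ignores CRL extensions; a production client would verify the CRL signature against the issuer, honour nextUpdate, and consult the OCSP responder where one is published, as the article notes.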

Resolution

Encryption Management Server automatically creates S/MIME certificates for internal users if an Organization Certificate is present. If no Organization Certificate exists, the Certificate Revocation service can be disabled. This stops Encryption Management Server from listening on TCP port 80 and accepting inbound HTTP connections.

If Encryption Management Server does have an Organization Certificate, internal users will be issued S/MIME certificates. To comply with standards, it is best practice to enable the Certificate Revocation service and permit inbound HTTP connections from the Internet. In addition, Encryption Management Server should be permitted to access the CRLs of third parties by making outbound connections over HTTP.

Additional Information

235862 - Symantec Encryption Management Server unable to process mail when using OCSP

163194 - Symantec Encryption Management Server may encrypt messages to revoked S/MIME certificates if the CRL or OCSP is unavailable

171558 - Inbound S/MIME messages fail to be decrypted if Encryption Management Server cannot make outbound HTTP connections