The PGP Encryption Server (Symantec Encryption Management Server) Certificate Revocation service is enabled by default.
PGP Encryption Server 3.3.2 MP13 and above.
The Certificate Revocation service publishes the Certificate Revocation List (CRL) over HTTP: the PGP Encryption Server listens on TCP port 80, and third parties check the CRL by connecting over HTTP and fetching the *.crl file.
All certificates contain an extension called CRL Distribution Points, and this extension holds the URL of the Certificate Revocation List. This applies both to certificates issued by well-known Certificate Authorities and to those issued by the PGP Encryption Server.
Email clients check the CRL when sending an encrypted message in order to confirm that the certificate to which they are encrypting the message has not been revoked.
Generally, if the email client cannot check the CRL, it will still encrypt the message. By default, the PGP Encryption Server will also encrypt messages even if the recipient's CRL cannot be checked, though it will record a warning in the Mail log. It also checks revocation status using OCSP, which is an alternative mechanism to CRLs.
Certificate Revocation Lists (CRLs)
The PGP Encryption Server automatically creates S/MIME certificates for internal users if an Organization Certificate is present. If no Organization Certificate exists, the Certificate Revocation service can be disabled. Disabling it stops the server from listening on TCP port 80 and accepting inbound HTTP connections.
If the PGP Encryption Server does have an Organization Certificate, internal users will be issued S/MIME certificates. To comply with standards, it is best practice to enable the Certificate Revocation service and permit inbound HTTP connections from the Internet. In addition, the server should be permitted to make outbound HTTP connections so that it can fetch the CRLs of third parties.
By default, CRLs are served on port 80 over unencrypted HTTP; no TLS certificate is assigned to this service.
Online Certificate Status Protocol (OCSP)
OCSP verifies whether a user certificate is still valid. OCSP uses OCSP responders to determine the revocation status of an individual X.509 client certificate.
The OCSP responder performs its verification in real time: it aggregates certificate validation data and answers an OCSP request for one particular certificate.
OCSP has somewhat less overhead than CRL checking, because the client does not have to keep downloading the full CRL to maintain up-to-date certificate status information.