HOW TO: Import Keypairs to the Keyserver's Keyrings

Article ID: 180113

Products

Symantec Products

Resolution


This article describes how to import keypairs (public and private keys) to your organization's existing Keyserver keyrings.


In certain situations, and in order to enforce some policies, it is necessary to add keypair(s) to the actual public and private keyrings of your PGP Keyserver. It is important to understand the difference between the PGP Keyserver's keyrings and its database of public keys. The Keyserver's database of public keys is quite simply a storage area into which users may place a copy of their public key for others to retrieve. By way of contrast, the PGP Keyserver's keyrings contain both public and private keys which may be used to secure the Keyserver and enforce certain policies.

This article gives step-by-step instructions for importing keypairs (public and private keys) to the keyrings of your PGP Keyserver.

 

If your security policy specifies that multiple keypairs will be used to enforce multiple policies, it is recommended that you plan ahead and import all necessary keypairs at once.
Below is a basic description of the four steps that must be completed in order to import one or more keypairs to your PGP Keyserver's keyrings:

  • Step 1: Using a computer which has PGP Desktop installed, export a copy of the public and private keypair(s) which will be imported to the Keyserver's keyrings.
  • Step 2: On the PGP Keyserver computer, stop the Keyserver services and copy the existing public and private keyring files.
  • Step 3: Transfer the Keyserver's keyring files to the PGP Desktop computer and import the public and private keypair(s) exported in Step 1.
  • Step 4: Transfer the updated Keyserver's keyring files back to the PGP Keyserver computer and restart the Keyserver services.


 

Step 1: Export the keypair(s) which will be added to your Keyserver's keyrings

This step must be completed on a computer which has PGP Desktop installed, and which contains the keypair(s) which you will be adding to your Keyserver's keyrings. If you have already exported a copy of the public and private keypair(s) which will be added to your Keyserver's keyring, you may skip to Step 2 of this article.

 

  1. On the PGP Desktop computer which contains the keypair(s) to be imported to PGP Keyserver's keyrings, open PGPkeys (Click Start>Programs>PGP>PGPkeys).
  2. Right click on the keypair you wish to add to your Keyserver's keyrings.
  3. Click Export. At this point, the Export Key to File window will appear.
  4. Choose the name and location of the keypair.
  5. Make sure you check the Include Private Key(s) box. If you do not check this box, the private key will not be exported.
  6. Click Save. The public and private keypair will be exported to the location you specified.
  7. Repeat steps 1-6 for any additional keypair(s) which must be added to the Keyserver's keyrings.
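Before the exported file leaves the PGP Desktop computer, it is worth confirming that step 5 took effect and the file really carries the private key. The following is an added example, not part of this article or of PGP's own software: a small parser for OpenPGP packet headers (RFC 4880 section 4.2, old and new format) that reports which key packets an exported .asc or binary file contains; the same check can be run on the PGPkeyserver-pubring.pkr and PGPkeyserver-secring.skr files after the import to confirm the merge. The sample packets at the bottom are constructed dummies, not real key material.

```python
import base64
from collections import Counter
# OpenPGP packet tags (RFC 4880, section 4.3) relevant to a keypair export.
TAG_NAMES = {2: "signature", 5: "secret_key", 6: "public_key", 7: "secret_subkey",
             13: "user_id", 14: "public_subkey"}

def dearmor(data: bytes) -> bytes:
    """Return binary packet data, decoding ASCII armor (.asc export) if present."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    body, in_body = [], False
    for line in data.decode("ascii", "replace").splitlines():
        if not in_body:
            in_body = line.strip() == ""     # blank line ends the armor headers
        elif line.startswith(("=", "-----END")):
            break                            # CRC24 line or trailer: body complete
        else:
            body.append(line.strip())
    return base64.b64decode("".join(body))

def iter_packets(data: bytes):  # yields (tag, body); handles old- and new-format headers
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80: raise ValueError("no OpenPGP packet header at offset %d" % pos)
        if ctb & 0x40:                       # new-format header: tag in low 6 bits
            tag, b1 = ctb & 0x3F, data[pos + 1]
            if b1 < 192:
                length, pos = b1, pos + 2
            elif b1 < 224:
                length, pos = ((b1 - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif b1 == 255:
                length, pos = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
            else: raise ValueError("partial body length at offset %d (never used for keys)" % pos)
        else:                                # old-format header: tag in bits 2-5, length type in bits 0-1
            size = {0: 1, 1: 2, 2: 4}[ctb & 0x03]   # type 3 (indeterminate) is invalid for keys
            tag, length = (ctb >> 2) & 0x0F, int.from_bytes(data[pos + 1:pos + 1 + size], "big")
            pos += 1 + size
        if pos + length > len(data): raise ValueError("truncated packet at offset %d" % pos)
        yield tag, data[pos:pos + length]
        pos += length

def key_summary(data: bytes) -> dict:  # has_private is the Include Private Key(s) check
    counts = Counter(TAG_NAMES.get(tag, "other") for tag, _ in iter_packets(dearmor(data)))
    return {"counts": dict(counts), "has_public": counts["public_key"] > 0,
            "has_private": counts["secret_key"] > 0}
# Constructed samples, not real keys: new-format public key (6) + user ID (13), then old-format secret key (5) + secret subkey (7) with dummy bodies, then an armored copy.
PUBLIC_ONLY = bytes([0xC6, 3, 4, 0, 0, 0xCD, 5]) + b"alice"
KEYPAIR = PUBLIC_ONLY + bytes([0x94, 3, 4, 0, 0, 0x9D, 0, 2]) + b"xx"
ARMORED = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed\n\n" + base64.b64encode(PUBLIC_ONLY) + b"\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n"
```

Run `key_summary(open(path, "rb").read())` on the exported file; an export made without the Include Private Key(s) box checked shows `has_private: False` and must be redone before Step 2.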

 

Step 2: Stop Keyserver services and copy existing keyrings

Both portions of this step must be completed on your PGP Keyserver computer.

Stop Keyserver services

  1. On your Keyserver computer, click Start>Settings>Control Panel.
  2. On Windows NT computers, double-click the Services applet. On Windows 2000 computers, double-click Administrative Tools, then double-click the Services applet.
  3. Select and then stop the following three services: PGPsdkService, PGPApache, and PGPKeyserver.
  4. Close the Services applet and close the Control Panel.

Copy Keyserver keyrings

 

  1. Browse to the directory which contains your Keyserver's keyring files. By default this directory is: C:\Program Files\Network Associates\PGP Keyserver\Etc
  2. Copy the PGPkeyserver-pubring.pkr and PGPkeyserver-secring.skr files contained in this directory.
  3. As a backup measure, place a copy of these two files in a neighboring directory of your choice.
  4. At this point you must prepare to transfer copies of these two keyring files to the PGP Desktop computer used in Step 1 of this article. This could be accomplished in a number of ways: by placing the copies on removable media (such as floppy, zip, or CD); by placing them on a secure FTP server; or even by emailing them to yourself. Since it will provide the highest level of security, PGP recommends using removable media.

 

Step 3: Transfer keyring files and import keypair(s)

This step must be completed on the same PGP Desktop computer used in Step 1 of this article.

 

  1. On the PGP Desktop computer, create a new directory named Keyserver (this may be created in a location of your choice).
  2. Transfer the copies of the keyring files (made in Step 2 of this article) to your newly-created Keyserver folder.
  3. Now click the PGPtray icon, click Options, and click the Advanced tab.
  4. Make sure the box near the bottom labeled "Automatic keyring backup when PGPkeys closes" is checked, then click OK.
  5. Click the PGPtray icon, click Options, then click the Files tab.
  6. Make note of the path and filenames listed for both Public and Private Keyrings (this is the location of the current keyrings on the local computer, and must be restored later).
  7. Click the top Browse button and navigate to the Keyserver folder you created in step 1 of this step.
  8. Select the PGPkeyserver-pubring.pkr file, then click Open.
  9. Click the bottom Browse button and navigate to the Keyserver folder you created in step 1 of this step.
  10. Select the PGPkeyserver-secring.skr file, then click Open.
  11. Click OK to close PGP Options.
  12. Open PGPkeys (click Start > Programs > PGP > PGPkeys). At this point you will see the keys that are already on your Keyserver's keyrings.
  13. On the PGPkeys window, click the Keys menu, then click Import.
  14. Browse to the keypair file which you will be adding to the keyring of your Keyserver (you should be browsing to a keypair which you exported in Step 1 of this article).
  15. Click the Open button. The Select Keys dialog box now appears.
  16. Select the keypair and click the Import button.
  17. Click OK when you are notified that the trust value on these keys must be set manually.
  18. Right click on the newly-imported keypair from inside the PGPkeys window, then click Key Properties.
  19. Check the Implicit Trust box, then click Close.
  20. Repeat steps 13-19 for any additional keypairs which must be added to the Keyserver keyrings.
  21. Once all necessary keypairs have been imported, close the PGPkeys window.
  22. Repeat step 5 of this step.
  23. Type (or browse to) the original path and filenames of both the Public and Private Keyrings which you noted in step 6 of this step and click OK.

 

Step 4: Transfer keyring files back to your Keyserver

Step 1 of this step must be completed on the PGP Desktop computer. The remaining steps must be completed on the PGP Keyserver computer.

 

  1. At this point you must prepare to transfer the PGPkeyserver-pubring.pkr and PGPkeyserver-secring.skr files (located in your Keyserver folder) back to your PGP Keyserver computer. This could be accomplished in a number of ways: by placing the files on removable media (such as floppy, zip, or CD); by placing them on a secure FTP server; or even by emailing them to yourself. Since it will provide the highest level of security, PGP recommends using removable media.
  2. Now transfer the PGPkeyserver-pubring.pkr and PGPkeyserver-secring.skr files to the computer which has PGP Keyserver installed.
  3. Copy the PGPkeyserver-pubring.pkr and PGPkeyserver-secring.skr files into the directory for keyring files (default): C:\Program Files\Network Associates\PGP Keyserver\Etc
  4. Choose to replace all existing files.
  5. Click Start, click Settings, then click Control Panel.
  6. On Windows NT computers, double-click the Services applet. On Windows 2000 computers, double-click Administrative Tools, then double-click the Services applet.
  7. Select and then start the following three services: PGPsdkService, PGPApache, and PGPKeyserver. If you are running the Keyserver replication engine, remember to start the PGP Replication Engine service.
  8. Close the Services applet and close the Control Panel.

At this point, your updated PGP Keyserver keyring is ready to be used. You may now configure Keyserver policies which will use the new keypair(s) on your Keyserver keyrings.