This is a tutorial article designed to assist administrators in working with the keys and certificates which PGP Universal Server uses and creates.
HOW TO: Configure PGP Universal Server Administrative Keys and Certificates
Before completing any steps outlined in this document, make sure you have a good understanding of the keys and certificates created and used by PGP Universal Server.
Your Organization Key is used to sign all user keys that the PGP Universal Server creates, and to encrypt server backups. The Organization Key is what was referred to as the Corporate Key in the old PGP Keyserver environment.
|Warning: You must make a backup of your Organization Key in case of a problem with the server. Server backups are encrypted to the Organization Key, so a server backup can only be restored with the backup copy of the Organization Key.|
Each PGP Universal Server is pre-configured with a unique Organization Key generated by the Setup Assistant. If you would like to use different settings for this key, you may regenerate a key with the settings you prefer. This should only be done prior to deployment of the server or creation of user keys by the server.
The Organization Key will automatically renew itself one day before its expiration date. It will renew with all the same settings. If you have multiple PGP Universal Servers in a cluster, the Organization Keys on the Secondary servers in the cluster will be synchronized with the Primary server in the cluster.
An Organization Key's identification is based on the name of the managed domain for which the key was created. By convention an Organization Key has one ID per managed domain, so that it can be found easily via a directory lookup.
Inspecting the Organization Key:
Regenerating the Organization Key:
|Warning: Changing the Organization Key makes all previous backups impossible to decrypt, and all validity signatures on the keys of internal users are unverifiable until those keys are automatically renewed. Only change the Organization Key if you fully understand the consequences of this action. Changing the Organization Key also deletes Ignition Keys: if you have hard or soft token Ignition Keys configured, regenerating the Organization Key deletes them.|
Importing an Organization Key:
You also have the option of importing an existing PKCS #12 key and using that as your Organization Key.
|Caution: Changing the Organization Key deletes Ignition Keys. If you have hard or soft token Ignition Keys configured, replacing the Organization Key deletes them. Without an Ignition Key, PGP Universal Web Messenger data is no longer stored encrypted.|
An Organization Certificate is required for S/MIME support. You can only have one Organization Certificate attached to your Organization Key. You will not be able to restore from a backup with more than one Organization Certificate associated with your Organization Key.
The PGP Universal Server will automatically generate certificates as well as keys for new internal users created after you import or generate an Organization Certificate. All existing internal users will receive a certificate on their keys within 24 hours. However, if you replace the Organization Certificate, the old Organization Certificate remains on users' keys until it expires.
To enable S/MIME support, the certificate of the issuing Root CA, and every other certificate in the chain between the Root CA and the Organization Certificate, must be on the list of trusted keys and certificates on the Trusted Keys and Certificates card. A self-signed Organization Certificate will have the same expiration date as the Organization Key, unless the Organization Key is set never to expire. If the Organization Key will never expire, the Organization Certificate will expire 10 years from the date you generate it. You must regenerate the Organization Certificate before it expires and distribute the new certificate to anyone who uses your old Organization Certificate as a trusted root CA.
Inspecting the Organization Certificate:
Generating the Organization Certificate:
Importing the Organization Certificate:
Additional Decryption Keys (ADK)
An Additional Decryption Key (ADK) is a way to retrieve an email message when the recipient is unable or unwilling to do so and regulation or security policy requires it: every message sent by an internal user is also encrypted to the ADK, so it can be opened by the recipient and by the holder(s) of the ADK.
If you have an Additional Decryption Key uploaded, all outbound email is encrypted to it when mail policy is applied. This setting appears in the Send (encrypted/signed) action and cannot be disabled. Refer to Chapter 14, Setting Mail Policy, for more information.
You can create an ADK with PGP Desktop, and then add it to your PGP Universal Server and use it. You can only have one ADK.
|Note: S/MIME messages are not encrypted to the ADK.|
If you use an ADK, PGP Universal adds the ADK to all new keys that it generates and all outbound email messages are automatically encrypted to it.
If you are going to use an ADK on your PGP Universal Server, import it before generating any user keys. Also avoid changing to a different ADK later, because doing so leaves some keys associated with the old ADK and some with the new one: if you add or change an ADK, it is associated only with the keys of new users, and existing users do not get the new ADK added to their keys.
Only PGP keys can be used as ADKs.
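Two checks in this article come down to the same question: is a given OpenPGP message (a server backup, which must be encrypted to the Organization Key, or an outbound mail, which must also be encrypted to the ADK) actually encrypted to the key you expect? The following Python is an added example, not code from the original article or from PGP Corporation. It uses only the standard library to walk the packet headers of a binary OpenPGP message (RFC 4880) and list the key ID carried by each Public-Key Encrypted Session Key packet. The sample message, the key IDs and the MPI contents are constructed here for illustration; they are not real ciphertext.

```python
"""List the recipient key IDs of a binary OpenPGP message (RFC 4880 packet format, stdlib only)."""
import struct

PKESK = 1    # Public-Key Encrypted Session Key packet: one per recipient key
SKESK = 3    # Symmetric-Key Encrypted Session Key packet (passphrase recipient)
SEIPD = 18   # Symmetrically Encrypted Integrity Protected Data: the payload
WILDCARD_KEY_ID = "0000000000000000"  # PKESK whose recipient key ID was hidden ("thrown")


def _packet_header(data, pos):
    """Return (tag, body_start, body_length) for the packet header at pos.
    Handles old- and new-format headers; partial body lengths are rejected."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("byte 0x%02x at offset %d is not a packet header" % (ctb, pos))
    if ctb & 0x40:                                   # new format, RFC 4880 section 4.2.2
        tag, first = ctb & 0x3F, data[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + data[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise ValueError("partial body length at offset %d not supported" % pos)
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03       # old format, RFC 4880 section 4.2.1
    if ltype == 0:
        return tag, pos + 2, data[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", data[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", data[pos + 1:pos + 5])[0]
    raise ValueError("indeterminate length at offset %d not supported" % pos)


def recipient_key_ids(message):
    """Return the key ID of every PKESK packet as 16 upper-case hex digits.
    Session-key packets lead the message; parsing stops at the first other packet (the payload)."""
    ids, pos = [], 0
    while pos < len(message):
        tag, start, length = _packet_header(message, pos)
        if tag == PKESK:
            body = message[start:start + length]
            if body[0] != 3:                          # RFC 4880 defines only PKESK version 3
                raise ValueError("unexpected PKESK version %d" % body[0])
            ids.append(body[1:9].hex().upper())       # 8-byte key ID follows the version octet
        elif tag != SKESK:
            break
        pos = start + length
    return ids


def encrypted_to(message, key_id_or_fingerprint):
    """True if some PKESK names the given key. Accepts a 16-hex key ID or a 40-hex v4 fingerprint
    (the key ID is its low 64 bits). A wildcard PKESK hides its recipient and never matches."""
    wanted = key_id_or_fingerprint.replace(" ", "").upper()[-16:]
    return wanted != WILDCARD_KEY_ID and wanted in recipient_key_ids(message)


# Constructed sample message: packet framing is real, MPI and payload bytes are filler.
def _new_packet(tag, body):
    n = len(body)
    if n < 192:
        hdr = bytes([0xC0 | tag, n])
    elif n < 8384:
        hdr = bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        hdr = bytes([0xC0 | tag, 255]) + struct.pack(">I", n)
    return hdr + body


def _old_packet(tag, body):
    return bytes([0x80 | (tag << 2), len(body)]) + body   # one-octet length, body under 256 bytes


def _pkesk(key_id_hex, algo=1):
    """PKESK body: version 3, key ID, public-key algorithm (1 = RSA), one MPI (filler here)."""
    mpi = bytes([0x00, 0x80]) + b"\x42" * 16                # 128-bit filler MPI, not a real RSA value
    return bytes([3]) + bytes.fromhex(key_id_hex) + bytes([algo]) + mpi


USER_KEY_ID = "0123456789ABCDEF"   # assumed recipient key ID (made up for the example)
ADK_KEY_ID = "ADADADADADADADAD"    # assumed Additional Decryption Key ID (made up for the example)
SAMPLE_MESSAGE = (_new_packet(PKESK, _pkesk(USER_KEY_ID))
                  + _old_packet(PKESK, _pkesk(ADK_KEY_ID))
                  + _new_packet(SEIPD, bytes([1]) + b"\x00" * 40))

if __name__ == "__main__":
    print("recipients:", recipient_key_ids(SAMPLE_MESSAGE))
    print("encrypted to ADK:", encrypted_to(SAMPLE_MESSAGE, ADK_KEY_ID))
```

Feed it the raw bytes of a message or backup file (dearmor ASCII-armored input first). A key ID of all zeros means the sender hid the recipient, so the check cannot tell whether the ADK or Organization Key is among them; treat that as a failure of the policy rather than a pass. The same information is what `gpg --list-packets` prints as "keyid" for each pubkey enc packet.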
Inspecting an ADK:
Importing an ADK:
Deleting an ADK:
|Note: All keys generated while the ADK was present will continue to reference the ADK even after you delete the ADK. The change will apply only to keys that are generated after the ADK is deleted.|
Verified Directory Keys (VDK)
The Verified Directory Key is the signing key for the keys of PGP Verified Directory users outside your managed domain. It must be a keypair, with both the private and the public key. Once you enable the setting that allows external users to submit their keys through the PGP Verified Directory, you must upload a Verified Directory Key; external users cannot submit their keys to the PGP Verified Directory until you have added it.
If you have multiple PGP Universal Servers in a cluster, the Verified Directory Keys on the Secondary servers in the cluster will be synchronized with the Primary server in the cluster.
Inspecting the VDK:
Importing a VDK:
Deleting the VDK:
Certificate for SSL/TLS Connections
To see the Certificates card, navigate to the Network Settings card (System/Network in the administrative interface) and click the Certificates button in the lower left corner of the screen.
The Certificates card lets you view existing certificates, import existing certificates, and generate self-signed certificates and new certificate requests.
The Setup Assistant automatically creates a self-signed certificate for use with SSL/TLS traffic. Because this certificate is self-signed, it may not be trusted by email or Web browser clients; the specific behavior depends on the client and its security settings.
|Note: PGP Corporation recommends you obtain a valid SSL/TLS certificate for each of your servers from a public Certificate Authority. Not doing so may lead to incompatibilities with some email clients and Web browsers.|
You can also use pre-existing keys and certificates for SSL/TLS traffic (you must import them first so that they appear on the Certificates card; you can then assign them using the Certificate Assignment card).
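The chain requirement for S/MIME above (root and every intermediate on the trusted list) and the self-signed SSL/TLS certificate in this section can both be checked with the OpenSSL command-line tool. The following Python is an added example, not part of the original article or of the PGP Universal Server product: it assumes an openssl binary (1.1.1 or later) is on the PATH, builds a throwaway root CA, issuing CA and Organization Certificate, then verifies the leaf against different trusted sets and tests whether a certificate is self-signed. All names and keys are constructed for the demonstration.

```python
"""Verify an S/MIME certificate chain and detect self-signed certificates with the openssl CLI.
Assumption: the openssl binary (1.1.1 or later) is installed; the test PKI is generated here."""
import os
import shutil
import subprocess
import tempfile

OPENSSL = shutil.which("openssl")   # None if the CLI is missing

# Own req config so the demo does not depend on the system openssl.cnf.
REQ_CONF = "[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n" \
           "[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n"
INTER_EXT = "basicConstraints = critical,CA:TRUE,pathlen:0\nkeyUsage = critical,keyCertSign,cRLSign\n"
LEAF_EXT = "basicConstraints = CA:FALSE\nkeyUsage = critical,digitalSignature,keyEncipherment\n" \
           "extendedKeyUsage = emailProtection\n"


def _openssl(*args, check=False):
    return subprocess.run([OPENSSL, *args], capture_output=True, text=True, check=check)


def _write(path, text):
    with open(path, "w") as f:
        f.write(text)
    return path


def verify_chain(leaf, trusted_bundle, untrusted=None):
    """True if leaf chains to an anchor in trusted_bundle (a PEM file playing the role of the
    Trusted Keys and Certificates list). untrusted may hold intermediates the relying party does
    not trust on their own, as when a mail client receives them inside the S/MIME message."""
    args = ["verify", "-CAfile", trusted_bundle]
    if untrusted:
        args += ["-untrusted", untrusted]
    return _openssl(*args, leaf).returncode == 0


def is_self_signed(cert):
    """Subject DN equals issuer DN: the property of the Setup Assistant's default certificate
    that makes browsers and mail clients refuse it unless the user adds an exception."""
    out = _openssl("x509", "-noout", "-nameopt", "RFC2253", "-subject", "-issuer", "-in", cert).stdout
    names = dict(line.split("=", 1) for line in out.splitlines() if "=" in line)
    return names["subject"].strip() == names["issuer"].strip()


def build_demo_pki(workdir):
    """Root CA -> issuing CA -> Organization Certificate, all with throwaway keys."""
    p = lambda name: os.path.join(workdir, name)
    conf = _write(p("req.cnf"), REQ_CONF)
    _openssl("req", "-x509", "-config", conf, "-extensions", "v3_ca", "-newkey", "rsa:2048", "-nodes",
             "-days", "3650", "-subj", "/CN=Example Root CA",
             "-keyout", p("root.key"), "-out", p("root.pem"), check=True)
    _openssl("req", "-new", "-config", conf, "-newkey", "rsa:2048", "-nodes",
             "-subj", "/CN=Example Issuing CA", "-keyout", p("inter.key"), "-out", p("inter.csr"), check=True)
    _openssl("x509", "-req", "-in", p("inter.csr"), "-CA", p("root.pem"), "-CAkey", p("root.key"),
             "-CAcreateserial", "-days", "1825", "-out", p("inter.pem"),
             "-extfile", _write(p("inter.ext"), INTER_EXT), check=True)
    _openssl("req", "-new", "-config", conf, "-newkey", "rsa:2048", "-nodes",
             "-subj", "/CN=Organization Certificate", "-keyout", p("org.key"), "-out", p("org.csr"), check=True)
    _openssl("x509", "-req", "-in", p("org.csr"), "-CA", p("inter.pem"), "-CAkey", p("inter.key"),
             "-CAcreateserial", "-days", "365", "-out", p("org.pem"),
             "-extfile", _write(p("org.ext"), LEAF_EXT), check=True)
    with open(p("root.pem")) as r, open(p("inter.pem")) as i:
        _write(p("root_and_inter.pem"), r.read() + i.read())   # root plus intermediate: the full trusted list
    return {"root": p("root.pem"), "inter": p("inter.pem"), "org": p("org.pem"),
            "trusted_full": p("root_and_inter.pem")}


def demo():
    """Run the checks the S/MIME and SSL/TLS sections call for; returns a dict of results."""
    with tempfile.TemporaryDirectory() as workdir:
        pki = build_demo_pki(workdir)
        return {
            "root_only_trusted": verify_chain(pki["org"], pki["root"]),                  # False: intermediate missing
            "root_and_intermediate_trusted": verify_chain(pki["org"], pki["trusted_full"]),   # True
            "intermediate_supplied_untrusted": verify_chain(pki["org"], pki["root"], untrusted=pki["inter"]),  # True
            "org_cert_self_signed": is_self_signed(pki["org"]),     # False
            "root_cert_self_signed": is_self_signed(pki["root"]),   # True
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The first result is the failure mode the S/MIME section warns about: with only the root on the trusted list, the Organization Certificate cannot be validated because nothing links it to the root. Adding the intermediate to the trusted bundle, or supplying it as untrusted chain material the way a mail client does, makes the same certificate verify. To check the certificate a server actually presents, save it with `openssl s_client -connect host:443 -showcerts` and pass the file to these functions.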
Inspecting the SSL/TLS Certificate:
Importing an SSL/TLS Certificate: