This article provides step-by-step instructions for adding, inspecting, and changing trusted keys and certificates in PGP Universal 10.5 and above.
HOW TO: Work with Trusted Keys and Certificates on PGP Server
Trusted Keys and Certificates can be found under the Organization/Trusted Keys tabs. They are keys and certificates that you trust but are not part of the SMSA created by PGP Universal.
In those cases where your PGP Universal Server cannot find a public key for a particular user on any of the keyservers you have defined as trusted, it will also search the default directories. If it finds a key in one of the default directories, it will trust (and therefore be able to use) that key only if it has been signed by one of the keys in the trusted keys list.
PGP Universal can use S/MIME only if it has the root certificates of the issuing CAs available to verify the client certificates. These CAs can be run in-house or by an outside-managed CA.
To enable S/MIME support, the certificate of the issuing Root CA, and every other certificate in the chain between the Root CA and the Organization Certificate, must be on the list of trusted keys and certificates on the Trusted Keys and Certificates card. PGP Universal Server comes with information on many public CAs already installed on the Trusted Keys and Certificates card, so only in-house CAs, or new public CAs that issue user certificates, need to be imported manually. You can inspect, export (save on your machine), or delete the root certificates at any time.
Trusted Certificates can be in any of the following formats: .cer, .crt, .pem and .p7b.
- Entrust Authority Security Manager
- RSA Security KCA 6.5
- Baltimore UniCERT 5.0
- Microsoft Certificate Services
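The chain requirement above (the Root CA plus every intermediate must be on the Trusted Keys and Certificates card) is easy to get wrong when a CA hands out only part of its chain. As an added example, not from this article or from PGP Universal itself, the following POSIX shell script uses only the openssl command-line tool to check whether a PEM bundle covers the whole chain from an organization certificate up to its Root CA, to convert a .p7b bundle to PEM, and to list what a bundle contains before it is trusted. The "Demo" CA names and the locally generated throwaway keys are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the PGP Universal documentation: before importing a CA bundle
# onto the Trusted Keys and Certificates card, check that it holds every certificate
# between the Root CA and the organization certificate (the page's S/MIME requirement),
# and convert a .p7b bundle to PEM for inspection. Needs only the openssl CLI.
# The CA hierarchy is constructed locally with throwaway keys; the names are made up.

WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT

# Build Root CA -> Issuing CA -> organization certificate under $WORK.
build_demo_hierarchy() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$WORK/ca.ext"
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\n' >"$WORK/req.cnf"
    cat "$WORK/ca.ext" >>"$WORK/req.cnf"
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
    openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=Demo Org Cert" \
        -keyout "$WORK/org.key" -out "$WORK/org.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/org.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
        -CAcreateserial -days 2 -out "$WORK/org.pem" 2>/dev/null
}

# Succeed only if every issuer from the org cert up to a self-signed root is in bundle $1:
# a root alone, or an intermediate alone, is rejected, just as the server could not verify
# client certificates with only that certificate on the trusted card.
chain_complete() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Convert a DER .p7b bundle (a common CA download format) to PEM so it can be inspected.
p7b_to_pem() { openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2" 2>/dev/null; }

# Show subject and issuer of each certificate in a PEM bundle before trusting it.
list_bundle() { openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout; }

build_demo_hierarchy
cat "$WORK/root.pem" "$WORK/inter.pem" >"$WORK/full.pem"
openssl crl2pkcs7 -nocrl -certfile "$WORK/full.pem" -outform DER -out "$WORK/chain.p7b"
p7b_to_pem "$WORK/chain.p7b" "$WORK/chain.pem"
list_bundle "$WORK/chain.pem"
for bundle in root.pem inter.pem chain.pem; do
    if chain_complete "$WORK/$bundle" "$WORK/org.pem"; then
        echo "$bundle: chain complete, ready to import"
    else
        echo "$bundle: chain incomplete, import the missing CA certificate(s) too"
    fi
done
```

Only chain.pem (root plus intermediate) passes; root.pem alone fails because the intermediate is missing, and inter.pem alone fails because it does not lead up to a self-signed root.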
Inspecting and Changing Trusted Key Properties
- In the Administration Console go to the Organization>Trusted Keys tab.
- Click on the User ID (the name) of the trusted key or certificate that you want to inspect.
The Trusted Key Info dialog appears.
- Inspect the properties of the trusted key or certificate you selected; you may need to click More to see all of the certificate data.
- To export the trusted key, click Export and save the file to the desired location.
- To change the properties of the trusted key or certificate, check or uncheck any of the following:
Check Trust key for verifying mail encryption keys when you want the key or certificate to be trusted for verifying signatures on keys from the keyservers listed in the default domain.
Check Trust key for verifying SSL/TLS certificates when you want the X.509 certificate to be trusted for verifying the SSL/TLS certificates presented by remote SMTP/POP/IMAP mail servers.
Check Trust key for verifying keyserver client certificates when you want the X.509 certificate to be trusted for verifying keyserver client authentication certificates.
- Click Save.
Adding a Trusted Key or Certificate
- Under the Organization/Trusted Keys tabs, click Add Trusted Key near the bottom of the screen. The Add Trusted Key dialog appears.
- To import a trusted key saved in a file, click Browse and choose the file that contains the trusted key or certificate you want to add.
- To import a key in key-block format, paste the key block of the trusted key or certificate into the "Import Key Block" box (you will need to copy the text of the trusted key or certificate first in order to paste it).
- You can trust the key or certificate for different purposes:
Check Trust key for verifying mail encryption keys when you want the key or certificate being added to be trusted for verifying signatures on keys from the keyservers listed in the default domain.
Check Trust key for verifying SSL/TLS certificates when you want the X.509 certificate being added to be trusted for verifying the SSL/TLS certificates presented by remote SMTP/POP/IMAP mail servers.
Check Trust key for verifying keyserver client certificates when you want the X.509 certificate being added to be trusted for verifying keyserver client authentication certificates.
- Click Save.