This article provides step-by-step instructions for adding, inspecting, and changing trusted keys and certificates in the PGP Encryption Server 10.5 and above (Symantec Encryption Management Server).
Trusted Keys and Certificates can be found under the Organization/Trusted Keys tabs. They are keys and certificates that you trust but are not part of the Self Managing Security Architecture (SMSA) created by the PGP Encryption Server.
In those cases where the PGP Encryption Server cannot find a public key for a particular user on any of the keyservers you have defined as trusted, it will also search the default directories. If it finds a key in one of the default directories, it will trust (and therefore be able to use) that key only if it has been signed by one of the keys in the trusted keys list.
The PGP Encryption Server can use S/MIME only if it has the root certificates from the CAs available to verify the client certificates. These CAs can be in-house CAs or CAs managed by an outside provider.
To enable S/MIME support, the certificate of the issuing Root CA, and all other certificates in the chain between the Root CA and the Organization Certificate, must be on the list of trusted keys and certificates on the Trusted Keys and Certificates card. The PGP Encryption Server comes with information on many public CAs already installed on the Trusted Keys and Certificates card. Only in-house CAs or new public CAs that issue user certificates need to be manually imported. You can inspect, export (save on your machine), or delete the root certificates at any time.
Trusted Certificates can be in any of the following formats: .cer, .crt, .pem and .p7b.
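The following POSIX shell script is an added example and is not part of the Symantec article or product: it uses the OpenSSL command-line tool to check a CA chain before it is imported on the Trusted Keys and Certificates card. It unpacks a .p7b bundle into PEM so the individual certificates can be inspected, reports whether a certificate is self-signed and whether it is a CA, and confirms that an organization certificate validates against the root through the supplied intermediates, which is the condition the paragraph above describes (root plus every intermediate must be trusted). It goes slightly beyond the text by also showing that the check fails when an intermediate is missing. It assumes `openssl` is on PATH; the file names root.pem, issuing-ca.pem, org.pem and chain.p7b are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not the product's own code: pre-import checks for a CA chain
# with the OpenSSL CLI. Assumes `openssl` is on PATH; all file names are
# placeholders for this example.

# extract_p7b_certs <bundle.p7b> <out.pem>
# Unpacks a PKCS#7 (.p7b) bundle into PEM so each certificate can be inspected.
extract_p7b_certs() {
    openssl pkcs7 -print_certs -in "$1" -out "$2" >/dev/null 2>&1
}

# count_certs <bundle.pem>  -> prints how many certificates the PEM file holds
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# cert_subject / cert_issuer <cert.pem> -> the DN without the "subject="/"issuer=" prefix
cert_subject() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# cert_is_self_signed <cert.pem> -> exit 0 when subject equals issuer (a root CA)
cert_is_self_signed() {
    [ "$(cert_subject "$1")" = "$(cert_issuer "$1")" ]
}

# cert_is_ca <cert.pem> -> exit 0 when basicConstraints marks the certificate as a CA
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# verify_chain <root.pem> <intermediates.pem or ""> <org.pem>
# Exit 0 only when org.pem chains to root.pem through the given intermediates.
# This mirrors what the server needs on the Trusted Keys card: the root and
# every certificate between the root and the organization certificate.
verify_chain() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
    fi
}

# report_cert <cert.pem> -> one summary line, useful for eyeballing a file before import
report_cert() {
    if cert_is_self_signed "$1"; then kind="self-signed"; else kind="issued"; fi
    if cert_is_ca "$1"; then role="CA"; else role="end-entity"; fi
    printf '%s: %s [%s %s], issuer: %s\n' \
        "$1" "$(cert_subject "$1")" "$kind" "$role" "$(cert_issuer "$1")"
}

# Usage: sh check_chain.sh root.pem issuing-ca.pem org.pem
# (placeholder names; the intermediates file may contain several certificates)
if [ $# -eq 3 ]; then
    for f in "$1" "$2" "$3"; do report_cert "$f"; done
    if verify_chain "$1" "$2" "$3"; then
        echo "chain OK: import $1 and every certificate in $2 as trusted"
    else
        echo "chain INCOMPLETE: a certificate between the root and $3 is missing"
    fi
fi
```

Run it against the exported root, the intermediate bundle and the organization certificate; a failing result before import usually means an intermediate issuer is absent from the bundle, which is the same condition that leaves the server unable to verify S/MIME client certificates after import.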
Important Note: Starting with PGP Encryption Server 10.5.1 MP2 and above, when the new TLS Certificate is imported into the System/Network/Certificates, and then subsequently assigned to the Network Interface, the chain should be built automatically.
IMSFR-931
Inspecting and Changing Trusted Key Properties
Step 1: In the Administration Console go to the Organization>Trusted Keys tab.
Step 2: Click on the User ID (the name) of the trusted key or certificate that you want to inspect.
The Trusted Key Info dialog appears.
Step 3: Inspect the properties of the trusted key or certificate you selected. You may need to click More to see all the certificate data.
Step 4: To export the trusted key, click Export and save the file to the desired location.
Step 5: To change the properties of the trusted key or certificate, check or uncheck any of the following:
Check Trust key for verifying mail encryption keys when you want the key or certificate to be trusted for the purpose of verifying signatures on keys from keyservers listed in the default domain.
Check Trust key for verifying SSL/TLS certificates when you want the X.509 certificate being added to be trusted for the purpose of verifying SSL/TLS certificates presented from remote SMTP/POP/IMAP mail servers.
Check Trust key for verifying keyserver client certificates when you want the X.509 certificate being added to be trusted for the purpose of verifying keyserver client authentication certificates.
Step 6: Click Save.
Adding a Trusted Key or Certificate
Step 1: Under the Organization/Trusted Keys tabs, click Add Trusted Key near the bottom of the screen. The Add Trusted Key dialog appears.
Step 2: To import a trusted key saved in a file, click Browse and choose the file that contains the trusted key or certificate you want to add.
Step 3: To import a key in key-block format, paste the key block of the trusted key or certificate into the "Import Key Block" box (you will need to copy the text of the trusted key or certificate first in order to paste it).
Step 4: You can trust the keys and certificates for different things:
Check Trust key for verifying mail encryption keys when you want the key or certificate being added to be trusted for the purpose of verifying signatures on keys from keyservers listed in the default domain.
Check Trust key for verifying SSL/TLS certificates when you want the X.509 certificate being added to be trusted for the purpose of verifying SSL/TLS certificates presented from remote SMTP/POP/IMAP mail servers.
Check Trust key for verifying keyserver client certificates when you want the X.509 certificate being added to be trusted for the purpose of verifying keyserver client authentication certificates.
Step 5: Click Save.
For further guidance, reach out to Symantec Encryption Support.