Working with Trusted Keys and Certificates on the PGP Encryption Server (Symantec Encryption Management Server (PGP))
Article ID: 180143

Products: Encryption Management Server, File Share Encryption, Gateway Email Encryption, Desktop Email Encryption, Drive Encryption, Endpoint Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK, PGP Encryption Suite

Issue/Introduction

This article provides step-by-step instructions for adding, inspecting, and changing trusted keys and certificates in the PGP Encryption Server 10.5 and above (Symantec Encryption Management Server).

Resolution

Trusted Keys and Certificates can be found under the Organization/Trusted Keys tabs. They are keys and certificates that you trust but are not part of the Self Managing Security Architecture (SMSA) created by the PGP Encryption Server.

In those cases where the PGP Encryption Server cannot find a public key for a particular user on any of the keyservers you have defined as trusted, it will also search the default directories. If it finds a key in one of the default directories, it will trust (and therefore be able to use) that key only if it has been signed by one of the keys in the trusted keys list.

The PGP Encryption Server can use S/MIME only if it has the root certificates of the CAs available to verify the client certificates. These CAs can be in-house CAs or externally managed CAs.

To enable S/MIME support, the certificate of the issuing Root CA, and all other certificates in the chain between the Root CA and the Organization Certificate, must be on the list of trusted keys and certificates on the Trusted Keys and Certificates card. The PGP Encryption Server comes with information on many public CAs already installed on the Trusted Keys and Certificates card. Only in-house CAs or new public CAs that issue user certificates need to be manually imported. You can inspect, export (save on your machine), or delete the root certificates at any time.

Trusted Certificates can be in any of the following formats: .cer, .crt, .pem and .p7b.

  • Entrust Authority Security Manager
  • RSA Security KCA 6.5
  • Baltimore UniCERT 5.0
  • Microsoft Certificate Services
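
The chain requirement above (root CA plus every intermediate between it and the Organization Certificate) and the accepted file formats can be checked before anything is imported into the server. The following POSIX shell script is an added example, not Symantec's code or part of the original article: it uses OpenSSL to build a throwaway Root CA, Issuing CA and Organization certificate (all names constructed), converts between .pem, DER .cer and .p7b, inspects the CA flag the way you would before granting a trust purpose, and shows that the Organization certificate validates only when the issuing CA is in the trusted set alongside the root.

```shell
#!/bin/sh
# Added example (not Symantec's code): Root CA -> Issuing CA -> Organization certificate
# hierarchy built with OpenSSL, format conversions (.pem, .cer/DER, .p7b), and a check
# that the Organization certificate chains to the root only when the Issuing CA is
# present in the trusted bundle. Subject names are constructed for this demo.
set -eu

WORK="${TMPDIR:-/tmp}/trusted-chain-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config: an empty DN section (subjects are passed with -subj) plus
# extension profiles for a CA certificate and for an S/MIME organization certificate.
cat > "$WORK/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_org]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectKeyIdentifier = hash
EOF

# issue <name> <subject> <ext-profile> [<issuer-name>]: writes $WORK/<name>.pem.
# Without an issuer the certificate is self-signed (the root).
issue() {
  name=$1 subject=$2 profile=$3 issuer=${4:-}
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl req -x509 -new -key "$WORK/$name.key" -config "$WORK/demo.cnf" \
      -subj "$subject" -extensions "$profile" -days 2 -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl req -new -key "$WORK/$name.key" -config "$WORK/demo.cnf" \
      -subj "$subject" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
      -CAcreateserial -days 2 -extfile "$WORK/demo.cnf" -extensions "$profile" \
      -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# chain_verdict <trusted-bundle.pem> <cert.pem>: prints "complete" when the certificate
# chains to a root using only the trusted bundle, otherwise "incomplete".
chain_verdict() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo complete; else echo incomplete; fi
}

# is_ca <cert-file> <inform>: prints "yes" if basicConstraints marks the certificate as
# a CA, the property to inspect before granting it any of the trust purposes.
is_ca() {
  if openssl x509 -in "$1" -inform "$2" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
    echo yes
  else
    echo no
  fi
}

# pem_cert_count <pem-file>: number of certificates in a PEM bundle.
pem_cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Build the constructed hierarchy.
issue root "/CN=Example Root CA" v3_ca
issue issuing "/CN=Example Issuing CA" v3_ca root
issue org "/CN=Example Organization" v3_org issuing

# Format conversions: DER (.cer) for a single certificate, PKCS#7 (.p7b) for the CA chain,
# then the .p7b unpacked back to PEM to confirm both CA certificates survived.
openssl x509 -in "$WORK/org.pem" -outform DER -out "$WORK/org.cer"
openssl crl2pkcs7 -nocrl -certfile "$WORK/issuing.pem" -certfile "$WORK/root.pem" -out "$WORK/chain.p7b"
openssl pkcs7 -in "$WORK/chain.p7b" -print_certs -out "$WORK/chain-from-p7b.pem"

# Two trusted sets: the root alone versus root plus issuing CA.
cp "$WORK/root.pem" "$WORK/trusted-root-only.pem"
cat "$WORK/root.pem" "$WORK/issuing.pem" > "$WORK/trusted-full-chain.pem"

echo "root only      : $(chain_verdict "$WORK/trusted-root-only.pem" "$WORK/org.pem")"
echo "root + issuing : $(chain_verdict "$WORK/trusted-full-chain.pem" "$WORK/org.pem")"
echo "org.cer is CA  : $(is_ca "$WORK/org.cer" DER)"
echo "certs in .p7b  : $(pem_cert_count "$WORK/chain-from-p7b.pem")"
```

With only the root in the trusted bundle, `openssl verify` cannot find the issuer of the Organization certificate and reports the chain as incomplete; adding the Issuing CA makes it complete. That is exactly the situation the Trusted Keys list has to cover: import the root and every intermediate, not just the root. The `is_ca` check is a quick way to confirm that what you are about to trust for verifying certificates is actually a CA certificate and not an end-entity certificate.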

Important Note: Starting with PGP Encryption Server 10.5.1 MP2 and above, when the new TLS Certificate is imported into System/Network/Certificates and then subsequently assigned to the Network Interface, the chain should be built automatically (IMSFR-931).

Inspecting and Changing Trusted Key Properties

Step 1: In the Administration Console go to the Organization/Trusted Keys tab.

Step 2: Click on the User ID (the name) of the trusted key or certificate that you want to inspect.
The Trusted Key Info dialog appears.

Step 3: Inspect the properties of the trusted key or certificate you selected. You may need to click More to see all the certificate data.

Step 4: To export the trusted key, click Export and save the file to the desired location.

Step 5: To change the properties of the trusted key or certificate, check or uncheck any of the following:

Check Trust key for verifying mail encryption keys when you want the key or certificate to be trusted for the purpose of verifying signatures on keys from keyservers listed in the default domain.

Check Trust key for verifying SSL/TLS certificates when you want the X.509 certificate being added to be trusted for the purpose of verifying SSL/TLS certificates presented from remote SMTP/POP/IMAP mail servers.

Check Trust key for verifying keyserver client certificates when you want the X.509 certificate being added to be trusted for the purpose of verifying keyserver client authentication certificates.

Step 6: Click Save.

Adding a Trusted Key or Certificate

Step 1: Under the Organization/Trusted Keys tabs, click Add Trusted Key near the bottom of the screen. The Add Trusted Key dialog appears.

Step 2: To import a trusted key saved in a file, click Browse and choose the file that contains the trusted key or certificate you want to add.

Step 3: To import a key in key-block format, paste the key block of the trusted key or certificate into the "Import Key Block" box (you will need to copy the text of the trusted key or certificate first in order to paste it).

Step 4: You can trust the keys and certificates for different things:

Check Trust key for verifying mail encryption keys when you want the key or certificate being added to be trusted for the purpose of verifying signatures on keys from keyservers listed in the default domain.

Check Trust key for verifying SSL/TLS certificates when you want the X.509 certificate being added to be trusted for the purpose of verifying SSL/TLS certificates presented from remote SMTP/POP/IMAP mail servers.

Check Trust key for verifying keyserver client certificates when you want the X.509 certificate being added to be trusted for the purpose of verifying keyserver client authentication certificates.

Step 5: Click Save.


For further guidance, reach out to Symantec Encryption Support.

Additional Information

178609 - How to create an SSL certificate to secure SEE Client Communication with the Symantec Endpoint Encryption Management Server (SEE)

214267 - Enable TLS/SSL for the Database on Symantec Endpoint Encryption Configuration Manager (SEE)

176302 - Renewing the Symantec Endpoint Encryption Management Server TLS certificate (SEE)

155127 - Symantec Endpoint Encryption Client communication and SEE Client Creation troubleshooting steps

155218 - HOW TO: Generate a new self-signed Organization Certificate for PGP Server for SMIME Email Encryption (PGP)

180416 - How to Install an SSL Certificate for Symantec Encryption Management Server (PGP Server)

257339 - How to Create and Assign a Subordinate/Intermediate Certificate for SMIME/Certificate Signing with PGP Server (PGP)

180143 - HOW TO: Work with Trusted Keys and Certificates on the PGP Encryption Server (Symantec Encryption Management Server (PGP))

172547 - Missing PGPtrustedcerts.asc file in Encryption Desktop client installer (String too long) - Trusted Keys Duplicated