ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

How to Install an SSL Certificate for Encryption Management Server


Article ID: 180416


Updated On:


Encryption Management Server Gateway Email Encryption


This article explains how to create a Certificate Signing Request (CSR) for an SSL certificate and then import the certificate to Encryption Management Server.

Services such as clustering and Web Email Protection use the TLS protocol and require a server TLS certificate which includes the host name for the IP address of the server on which the service is running. To issue a certificate, the Certificate Authority needs information found in a certificate request (CSR).

There are four stages to this process:

  1. Create the certificate signing request (CSR) file and submit it to the CA (Certificate Authority).
  2. Ensure that Encryption Management Server trusts the certificates in the server certificate's issuing chain or certification path.
  3. Import the signed server certificate.
  4. Assign the certificate to the correct network interface of Encryption Management Server.


Symantec Encryption Management Server 3.4.2 and above.


Create and Submit a Certificate Signing Request (CSR)

  1. Log into the admin console.
  2. Navigate to System / Network and click on the Certificates button at the bottom of the page.
  3. Click the Generate CSR button.

    NOTE:  You can also choose to generate a Self Signed Certificate if you do not intend to use an external or internal Certificate Authority.
  4. Type in the Fully Qualified Domain Name (FQDN) for the server. For example,
  5. Do not enter an email address in the Contact Email field. TLS certificates do not generally include an email address.
  6. Optionally, enter your organization's name in the Organization Name field.
  7. Optionally, enter your organization's unit designation in the Organization Unit field.
  8. Optionally, enter a city or locality, as appropriate, in the City/Locality field.
  9. Optionally, enter a state or province, as appropriate, in the Province/State field.
  10. Optionally, enter a two letter ISO 3166 country code in the Country field.
  11. To generate a Certificate Signing Request (CSR), click the Generate CSR button.
  12. The CSR window opens, showing the BEGIN CERTIFICATE REQUEST text.
  13. Select all of the text, copy and paste it into a text editor and save the file. Then click the OK button.
  14. The certificate appears on the Certificate page as Pending. If you click on the certificate name you will see the CSR text and can copy it again if required.
  15. Submit the text file containing the CSR or its contents to your Certificate Authority (CA).
  16. The CA will send a public server certificate back to you. The CA will also send you the root certificate and any intermediate certificates.


Ensure that the Certificates in the Issuing Chain are Trusted

Before you import the server certificate, you must ensure that Encryption Management Server trusts the certificates in the server certificate's issuing chain or certification path. Every server certificate has an issuing chain of certificates. Generally, the Certificate Authority will send you these certificates or direct you to a web site from where you can download them. There is always a root certificate in the issuing chain and at least one intermediate certificate. To ensure that Encryption Management server trusts them please do the following:

  1. From the admin console, click on Keys / Trusted Keys.
  2. Search for the name of the certificate to check if it is already present. If you find a certificate that has a similar name to the one you are looking for, check whether the expiry date matches and, to be completely sure it is the same certificate, check the fingerprint / thumbprint.
  3. If the certificate is not already present, click on the Add Trusted Key button.
  4. Click on the Choose File button, browse to the location of the **Root Certificate** and click Open. Note that the certificate must be in Base-64 encoded format, not DER encoded binary format.
  5. At a minimum, click to enable the option Trust key for verifying SSL/TLS certificates.
    TIP: Check all the boxes so it's easy to find the cert you just imported as it will show "FULL".
  6. If Encryption Management Server processes email, enable the option Trust key for verifying mail encryption keys.
  7. Click the Save button.
  8. Repeat the above steps to import the root certificate and all applicable **Intermediate Certificates** (Some CAs may have one intermediate, some may have multiple, check with your CA to ensure you have all of them present.  Double-click the Root Certificate you have and under Certificate Path, check the chain).

    IMPORTANT TIP: Check the thumbprint/fingerprint of the Root Certificate Authority and Intermediate Certificate Authority and make sure they are listed in the Trusted keys.  This will make it possible for the certificate chain file to be created once you assign the certificate to the interface.

Import the Server Certificate

  1. Open the server certificate that the Certificate Authority sent you in a text editor and copy all the text to the clipboard.
  2. From the administration console, click on System / Network and then click the Certificates button.
  3. Click the + button in the Import column of the pending certificate you are adding. The Add Certificate to Key dialog box appears.
  4. Paste the certificate text from the clipboard into the Certificate Block box.
  5. Click Save to import the new certificate.

Assign the Server Certificate to the Correct Interface

  1. Click on System / Network.
  2. Select the correct Interface from the interface drop down list.
  3. Select the new certificate from the Assigned Certificate drop down list.
  4. Click Save.


Note for Sans Alternative Names attribute
Symantec Encryption Management Server does not have the ability to create a SANs for additional hostnames for the PGP server.  If you would like to have this functionality, please log a new support ticket with Symantec Encryption to be added to this feature request.

As a workaround, generate the CSR, and your Certificate Authority should allow you to add these attributes manually and then the certificate can be added to the PGP server.

Additional Information


154069 - Best Practices: Environmental Requirements for Symantec Encryption Management Server clustering (AKA PGP Server)

227219 - Making Symantec Endpoint Encryption Management Server Public Facing

227509 - Migrating from Symantec Encryption Desktop to Symantec Endpoint Encryption (Drive Encryption components)