This article explains how to create a Certificate Signing Request (CSR) for an SSL certificate and then import the certificate to Symantec Encryption Management Server (PGP Server).
We will also discuss how to renew a certificate that will soon expire.
Applies to Symantec Encryption Management Server 3.4.2 and above.
Services such as clustering and Web Email Protection use the TLS protocol and require a server TLS certificate that includes the host name associated with the IP address of the server on which the service runs. To issue a certificate, the Certificate Authority needs the information contained in a Certificate Signing Request (CSR).
Because Web Email Protection is public facing, it is recommended to obtain the certificate from a trusted Certificate Authority, such as DigiCert, so that a trusted certificate can be assigned to that interface.
If the PGP Server is in the mail flow, it is also highly recommended to use a trusted certificate so that TLS email communication is seamless.
There are four stages to this process:
Before you import the server certificate, you must ensure that Encryption Management Server trusts the certificates in the server certificate's issuing chain or certification path. Every server certificate has an issuing chain of certificates: there is always a root certificate and at least one intermediate certificate. Generally, the Certificate Authority sends you these certificates or directs you to a web site from which you can download them. To ensure that Encryption Management Server trusts them, do the following:
Next, you will assign the certificate from the previous steps to the network interface.
Note on the Subject Alternative Name (SAN) attribute
Symantec Encryption Management Server cannot add Subject Alternative Names (SANs) for additional host names to the CSR it generates for the PGP server. If you would like this functionality, please open a support ticket with Symantec Encryption Support to be added to this feature request.
As a workaround, generate the CSR on the server; your Certificate Authority should allow you to add the SAN entries manually when issuing the certificate, and the resulting certificate can then be imported into the PGP server.
If the TLS certificate assigned under System, Network is going to expire soon, the PGP server will typically display a warning on the login screen to remind you.
If you do not renew the certificate, various aspects of the server may stop working correctly. It is better to have the certificate renewed a few weeks before it expires.
To renew the certificate, go through the same process described above to generate a new CSR, as shown in "Section 1" of this article, and then import and assign the new certificate.
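As an added example (not part of this article or of the product), the following shell script performs the checks described above before a CA-issued certificate is imported: that the certificate chains to the root through the intermediate, that the server's host name appears in the SAN entries the CA added, and that the certificate will not expire within a chosen renewal window. It builds a throwaway chain locally with the openssl CLI (OpenSSL 1.1.1 or later assumed); all host names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): pre-import checks for a server
# TLS certificate and its issuing chain, using the openssl CLI. Everything here
# is CONSTRUCTED in a temp directory so it runs offline; the host names are
# placeholders, not a real PGP server.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config: gives 'req' a DN section and CA extensions.
printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' \
  'prompt = no' '[dn]' 'CN = Example Root CA' '[ca_ext]' \
  'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign,cRLSign' > ca.cnf
# Throwaway chain: root CA -> intermediate CA -> server certificate (90 days).
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
  -keyout root.key -out root.pem 2>/dev/null
openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 365 -extfile ca.cnf -extensions ca_ext -out inter.pem 2>/dev/null
# The CSR carries only the CN; the CA adds the SAN entries (the workaround above).
printf 'subjectAltName = DNS:pgp.example.com,DNS:keys.example.com\n' > srv.ext
openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=pgp.example.com" \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 90 -extfile srv.ext -out server.pem 2>/dev/null

# check_server_cert CERT INTERMEDIATE ROOT HOSTNAME MIN_DAYS
# Succeeds only if CERT chains to ROOT via INTERMEDIATE, HOSTNAME matches its
# SAN (or CN when no SAN is present), and it stays valid for MIN_DAYS more days.
check_server_cert() {
  cert=$1 inter=$2 root=$3 host=$4 min_days=$5
  openssl verify -CAfile "$root" -untrusted "$inter" -verify_hostname "$host" \
    "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null
}

# Demonstration: valid chain + matching SAN + 3-week margin passes; a host
# name absent from the SAN, or a margin longer than the remaining life, fails.
check_server_cert server.pem inter.pem root.pem pgp.example.com 21 && echo "OK: ready to import"
check_server_cert server.pem inter.pem root.pem other.example.com 21 || echo "FAIL: host name"
check_server_cert server.pem inter.pem root.pem pgp.example.com 120 || echo "FAIL: renew soon"
```

Run the same function against the real files the CA sent you, with the PGP server's host name and your renewal margin, before importing them under System, Network.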
If you run into any snags, or need an option to renew, please reach out to Symantec Encryption Support for further guidance.