This article explains how to create a Certificate Signing Request (CSR) for an SSL certificate and then import the certificate to the PGP Encryption Server (Symantec Encryption Management Server).

We will also discuss the process to "Renew" a certificate that will soon expire.

Services such as clustering and Web Email Protection use the TLS protocol and require a server TLS certificate which includes the host name for the IP address of the server on which the service is running. To issue a certificate, the Certificate Authority needs information found in a certificate request (CSR).

Because Web Email Protection is public facing, it is recommended to get a certificate from a Trusted Certificate Authority, such as Digicert to be able to assign the certs.

If the PGP Server is in the mailflow, it is also highly recommended to get a trusted certificate for TLS Email communications to be seamless.

There are four stages to this process:

1. Create the Certificate Signing Request (CSR) file and submit it to the CA (Certificate Authority).
2. Ensure that PGP Server trusts the certificates in the server certificate's issuing chain or certification path (Keys, Trusted Keys on the PGP Encryption Server).
3. Import the signed server certificate.
4. Assign the certificate to the correct network interface of PGP Encryption Server.

Section 1 of 6: Create and Submit a Certificate Signing Request (CSR)

1. Log into the admin console.
2. Navigate to System / Network and click on the Certificates button at the bottom of the page.
3. Click the Generate CSR button.
   
   NOTE:  You can also choose to generate a Self Signed Certificate if you do not intend to use an external or internal Certificate Authority.
    
4. Type in the Fully Qualified Domain Name (FQDN) for the server. For example, keys.example.com.
5. Do not enter an email address in the Contact Email field. TLS certificates do not generally include an email address.
6. Optionally, enter your organization's name in the Organization Name field.
7. Optionally, enter your organization's unit designation in the Organization Unit field.
8. Optionally, enter a city or locality, as appropriate, in the City/Locality field.
9. Optionally, enter a state or province, as appropriate, in the Province/State field.
10. Optionally, enter a two letter ISO 3166 country code in the Country field.
11. To generate a Certificate Signing Request (CSR), click the Generate CSR button.
12. The CSR window opens, showing the BEGIN CERTIFICATE REQUEST text.
13. Select all of the text, copy and paste it into a text editor and save the file. Then click the OK button.
14. The certificate appears on the Certificate page as Pending. If you click on the certificate name you will see the CSR text and can copy it again if required.
15. Submit the text file containing the CSR or its contents to your Certificate Authority (CA).
16. The CA will send a public server certificate back to you. The CA will also send you the root certificate and any intermediate certificates.

Important Note: Starting with PGP Encryption Server 10.5.1 MP2 and above, when the new TLS Certificate is imported into the System/Network/Certificates, and then subsequently assigned to the Network Interface, the chain should be built automatically. 
IMSFR-931

Section 2 of 6: Ensure that the Certificates in the Issuing Chain are Trusted

Before you import the server certificate, you must ensure that the PGP Encryption Management Server trusts the certificates in the server certificate's issuing chain or certification path. Every server certificate has an issuing chain of certificates. Generally, the Certificate Authority will send you these certificates or direct you to a web site from where you can download them. There is always a root certificate in the issuing chain and at least one intermediate certificate.

Important Note: Starting with PGP Encryption Server 10.5.1 MP2 and above, when the new TLS Certificate is imported into the System/Network/Certificates, and then subsequently assigned to the Network Interface, the chain should be built automatically. 
IMSFR-931

If you are not on 10.5.1 MP2 or above, to ensure that the PGP Encryption Server trusts them please do the following:

1. From the admin console, click on Keys / Trusted Keys.
2. Search for the name of the certificate to check if it is already present. If you find a certificate that has a similar name to the one you are looking for, check whether the expiry date matches and, to be completely sure it is the same certificate, check the fingerprint / thumbprint.
3. If the certificate is not already present, click on the Add Trusted Key button.
4. Click on the Choose File button, browse to the location of the **Root Certificate** and click Open. Note that the certificate must be in Base-64 encoded format, not DER encoded binary format.
5. At a minimum, click to enable the option Trust key for verifying SSL/TLS certificates.
   TIP: Check all the boxes so it's easy to find the cert you just imported as it will show "FULL".
6. If Encryption Management Server processes email, enable the option Trust key for verifying mail encryption keys.
7. Click the Save button.
8. Repeat the above steps to import the root certificate and all applicable **Intermediate Certificates** (Some CAs may have one intermediate, some may have multiple, check with your CA to ensure you have all of them present.  Double-click the Root Certificate you have and under Certificate Path, check the chain).
   
   IMPORTANT TIP: Check the thumbprint/fingerprint of the Root Certificate Authority and Intermediate Certificate Authority and make sure they are listed in the Trusted keys.  This will make it possible for the certificate chain file to be created once you assign the certificate to the interface.
   
   Also, if you have generated your certificate from another server, you must export the entire keypair (Public and Private) to the SEE Management Server.  

Section 3 of 6: Import the Server Certificate

1. Open the server certificate that the Certificate Authority sent you in a text editor and copy all the text to the clipboard.
2. From the administration console, click on System / Network and then click the Certificates button.
3. Click the + button in the Import column of the pending certificate you are adding. The Add Certificate to Key dialog box appears.
4. Paste the certificate text from the clipboard into the Certificate Block box.
5. Click Save to import the new certificate.

Next, you will assign the certificate from the previous steps to the network interface.

1. Click on System / Network.
2. Select the correct Interface from the interface drop down list.
3. Select the new certificate from the Assigned Certificate drop down list.
4. Click Save.

Note for Sans Alternative Names attribute
The PGP Encryption Server does not have the ability to create a SANs for additional hostnames for the PGP server.  If you would like to have this functionality, please log a new support ticket with Symantec Encryption to be added to this feature request.

As a workaround, generate the CSR, and your Certificate Authority should allow you to add these attributes manually and then the certificate can be added to the PGP server.

Section 4 of 6: Certificate Renewal (for certs that will soon expire)

If the TLS Certificate assigned under System, Network, is going to expire soon, the PGP server will typically provide a warning on the login screen to remind you.
If you do not renew the certificate, there could be issues with various aspects of the server. It is better to get the certificate renewed a few weeks prior to key expiration.

To be able to "renew" the certificate, you will go through the same process above to generate a new CSR request as shown in "Section 1" of this article. 

Section 5 of 6: Certificate Chain is not built after assigning to Network Interface

If you have created a certificate for the PGP Encryption Server and uploaded it to the server, and the chain did not build, first make sure the Root and Intermediate Certs are included in Trusted Keys on the PGP Server.

If they are included in Trusted Keys, and the chain file is still not built, update to PGP Server 10.5.1 MP2, then on System/Network, click the "Save" button to save the information.
If this does not work, please reach out to Symantec Encryption Support for further guidance.
EPG-26983

If you have scanned your PGP Server and are seeing any certificates that do not look like the one you just assigned to the interface, such as "root@localhost", reach out to  Symantec Encryption Support for further guidance. 

Section 6 of 6: Creating a CSR with Subject Alternative Name

Starting with PGP Encryption Server 11, you can now generate a CSR with a Subject Alternative Name.

For further guidance, reach out to Symantec Encryption Support.