search cancel

Encryption Management Server does not issue S/MIME certificates to existing GKM key mode users

book

Article ID: 187899

calendar_today

Updated On:

Products

Encryption Management Server Powered by PGP Technology Encryption Desktop Powered by PGP Technology

Issue/Introduction

If you add an Organization Certificate to Encryption Management Server, it does not issue S/MIME certificates to existing internal users with GKM (Guarded Key Mode) keys. However, it does issue S/MIME certificates to existing internal users with SKM (Server Key Mode) keys.

Cause

With GKM key mode, Encryption Management Server only stores a passphrase protected copy of the user's key. Only the end user knows the key's passphrase and therefore Encryption Management Server cannot modify the key. With SKM key mode, Encryption Management Server manages the key.

Environment

Release : 3.3.2 MP13 and above.

Component : Encryption Management Server.

Resolution

Please do the following to ensure that Encryption Management Server issues an S/MIME certificate to an existing GKM key mode user:
  1. Create an Organization Certificate on Encryption Management Server.
  2. Delete the GKM mode user from Encryption Management Server.
  3. Re-enroll the user. To re-enroll, quit or kill pgptray.exe then delete or rename the folder "%appdata%\PGP Corporation". Do not delete or rename the folder Documents\PGP.
  4. Start pgptray and the user will be prompted to enroll. The user needs to respond that they have an existing key and they will be prompted for the key's passphrase.
  5. Encryption Management Server will create a user account for the user and Encryption Desktop will upload their key.
  6. Encryption Management Server will create an S/MIME certificate for the user.