When a third party sends an S/MIME signed or S/MIME signed and encrypted message to an Encryption Management Server or Encryption Desktop user, the smart annotation around the body of the message is red and shows "PGP - S/MIME Signed by an unverified key" in the top border of the annotation.
It shows "Issuer: issuer name - Unverified" in the bottom border of the annotation, where issuer name is the Organization (O) attribute of the issuing certificate.
This applies to Encryption Management Server 3.4.2 and above.
The issuing certificate chain is not trusted by Encryption Management Server.
Add the certificates in the sender's issuing certificate chain to Encryption Management Server.
You can find and save the certificates in the sender's certificate chain by double-clicking the sender's personal certificate and navigating to the Certification Path tab.
Do the following to save each certificate in the chain:
Note that you do not need to save the sender's personal certificate, just the issuing certificates.
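As an alternative to the certificate viewer, the issuing certificates can be pulled from the signed message itself with OpenSSL. This is an added example, not part of the original article or the product; the function names, file names, throwaway CA and sample message are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): list and save the issuing certificates
# carried inside an S/MIME signed message; the sender's own cert is skipped.

# Constructed sample: a throwaway CA signs a sender certificate, and the sender
# signs a short message with the CA certificate attached. All names are made up.
make_sample() {  # $1 = working directory
  d=$1; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -keyout "$d/ca.key" \
    -out "$d/ca.pem" -subj "/O=Example Issuing Org/CN=Example Root" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout "$d/user.key" -out "$d/user.csr" \
    -subj "/O=Example Sender Org/CN=sender@example.test" 2>/dev/null
  openssl x509 -req -in "$d/user.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 2 -out "$d/user.pem" 2>/dev/null
  printf 'constructed test body\n' > "$d/body.txt"
  openssl smime -sign -in "$d/body.txt" -signer "$d/user.pem" \
    -inkey "$d/user.key" -certfile "$d/ca.pem" -out "$d/signed.eml" 2>/dev/null
}

# Print the subject or issuer ($2) of certificate $1 in one comparable form.
name_of() {
  openssl x509 -in "$1" -noout -nameopt RFC2253 "-$2" | sed 's/^[a-z]*= *//'
}

# extract_issuers <signed.eml> <outdir>
# A certificate counts as "issuing" when its subject is the issuer of some
# certificate in the message (this includes a self-signed root). Prints
# "<saved file><TAB><Organization (O) attribute>" for each one.
extract_issuers() {
  msg=$1; out=$2; mkdir -p "$out/all"
  openssl smime -pk7out -in "$msg" | openssl pkcs7 -print_certs |
    awk -v d="$out/all" '/BEGIN CERT/{n++}
      /BEGIN CERT/,/END CERT/{print > (d "/cert" n ".pem")}'
  for c in "$out"/all/*.pem; do name_of "$c" issuer; done > "$out/issuers.txt"
  for c in "$out"/all/*.pem; do
    if grep -Fxq "$(name_of "$c" subject)" "$out/issuers.txt"; then
      saved="$out/issuer_$(basename "$c")"; cp "$c" "$saved"
      org=$(openssl x509 -in "$c" -noout -subject -nameopt multiline |
            sed -n 's/^ *organizationName *= *//p')
      printf '%s\t%s\n' "$saved" "$org"
    fi
  done
}
```

This only finds certificates the sender attached to the signature; a message that carries just the sender's personal certificate produces no output, and the chain then has to be obtained from the issuer.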
To add the issuing certificates to Encryption Management Server, do the following after logging into the Encryption Management Server administration console:
Encryption Management Server and Encryption Desktop will now be able to verify the sender's certificate. The smart annotation will now be blue and show "PGP - S/MIME Signed" plus the date and time in the top border of the annotation.
It shows "Issuer: issuer name" in the bottom border of the annotation, where issuer name is the Organization (O) attribute of the issuing certificate.
To avoid adding certificates to Encryption Management Server, another option is to turn off annotations. To do this, log in to the Encryption Management Server administration console and do the following:
Note that by doing this, internal users will not be aware that the sender has signed and/or encrypted the message.