
Signature verification fails for S/MIME signed messages


Article ID: 199256


Products

Encryption Management Server, Encryption Management Server Powered by PGP Technology, Gateway Email Encryption, Gateway Email Encryption Powered by PGP Technology, Desktop Email Encryption, Desktop Email Encryption Powered by PGP Technology, Encryption Desktop Powered by PGP Technology

Issue/Introduction

When a third party sends an S/MIME signed or S/MIME signed and encrypted message to an Encryption Management Server or Encryption Desktop user, the smart annotation around the body of the message is red and shows "PGP - S/MIME Signed by an unverified key" in the top border of the annotation.

It shows "Issuer: issuer name - Unverified" in the bottom border of the annotation, where issuer name is the Organization (O) attribute of the issuing certificate.

Cause

The issuing certificate chain is not trusted by Encryption Management Server.

Environment

Encryption Management Server 3.4.2 and above.

Resolution

Add the certificates in the sender's issuing certificate chain to Encryption Management Server.

You can find and save the certificates in the sender's certificate chain by double-clicking the sender's personal certificate and navigating to the Certification Path tab.

Do the following to save each certificate in the chain:

  1. Select the certificate and click on the View Certificate button.
  2. Click on the Details tab.
  3. Click on the Copy to File button to start the Certificate Export Wizard.
  4. Ensure that you save the certificate as a Base-64 encoded X.509 *.cer file.

Note that you do not need to save the sender's personal certificate, just the issuing certificates.
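Before importing, each exported file can be checked to confirm it really is a single Base-64 encoded X.509 file and to get a SHA-256 fingerprint to compare with the value the issuing CA publishes. The following is an added example, not part of the product or the original article; the function names and the sample bytes are constructed for illustration, and the check covers file encoding only, not certificate validity.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def der_length_ok(der: bytes) -> bool:
    """True if der is exactly one ASN.1 SEQUENCE, the outer shape of a certificate."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:  # short-form length
        return len(der) == 2 + first
    n = first & 0x7F  # long form: the next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_exported_cert(data: bytes) -> dict:
    """Accept only a file holding one Base-64 (PEM) certificate; return its fingerprint."""
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        # A DER export is raw binary with no BEGIN/END lines.
        kind = "DER binary" if der_length_ok(data) else "unrecognised"
        return {"ok": False, "reason": f"not Base-64 encoded ({kind})"}
    if len(blocks) > 1:
        return {"ok": False, "reason": "more than one PEM block in file"}
    label, body = blocks[0]
    if label != b"CERTIFICATE":
        return {"ok": False, "reason": f"PEM label is {label.decode()}, not CERTIFICATE"}
    try:
        der = base64.b64decode(b"".join(body.split()), validate=True)
    except ValueError:
        return {"ok": False, "reason": "Base-64 body is corrupt"}
    if not der_length_ok(der):
        return {"ok": False, "reason": "decoded body is not one DER SEQUENCE"}
    fp = hashlib.sha256(der).hexdigest().upper()
    return {"ok": True, "sha256": ":".join(fp[i:i + 2] for i in range(0, 64, 2))}


# Constructed sample: a 6-byte DER SEQUENCE standing in for a real certificate.
SAMPLE_DER = bytes([0x30, 0x04, 0x02, 0x02, 0x12, 0x34])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\r\n" + base64.b64encode(SAMPLE_DER)
              + b"\r\n-----END CERTIFICATE-----\r\n")
print(check_exported_cert(SAMPLE_PEM))
```

To check a real export, pass the file's bytes, for example `check_exported_cert(open(path, "rb").read())`, where `path` is the saved *.cer file.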

To add the issuing certificates to Encryption Management Server, do the following after logging into the Encryption Management Server administration console:

  1. Navigate to Keys / Trusted Keys.
  2. Click on the Add Trusted Key button.
  3. Click on the Choose File button.
  4. Browse to the root certificate of the sender's certificate chain and click on the Open button to import it.
  5. Enable the option Trust key for verifying mail encryption keys.
  6. Click the Save button.
  7. Repeat the above steps for all intermediate certificates.

Encryption Management Server and Encryption Desktop will now be able to verify the sender's certificate. The smart annotation will now be blue and show "PGP - S/MIME Signed" plus the date and time in the top border of the annotation.

It shows "Issuer: issuer name" in the bottom border of the annotation, where issuer name is the Organization (O) attribute of the issuing certificate.

To avoid adding certificates to Encryption Management Server, another option is to turn off annotations. To do this, log in to the Encryption Management Server administration console and do the following:

  1. Navigate to Mail / Mail Policy.
  2. Click on the Inbound policy chain.
  3. Click on the Decrypt Message (SMTP) rule.
  4. Click on the Edit Actions button.
  5. In the Annotation Setting drop-down list, select Don't Annotate.
  6. Click the Save button.

Note that by doing this, internal users will not be aware that the sender has signed and/or encrypted the message.
