
Keys published using Encryption Management Server Verified Directory cannot be used


Article ID: 203454


Products

  • Encryption Management Server
  • Encryption Management Server Powered by PGP Technology
  • Gateway Email Encryption
  • Gateway Email Encryption Powered by PGP Technology

Issue/Introduction

The Encryption Management Server Verified Directory service allows users to publish their PGP keys and search for keys using the Verified Directory web portal.

Keys uploaded using the portal appear in the Encryption Management Server administration console under Consumers / Users / Verified Directory Users.

Verified Directory User keys can be used to encrypt email messages.

However, some Verified Directory keys cannot be used even though the key appears under Consumers / Users / Verified Directory Users (and may even be returned by a Verified Directory portal search). The symptoms are:

  1. The key either cannot be found using the Verified Directory portal search function or, if it can be found, it cannot be downloaded from the portal.
  2. Outbound email messages cannot be encrypted to the key.

These unusable keys uploaded using the Verified Directory portal almost always contain an S/MIME certificate. Although only PGP keys are supported by Verified Directory, some PGP keys include an S/MIME certificate. The following types of keys will include an S/MIME certificate:

  • Keys created by an Encryption Management Server that has an Organization Certificate.
  • Keys created as the result of importing an S/MIME certificate into Encryption Desktop.

Environment

Symantec Encryption Management Server 3.4.2 and above.

Cause

The key uploaded using the Verified Directory portal is not signed by the Verified Directory Key.

If you navigate to Reporting / Logs and select the Administration log, errors like the following appear when the key has not been published correctly:

Failed to publish key "User Name <[email protected]>" (KeyID: 0xD5FBAC28) : cannot delete derived object while source object is present
Couldn't delete signature 0x12ca9e0: cannot delete derived object while source object is present

Even if a user can be found using the Verified Directory portal, if you see the error "The public key could not be found. It may have been removed." when trying to download the key, it means that the key has not been signed by the Verified Directory Key and is unusable.
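As an added example (not part of the original article), the following script scans Administration log text for the "Failed to publish key" error quoted above and lists the affected users and key IDs so they can be remediated with one of the workarounds below. The log lines, names, email addresses and timestamps in SAMPLE_LOG are constructed; the error text itself is the one shown in the article.

```python
import re

# Matches the Administration log error from the article:
#   Failed to publish key "User Name <user@example.com>" (KeyID: 0x....) : cannot delete ...
# The email/KeyID values in SAMPLE_LOG below are constructed for illustration.
FAILED_PUBLISH = re.compile(
    r'Failed to publish key "(?P<name>[^"<]*?)\s*<(?P<email>[^>]+)>"'
    r'\s*\(KeyID:\s*(?P<keyid>0x[0-9A-Fa-f]+)\)\s*:\s*'
    r'cannot delete derived object while source object is present'
)

# Constructed sample of an Administration log export (timestamps/levels assumed).
SAMPLE_LOG = """\
2023-01-01 10:00:01 INFO  Published key "Alice Example <alice@example.com>" (KeyID: 0x1A2B3C4D)
2023-01-01 10:00:02 ERROR Failed to publish key "Bob Example <bob@example.com>" (KeyID: 0xD5FBAC28) : cannot delete derived object while source object is present
2023-01-01 10:00:02 ERROR Couldn't delete signature 0x12ca9e0: cannot delete derived object while source object is present
2023-01-01 10:05:00 ERROR Failed to publish key "Bob Example <bob@example.com>" (KeyID: 0xD5FBAC28) : cannot delete derived object while source object is present
"""


def find_unpublished_keys(log_text):
    """Return {email: {"name", "keyid", "count"}} for every key whose publish
    step failed, i.e. keys that never received the Verified Directory Key
    signature and are therefore unusable for encryption."""
    results = {}
    for line in log_text.splitlines():
        m = FAILED_PUBLISH.search(line)
        if not m:
            continue
        email = m.group("email").strip().lower()
        entry = results.setdefault(
            email, {"name": m.group("name").strip(), "keyid": m.group("keyid"), "count": 0}
        )
        entry["count"] += 1  # repeated failures for the same key are counted, not duplicated
    return results


def affected_users(log_text):
    """Sorted (email, keyid) pairs to work through with the Resolution steps."""
    found = find_unpublished_keys(log_text)
    return sorted((email, info["keyid"]) for email, info in found.items())


if __name__ == "__main__":
    for email, keyid in affected_users(SAMPLE_LOG):
        print(f"{email}\t{keyid}\tnot signed by Verified Directory Key")
```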

Resolution

There are several ways of working around this issue:

1. Import the key as an External User

If the user is classified as an External User, its key will be usable for encrypted email. Note that External Users will not be found when searching the Verified Directory portal. Please do the following:

  1. In the administration console, navigate to Consumers / Users / Verified Directory Users.
  2. Click on the user's email address to open the Verified Directory User Information page.
  3. Click on the Export Key button to download the key.
  4. Navigate to Consumers / Users / Verified Directory Users and delete the user.
  5. Navigate to Consumers / Users / External Users.
  6. Click on the Add External Users button to open the Import External Users page.
  7. Click on the Choose File button to browse to the key you exported in step 3 and click on the Import button.


2. Use Manual or Email vetting

The Verified Directory service can use a Vetting Method of Implicit, Manual or Email. Implicit vetting can be more likely to result in keys not being signed by the Verified Directory Key.

Therefore, if you are using Implicit vetting and some keys submitted using the Verified Directory portal cannot then be found in the portal or used for email encryption, it may be worth changing the vetting method to Manual or Email. Note that with Email vetting, a verification email will be sent to the email address associated with the key:

  1. From the administration console, navigate to Services / Verified Directory.
  2. Click on the Edit button.
  3. Change the Vetting Method from Implicit to Manual or Email and click the Save button.


3. Republish keys using manual vetting

If manual or email vetting resolves this issue but you have a key that was published using implicit vetting, it may be worth republishing the key using manual vetting:

  1. Navigate to Consumers / Users / Verified Directory Users.
  2. Click on the user's email address to open the Verified Directory User Information page.
  3. Click on the Export Key button to download the key.
  4. Navigate to Consumers / Users / Verified Directory Users and delete the user.
  5. Click on the Add Verified Directory Users button.
  6. Browse to the key file and change the Users should be verified option to Manually, then click the Import button.
  7. The key will be pending approval. Click on the + button to the right of the email address to approve the key.


4. Disable Require verified key with email encryption

By default, the mail rules that encrypt email messages have the Require verified key option enabled within the Action.

Disabling Require verified key will allow email messages to be encrypted to keys that have not been signed by the Verified Directory Key.


Broadcom is committed to product quality and satisfied customers. This issue is currently being considered by Broadcom to be addressed in a forthcoming version or Maintenance Pack of the product. Please be sure to refer back to this article periodically as any changes to the status of the issue will be reflected here.

Additional Information

Jira: EPG-21802
