If Encryption Management Server is configured to use Directory Synchronization with Active Directory, by default it will import any X.509 certificates associated with Active Directory users that have an account in Encryption Management Server.
In Active Directory Users and Computers, with Advanced Features enabled in the View menu, these certificates are shown on the Published Certificates tab of the user's properties (the userCertificate attribute). A user may have more than one published certificate.
If a certificate chains to a certificate authority that Encryption Management Server trusts, it is imported and appears as an additional CKM (Client Key Mode) key on the internal user's account. It also appears in the user's Encryption Desktop keyring.
While this functionality may be helpful in some environments and generally has no impact on standard operations, it can result in a large number of additional, unwanted keys being imported into Encryption Management Server, and users may be confused by seeing several keys in their keyring.
If the certificates in Active Directory are not issued by a certificate chain that Encryption Management Server trusts, the certificates will not be imported and warnings containing the following text will appear in the Reporting / Logs / Group log:
rejected - not signed by a trusted certificate
To avoid these warnings and allow such user certificates to be imported, navigate to Keys / Trusted Keys in the administration console, import the root and any intermediate certificates and trust them for verifying mail encryption keys.
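Before enabling or auditing Directory Synchronization it is useful to know how many published certificates the import would pick up, which users carry several of them, and which ones would be rejected because they do not chain to a trusted CA. The following PowerShell script is an added example, not Symantec code; it assumes the RSAT ActiveDirectory module is installed and that the machine running it trusts the same root CAs you intend to add under Keys / Trusted Keys. Chain validation here uses the Windows certificate store, which only approximates the server's own trust list, so treat a "not trusted" result as a prompt to import the root and intermediates, not as proof of what the server will log. The intermediate file path and the CSV output name are placeholders.

```powershell
# Added example (not Symantec code): audit the X.509 certificates that
# Directory Synchronization would import from Active Directory.
# Assumes: RSAT ActiveDirectory module; local machine store holds the roots
# you intend to trust on Encryption Management Server.
Import-Module ActiveDirectory

# Optional intermediate CA certificates (DER/PEM files) to make available while
# building each chain, in case they are not already in the local store.
$intermediateFiles = @()   # e.g. 'C:\pki\Issuing-CA.cer' (assumed path)

$extra = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
foreach ($f in $intermediateFiles) {
    $extra.Add([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($f)) | Out-Null
}

# Only users that actually have something in userCertificate, which is what the
# Published Certificates tab in ADUC displays.
$users = Get-ADUser -LDAPFilter '(userCertificate=*)' -Properties userCertificate, mail

$report = foreach ($u in $users) {
    foreach ($raw in $u.userCertificate) {
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # The server's log message is about trust, not revocation, so skip CRL/OCSP here.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chain.ChainPolicy.ExtraStore.AddRange($extra)
        $trusted = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        [pscustomobject]@{
            User       = $u.SamAccountName
            Mail       = $u.mail
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Trusted    = $trusted
            Status     = if ($status) { $status } else { 'OK' }
        }
        $chain.Reset()
    }
}

# Users with several published certificates end up with several CKM keys.
$report | Group-Object User | Where-Object Count -gt 1 |
    Select-Object Name, Count | Sort-Object Count -Descending | Format-Table

# Certificates the local store cannot chain to a trusted root; these are the
# candidates for a "rejected - not signed by a trusted certificate" warning.
$report | Where-Object { -not $_.Trusted } |
    Format-Table User, Subject, Issuer, Status -AutoSize

# Full inventory for review (assumed output path).
$report | Export-Csv -NoTypeInformation -Path .\ad-user-certificates.csv
```

Run it as a user with read access to the user objects. The Status column carries the X509ChainStatusFlags names (for example UntrustedRoot or PartialChain), which tell you whether you are missing the root, an intermediate, or both, before you import them under Keys / Trusted Keys.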
This applies to Symantec Encryption Management Server and Symantec Encryption Desktop 10.5 and above.
Encryption Management Server can be configured not to import certificates from Active Directory, but this setting is not exposed in the administration console. If you wish to make this change, please raise a support case.
See also: 213642 - How often does Symantec Encryption Management Server regroup users in Active Directory?