
S/MIME messages can be encrypted but not signed without an Organization Certificate


Article ID: 238613

Products

Encryption Management Server Gateway Email Encryption

Issue/Introduction

If Encryption Management Server does not have an Organization Certificate, it can encrypt outbound email messages using S/MIME but not sign them.

Cause

Messages can only be signed with the sender's private key. If Encryption Management Server does not have an Organization Certificate, no internal users will be issued with an S/MIME certificate. Therefore outbound messages cannot be S/MIME signed.

Messages are encrypted with the recipient's public key. If the external recipient has an S/MIME certificate then Encryption Management Server can use that certificate to encrypt the message.

In addition, because the internal users do not have S/MIME certificates, they will not be able to receive S/MIME encrypted email.

In practice, therefore, only outbound encrypted (unsigned) S/MIME email is supported.

Environment

Symantec Encryption Management Server 10.5 or above.

Resolution

Add an Organization Certificate to Encryption Management Server. This will cause all internal users to be issued with an S/MIME certificate automatically. Note that there is no way of issuing S/MIME certificates only to specific internal users.

Alternatively, do not add an Organization Certificate to Encryption Management Server but instead purchase an S/MIME certificate for specific users from a well-known public CA (Certificate Authority) and import the certificates (*.pfx or *.p12 files) into Encryption Management Server. Encryption Management Server will then be able to generate S/MIME signed and/or encrypted email on behalf of those specific users. Encryption Management Server will also be able to decrypt inbound S/MIME encrypted email on behalf of those users.