
How to Create and Assign a Subordinate/Intermediate Certificate for SMIME/Certificate Signing with PGP Server


Article ID: 257339




Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK


The Symantec Encryption Management Server (PGP Server) can generate SMIME certificates for Email Encryption using the SMIME encoding method. To do this, you can use a Self-Signed Certificate (not generally recommended), an Internal CA (better than Self-Signed, but not universally trusted by external domains), or a Trusted Certificate Authority (not typically possible to achieve, as the CA needs to provide you "Certificate Signing" permissions for the certificate as a "Subordinate" Certificate Authority).

This means the PGP Server would sign on behalf of the Certificate Authority itself. This article will cover how to go through these steps for an Internal Certificate Authority.


Step 1: Login to the PGP Server and click on Keys, then Organization keys.

Step 2: You are going to click the + sign next to Organization Certificate.  If you hover over it, you'll see "Generate Organization Certificate":


Step 3: Once you click the + sign, you'll fill in all the appropriate details as seen in this example:


Step 4: Next, click on Generate CSR.  This will then provide you a Certificate Request Block:


Step 5: In this example, we are using a Windows Certificate Authority, so we will use the Active Directory Certificate Services for the domain.

Click on "Request a certificate":


Step 6: Next, choose "advanced certificate request".


Step 7: Paste the Certificate Request block you got from the PGP server into the "Saved Request" field.  This will be a Base64 request for the next steps.

Step 8: Next, click Submit and you will have the option to download the Base64 encoded version of the signed request:


You should now have a newly downloaded file called "certnew.cer", similar to this:


Step 9: Now open this certnew.cer file with a text editor:

You'll see a Base64-encoded "BEGIN CERTIFICATE" block, which is the signed request:

Step 10: Copy this text and go back to the PGP Server under Organization Keys.

Now we will click the "Import Organization Certificate" arrow (Hover over to see this is the correct option):



Step 11: Paste in this signed block:

Now you'll see a new Organization Certificate is added.


Step 12: Now you can click on the Organization Certificate and export the keypair for a backup:

TIP: You can export the Organization Key Pair as well for good measure and this is highly recommended.  Then keep these two certs in a safe place.


From now on, all new users' SMIME certs will be signed with this signed Organization Certificate.

Step 13: As this is a Subordinate Certificate (Intermediate Cert), it's a good idea to import the Root certificate for the Certificate Authority into the Trusted Keys on the PGP server.
Check all the boxes to do so.  For more information on Trusted Keys on the PGP Server, see the following article:

180143 - HOW TO: Work with Trusted Keys and Certificates on Symantec Encryption Management Server

Step 14: Export the **Public** certificate that you've just completed from the PGP Server:

It is critically important to *not* send the keypair, so take extra care at this step. Once exported, you should have a public key file named with the key ID (keyid.pem):

TIP: Rename this to something like "DomainSigningCertificateSMIME-public.pem" so you can file it away for later use and easily differentiate it from your other certs.
You can import these certs into your certificate store to view them and see whether the private key is included.


Step 15: You can import this public certificate into your own certificate store for review (certmgr.msc):


For easy access, put this in your "Personal" store:

Step 16: Once imported, you can double-click on the cert and see the properties.  Go to the "Certificate Path" tab and you can see the full chain (The Root Certificate and the Subordinate/Intermediate Certificate):

It's a good idea to inspect the cert, thumbprint, key usage, etc. so you are very familiar with this new certificate.

Provide this cert to your external recipient and have them trust your Root and Intermediate (Subordinate) certs; any user's certs will then automatically be trusted.

Both certs are included in this certificate for convenience.
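
Added example (not part of the original article and not Symantec tooling): a pre-send check for the file exported in Step 14. It lists every armored block in the .pem, refuses the file if any private key block is present, and prints the SHA-1 thumbprint of each certificate so it can be compared with the thumbprint seen in Step 16. The function name audit_export and the sample inputs are constructed for illustration; the sample bodies are placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

# Matches any armored block: X.509 PEM as well as PGP armor.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def audit_export(pem_text):
    """Summarise an exported .pem: certificate thumbprints and private key blocks."""
    certs, private = [], []
    for label, body in PEM_BLOCK.findall(pem_text):
        if "PRIVATE KEY" in label:
            # Covers PKCS#1, PKCS#8, encrypted, EC and PGP private key armor.
            private.append(label)
        elif label == "CERTIFICATE":
            der = base64.b64decode("".join(body.split()))
            certs.append({
                # Windows shows the SHA-1 of the DER encoding as "Thumbprint".
                "sha1": hashlib.sha1(der).hexdigest(),
                "sha256": hashlib.sha256(der).hexdigest(),
            })
    # Shareable only if it carries certificates and no private key material.
    return {"certificates": certs, "private_blocks": private,
            "safe_to_share": bool(certs) and not private}


def _pem(label, raw):
    """Wrap constructed bytes in PEM armor (sample data only, not real DER)."""
    b64 = base64.encodebytes(raw).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"


# Constructed samples: a public export with two certs, and a keypair export.
PUBLIC_EXPORT = (_pem("CERTIFICATE", b"constructed-intermediate")
                 + _pem("CERTIFICATE", b"constructed-root"))
KEYPAIR_EXPORT = PUBLIC_EXPORT + _pem("PRIVATE KEY", b"constructed-key")

if __name__ == "__main__":
    for name, text in (("public", PUBLIC_EXPORT), ("keypair", KEYPAIR_EXPORT)):
        report = audit_export(text)
        print(name, "safe_to_share =", report["safe_to_share"],
              "private blocks:", report["private_blocks"])
        for cert in report["certificates"]:
            print("  SHA-1 thumbprint:", cert["sha1"])
```

To check a real export, read the renamed .pem file as text and pass its contents to audit_export in place of the constructed samples.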

For further guidance, please reach out to Symantec Encryption Support.






Additional Information

155218 - HOW TO: Generate a new self-signed Organization Certificate for PGP Server for SMIME Email Encryption 

180416 - How to Install an SSL Certificate for Symantec Encryption Management Server (PGP Server)

176302 - Renewing the Endpoint Encryption Management Server TLS certificate

180143 - HOW TO: Work with Trusted Keys and Certificates on Symantec Encryption Management Server