HOW TO: Configure PGP Universal Server Administrative Keys and Certificates

Article:HOWTO41980  |  Created: 2006-09-18  |  Updated: 2011-03-11  |  Article URL http://www.symantec.com/docs/HOWTO41980
Article Type: How To




This is a tutorial article designed to assist administrators in working with the keys and certificates which PGP Universal Server uses and creates.


 


Before completing any steps outlined in this document, make sure you have a good understanding of the keys and certificates created and used by PGP Universal Server.

 

Organization Keys

Your Organization Key is used to sign all user keys that PGP Universal Server creates and to encrypt server backups. The Organization Key is what was referred to as the Corporate Key in the old PGP Keyserver environment.

 

Warning: You must make a backup of your Organization Key, in case of a problem with the server. That way, you can restore your server from a backup using the backup Organization Key.


Each PGP Universal Server is pre-configured with a unique Organization Key generated by the Setup Assistant. If you would like to use different settings for this key, you may regenerate a key with the settings you prefer. This should only be done prior to deployment of the server or creation of user keys by the server.

The Organization Key will automatically renew itself one day before its expiration date. It will renew with all the same settings. If you have multiple PGP Universal Servers in a cluster, the Organization Keys on the Secondary servers in the cluster will be synchronized with the Primary server in the cluster.

An Organization Key's identification is based on the name of the managed domain for which the key was created. By convention, Organization Keys have one ID per managed domain so that they can be easily found via a directory lookup.


Inspecting the Organization Key:

 

  1. Log in to the Administrative interface and go to Organization then Organization Keys.
     
  2. Click the name of the Organization Key. The Organization Key Info dialog appears.
     
  3. Inspect the properties of the Organization Key.
     
  4. To export either just the public key portion of the Organization Key or the entire keypair, click the Export button and save the file to the desired location.

    When you export the Organization Key you also get the Organization Certificate. You can use PGP Desktop to extract the Organization Certificate from the Organization Key.

     
  5. Click the OK button.

 

Regenerating the Organization Key:

 

Warning: Changing the Organization Key makes all previous backups undecryptable and all validity signatures on the keys of internal users are unverifiable until they are automatically renewed. Only change the Organization Key if you fully understand the consequences of this action.

Changing the Organization Key deletes Ignition Keys. If you have hard or soft token Ignition Keys configured, regenerating the Organization Key will delete them.


 

  1. Log in to the Administrative interface and go to Organization then Organization Keys.
     
  2. Click the icon in the Action column of the Organization Key whose properties you want to change.
     
  3. Click OK on the window that appears warning that regeneration may cause problems.
     
  4. Make the desired changes to the properties of the Organization Key.
     
  5. Click the Generate button.
     

Importing an Organization Key:

You also have the option of importing an existing PKCS #12 key and using that as your Organization Key.

 

Caution: Changing the Organization Key deletes Ignition Keys. If you have hard or soft token Ignition Keys configured, regenerating the Organization Key deletes them. Deleting the Ignition Key stops PGP Universal Web Messenger from being stored encrypted.


 

  1. Log in to the Administrative interface and go to Organization then Organization Keys.
     
  2. Click the icon in the Import column of the Organization Key row.
     
  3. Click OK on the window that appears warning about deleting your Organization Key.
     
  4. If you want to import a key that has been saved as a file, locate the file of the key you want to import using the Browse button.

    Enter the passphrase for the key, if required.

     
  5. If you want to import a key by cutting and pasting, copy the key you want to be your Organization Key to the Clipboard and paste it into the Key Block box.
     
  6. Click the Import button.
    The Import Organization Key dialog disappears. The Organization Key you imported appears in the Organization Key row.
     

Organization Certificates

An Organization Certificate is required for S/MIME support. You can only have one Organization Certificate attached to your Organization Key. You will not be able to restore from a backup with more than one Organization Certificate associated with your Organization Key.

The PGP Universal Server will automatically generate certificates as well as keys for new internal users created after you import or generate an Organization Certificate. All internal users will receive a certificate added to their keys within 24 hours. However, the old Organization Certificate will remain on users' keys until the certificate expires.

To enable S/MIME support, make sure the certificate of the issuing Root CA, and all other certificates in the chain between the Root CA and the Organization Certificate, are on the list of trusted keys and certificates on the Trusted Keys and Certificates card. A self-signed Organization Certificate will have the same expiration date as the Organization Key, unless the Organization Key is set never to expire. If the Organization Key will never expire, the Organization Certificate will expire 10 years from the date you generate it. You must regenerate the Organization Certificate before it expires and distribute the new Certificate to anyone who uses your old Organization Certificate as a trusted root CA.

Inspecting the Organization Certificate:

 

  1. Log in to the Administrative interface and go to Organization then Organization Keys.
     
  2. Click the name of the Organization Certificate.
     
  3. Inspect the settings of the Organization Certificate.
     
  4. To export either just the public key portion of the Organization Key or the entire keypair, click the Export button and save the file to the desired location.
     
  5. Click OK.
     

Generating the Organization Certificate:

 

  1. Log in to the Administrative interface and go to Organization then Organization Keys.
     
  2. Click the icon in the Action column of the Organization Certificate row.
     
  3. Enter the information for each field.
     
  4. If you want to generate a self-signed certificate, click Generate Self-signed. PGP Universal Server will generate a certificate. To generate a Certificate Request instead, go on to the next step.
     
  5. Click the Generate CSR button.
     
  6. Copy the contents of the CSR dialog to a file, then click OK.
     
  7. Paste the CSR into the appropriate field on your third-party CA interface.
    The CA will send the certificate back to you when it has approved it.
     
  8. When you get the certificate from the CA, use the Import feature to import it as your Organization Certificate.

 

Importing the Organization Certificate:

 

  1. Log in to the Administrative interface and go to Organization then Organization Keys.
     
  2. Click the icon in the Import column of the Organization Certificate row.
     
  3. Copy the certificate you want to be your Organization Certificate.
     
  4. Paste the text into the Certificate Block box.
     
  5. Click the Save button. The Organization Certificate you imported appears in the Organization Certificate row.
     

Additional Decryption Keys (ADK)

An Additional Decryption Key (ADK) is a way to retrieve an email message if the recipient is unable or unwilling to do so and if required by regulation or security policy; every message sent by an internal user is also encrypted to the ADK. Messages encrypted to the ADK can be opened by the recipient and/or by the holder(s) of the ADK.

If you have an Additional Decryption Key uploaded, all outbound email will be encrypted to it when mail policy is applied. This setting appears in the Send (encrypted/signed) action and the setting cannot be disabled. Refer to Chapter 14, Setting Mail Policy for more information.

You can create an ADK with PGP Desktop, and then add it to your PGP Universal Server and use it. You can only have one ADK.

 

Note: S/MIME messages are not encrypted to the ADK.


If you use an ADK, PGP Universal adds the ADK to all new keys that it generates and all outbound email messages are automatically encrypted to it.

If you are going to use an ADK on your PGP Universal Server, you should import it prior to generating any user keys. You should also try to avoid changing to a different ADK later on, because doing so will result in some keys being associated with the old ADK and some with the new ADK. If you add or change an ADK, it will only be associated with the keys of new users. Existing users will not get that ADK added to their key.

Only PGP keys can be used as ADKs.

 

 

Inspecting an ADK:

 

  1. Log in to the Administrative interface and go to Organization then Organization Keys.
     
  2. Click the name of the ADK.
     
  3. Inspect the properties of the ADK.
     
  4. To export the ADK, click Export and save the file to the desired location.
     
  5. Click the OK button.
     

Importing an ADK:

 

  1. Log in to the Administrative interface and go to Organization then Organization Keys.
     
  2. Copy the key of the ADK you are adding to the Clipboard using PGP Desktop.
     
  3. Click the Import icon in the Action column of the Additional Decryption Key row.
     
  4. Paste the key of the ADK into the Import Key Block box.
     
  5. Click the Import button. The ADK you added appears in the Additional Decryption Key row.
     

Deleting an ADK:

 

Note: All keys generated while the ADK was present will continue to reference the ADK even after you delete the ADK. The change will apply only to keys that are generated after the ADK is deleted.


 

  1. Log in to the Administrative interface and go to Organization then Organization Keys.
     
  2. Click the delete icon in the Action column of the ADK.
     
  3. Click the OK button.

    The ADK is deleted.

     

Verified Directory Keys (VDK)

The Verified Directory Key is the signing key for PGP Verified Directory users outside your managed domain. It must consist of both private and public keys. Once you choose the setting to allow external users to submit their keys through the PGP Verified Directory, you must upload a Verified Directory Key. External users will not be able to submit their keys to PGP Verified Directory until you have added the Verified Directory Key.

If you have multiple PGP Universal Servers in a cluster, the Verified Directory Keys on the Secondary servers in the cluster will be synchronized with the Primary server in the cluster.

Inspecting the VDK:

 

  1. Log in to the Administrative interface and go to Organization then Organization Keys.
  2. Click the name of the Verified Directory Key.
  3. Inspect the properties of the Verified Directory Key. 
     
  4. To export the Verified Directory Key, click Export and save the file to the desired location.
     
  5. Click the OK button.

Importing a VDK:

 

  1. Log in to the Administrative interface and go to Organization then Organization Keys.
     
  2. Copy the key of the Verified Directory Key you are adding to the Clipboard using PGP Desktop.
     
  3. Click the Add icon in the Action column of the Verified Directory Key row.
    The Add Verified Directory Key dialog appears.
  4. Paste the key of the Verified Directory Key into the Import Key Block box.
     
  5. Enter the private key passphrase.
     
  6. Click the Import button. The Verified Directory Key you added appears in the Verified Directory Key row.
     

Deleting the VDK:

 

  1. Log in to the Administrative interface and go to Organization then Organization Keys.
     
  2. Click the delete icon in the Action column of the Verified Directory Key.
     
  3. Click the OK button.
     

Certificate for SSL/TLS Connections

To see the Certificates card, navigate to the Network Settings card (System/Network in the administrative interface) and click the Certificates button in the lower left corner of the screen.

The Certificates card lets you view existing certificates, import existing certificates, and generate self-signed certificates and new certificate requests.

The Setup Assistant automatically creates a self-signed certificate for use with SSL/TLS traffic. Because this certificate is self signed, it may not be trusted by email or Web browser clients. Specific behavior in response to this self-signed certificate depends on the specific email or Web browser client and its security settings.

 

Note: PGP Corporation recommends you obtain a valid SSL/TLS certificate for each of your servers from a public Certificate Authority. Not doing so may lead to incompatibilities with some email clients and Web browsers.


You can also use pre-existing keys and certificates for SSL/TLS traffic (you must import them first so that they appear on the Certificate card, then you can assign them using the Certificate Assignment card).

Inspecting the SSL/TLS Certificate:

 

  1. Log in to the Administrative interface and go to System, Network, then click on Certificates.
     
  2. Click the name of the certificate whose settings you want to inspect.
  3. Inspect the information about the certificate you selected. You may need to click More to see all the certificate data, which will appear in a pop-up dialog.
     
  4. To export the Verified Directory Key, click Export and save the file to the desired location.
     
  5. Click OK.

Importing an SSL/TLS Certificate:

 

  1. Log in to the Administrative interface and go to System, Network, then click on Certificates.
  2. Click Add Certificate on the Certificates card.
     
  3. Click Import.
     
  4. Select Import Certificate File and use the Choose File button to locate the file of the PKCS #12 certificate.

    If you have a native Apache SSL/TLS certificate, you can paste both the public and private portions of the certificate into the Import Certificate Block box in any order.
     
  5. If the certificate you are importing has a passphrase, enter it in the Passphrase field.
     
  6. Click Import. The certificate added appears on the Certificate card. It can now be assigned to an interface.
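Two checks an administrator can run on a workstation before importing material into the server, added here as an example (not code from the article or from PGP Corporation): that a CA-issued Organization Certificate actually chains to the Root CA and intermediates you will place on the Trusted Keys and Certificates card, and that it is not about to expire; and that a key and certificate bundled as PKCS #12 for the Organization Key or SSL/TLS import open with the passphrase you will enter. It assumes openssl is installed; the Root CA, 30-day leaf certificate and key it generates are constructed fixtures standing in for your real files.

```shell
#!/bin/sh
# Added example, not from the PGP Universal Server article. Assumes openssl is on PATH.
# Fixtures are constructed: a self-signed 10-year Root CA and a 30-day leaf it signs.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_fixtures() {   # constructed test CA and a short-lived "Organization Certificate"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
        -out "$WORK/root.pem" -days 3650 -subj "/CN=Constructed Root CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/org.key" -out "$WORK/org.csr" \
        -subj "/CN=Constructed Organization Certificate" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/org.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -out "$WORK/org.pem" >/dev/null 2>&1
}

# chain_ok CERT ROOT [INTERMEDIATES]: 0 when CERT verifies up to ROOT. ROOT and any
# INTERMEDIATES are exactly the certificates that must be on the trusted list.
chain_ok() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    fi
}

# expires_within CERT DAYS: 0 when CERT expires inside DAYS days (regenerate before then).
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# to_pkcs12 KEY CERT CHAIN OUT PASS: bundle key, cert and chain as PKCS #12 for import.
to_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" -out "$4" \
        -passout "pass:$5" >/dev/null 2>&1
}

# pkcs12_ok FILE PASS: 0 when FILE parses and its MAC verifies under PASS.
pkcs12_ok() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

make_fixtures
chain_ok "$WORK/org.pem" "$WORK/root.pem" && echo "chain verifies against root"
expires_within "$WORK/org.pem" 60 && echo "certificate expires within 60 days"
to_pkcs12 "$WORK/org.key" "$WORK/org.pem" "$WORK/root.pem" "$WORK/org.p12" "s3cret" \
    && pkcs12_ok "$WORK/org.p12" "s3cret" && echo "PKCS #12 bundle opens"
```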

Legacy ID: 640

