HOW TO: Work with Trusted Keys and Certificates on PGP Universal Server

Article:HOWTO41982  |  Created: 2006-09-22  |  Updated: 2011-03-11  |  Article URL http://www.symantec.com/docs/HOWTO41982
Article Type
How To




This article provides step-by-step instructions for adding, inspecting, and changing trusted keys and certificates in PGP Universal 2.5 and above. 

 

HOW TO: Work with Trusted Keys and Certificates on PGP Universal Server

Trusted Keys and Certificates can be found under the Organization/Trusted Keys tabs. They are keys and certificates that you trust but are not part of the SMSA created by PGP Universal.

In those cases where your PGP Universal Server cannot find a public key for a particular user on any of the keyservers you have defined as trusted, it will also search the default directories. If it finds a key in one of the default directories, it will trust (and therefore be able to use) that key only if it has been signed by one of the keys in the trusted keys list.

PGP Universal can use S/MIME only if it has the root certificates from the CAs available to verify the client certificates. These CAs can be in your company or they can be an outside-managed CA, such as VeriSign.

To enable S/MIME support, the certificate of the issuing Root CA, and all other certificates in the chain between the Root CA and the Organization Certificate, are on the list of trusted keys and certificates on the Trusted Keys and Certificates card. PGP Universal Server comes with information on many public CAs already installed on the Trusted Keys and Certificates card. Only in-house CAs or new public CAs that issue user certificates need to be manually imported. You can inspect, export (save on your machine), or delete the root certificates at any time.

Trusted Certificates can be in any of the following formats: .cer, .crt, .pem and .p7b.

 

PGP Universal operates as a subsidiary certificate authority (CA) to CAs from the following vendors
  • Entrust Authority Security Manager 
  • RSA Security KCA 6.5 
  • Baltimore UniCERT 5.0 
  • Microsoft Certificate Services

 

Inspecting and Changing Trusted Key Properties

  1. In the Administration Console go to the Organization>Trusted Keys tab.

     
  2. Click on the User ID (the name) of the trusted key or certificate that you want to inspect.

    The Trusted Key Info dialog appears.

     
  3. Inspect the properties of the trusted key or certificate you selected, you may need to click more to see all the certificate data.

     
  4. To export the trusted key, click Export and save the file to a desired location

     
  5. To change the properties of the trusted key or certificate, check or uncheck any of the following:

    Check Trust key for verifying mail encryption keys when you want to trust the key or certificate from being added for the purpose of verifying signatures on keys from keyservers listed in the default domain.

    Check Trust key for verifying SSL/TLS certificates when you want the X.509 certificate being added to be trusted for the purpose of verifying SSL/TLS certificates presented from remote SMTP/POP/IMAP mail servers.

    Check Trust key for verifying keyserver client certificates when you want the X.509 certificate being added to be trusted for the purpose of verifying keyserver client authentication certificates.

     
  6. Click Save.

 

Adding a Trusted Key or Certificate

  1. Under the Organization/Trusted Keys tabs, click Add Trusted Key near the bottom of the screen.

    The Add Trusted Key dialog appears.

     
  2. To import a trusted key saved in a file, click Browse and choose the file that contains the trusted key or certificate you want to add.

     
  3. To import a key in key-block format, paste the key block of the trusted key or certificate into the "Import Key Block" box (you will need to copy the text of the trusted key or certificate first in order to paste it).

     
  4. You can trust the keys and certificates for different things:

    Check Trust key for verifying mail encryption keys when you want to trust the key or certificate from being added for the purpose of verifying signatures on keys from keyservers listed in the default domain.

    Check Trust key for verifying SSL/TLS certificates when you want the X.509 certificate being added to be trusted for the purpose of verifying SSL/TLS certificates presented from remote SMTP/POP/IMAP mail servers.

    Check Trust key for verifying keyserver client certificates when you want the X.509 certificate being added to be trusted for the purpose of verifying keyserver client authentication certificates.

     
  5. Click Save
     

Legacy ID



642


Article URL http://www.symantec.com/docs/HOWTO41982


Terms of use for this information are found in Legal Notices