An Organization Certificate is required for S/MIME support. You can only have one Organization Certificate attached to your Organization Key. You will not be able to restore from a backup with more than one Organization Certificate associated with your Organization Key.

The Organization Key will automatically renew itself one day before its expiration date. However, the Organization Certificate must be regenerated manually.

Note: A self-signed Organization Certificate will have the same expiration date as the Organization Key, unless the Organization Key is set never to expire. If the Organization Key will never expire, the Organization Certificate will expire 10 years from the date you generate it. You must regenerate the Organization Certificate before it expires and distribute the new Certificate to anyone who uses your old Organization Certificate as a trusted root CA.

The PGP Universal Server will automatically generate certificates as well as keys for new internal users created after you import or generate an Organization Certificate. All internal users will receive a certificate added to their keys within 24 hours. However, the old Organization Certificate will remain on users’ keys until the certificate expires.

When a Organization Certificate expires, you have several options to resolve the issue:

• Create a self-signed Organization Certificate. Unfortunately, a self-signed Organization Certificate will not be universally recognized, so PGP Corporation recommends using a certificate from a recognized Certificate Authority (CA). Self-signed X.509 Organization Certificates are version 3.
  
• Create a Certificate Signing Request for a certificate authorized by an existing CA. When you receive the certificate back from the CA as a file, you will need to import that file.
  
• Import an existing certificate to use as your Organization Certificate. Imported X.509 certificates must be version 3.
  

To enable S/MIME support, the certificate of the issuing Root CA, and all other certificates in the chain between the Root CA and the Organization Certificate, are on the list of trusted keys and certificates on the Trusted Keys and Certificates card.

To generate a Self-signed certificate or a Certificate Signing Request:

1. Login to the PGP Universal Server.
2. Click the Organization card.
3. Select the + icon in the action column of the Organization Certificate row.
4. Enter your information for the certificate (Common Name, Contact Email, etc.).
5. Click Generate Self-signed for a self-signed certificate or Generate CSR to create Certificate Signing Request.

To create a Certificate Signing Request (CSR): Copy the contents of the CSR dialog to a file, then click OK. Paste the CSR into the appropriate field on your third-party CA interface. The CA will send the certificate back to you when it has approved it. When you receive the certificate from the CA, use the Import feature to import it as your Organization Certificate.

To import a certificate:

1. Login to the PGP Universal Server.
2. Click the Organization card.
3. Click the icon in the Import column of the Organization Certificate row.
4. Copy the certificate you want to be your Organization Certificate.
5. Paste the text into the Certificate Block box.
6. Click Save.

The Organization Certificate you imported appears in the Organization Certificate row.