PGP Universal Server Organization Key AND Organization Certificate

Article:TECH183692  |  Created: 2012-03-13  |  Updated: 2012-07-28  |  Article URL http://www.symantec.com/docs/TECH183692
Article Type: Technical Solution


Issue



Use of, operation of, and relationship between the Organization Key and the Organization Certificate.


Solution



The Organization Certificate is an X.509 certificate that can be either self-signed or requested from a Certificate Authority (CA). PGP Universal Server uses the Organization Certificate to generate X.509 certificates for internal users and to provide Secure/Multipurpose Internet Mail Extensions (S/MIME) functionality.

If users already have an X.509 certificate associated with their keys, they do not receive a new certificate until the old certificate expires.

An Organization Certificate is required for S/MIME support. You can have only one Organization Certificate attached to your Organization Key. Version 2.9.0 and above keep attached certificates with the users even if there is no Organization Certificate on the PGP Universal Server.
 
• Organization Certificate has just one purpose:
– To issue new X.509 certificates to users in the managed domain(s)
– It is not required if your users do not need new X.509 certificates

• Attributes of the Organization Certificate:
– It is part of the Organization Key (an X.509 user ID)
– It is not generated automatically, but can be generated or imported later
– If it exists or is added, users will have both a PGP key and an X.509 certificate (for S/MIME encryption)
– If added after users' PGP keys exist, a 12-hour cron job will update the keys
 
• Organization Key:
– Replace the server-generated Organization Key with one that doesn't expire
– This should be done before any users send email through PGP Universal Server
– Make sure you have a backup of your Organization Keypair (not just the public key)

• Organization Certificate:
– Do not generate a self-signed Organization Certificate and use it in production
– Only import an Organization Certificate if users need new X.509 certificates created

• Organization Key and Organization Certificate:
– Should have no email address, or an email address not shared by any users
– Note: A self-signed Organization Certificate will have the same expiration date as the Organization Key, unless the Organization Key is set never to expire. If the Organization Key will never expire, the Organization Certificate will expire 10 years from the date you generate it. You must regenerate the Organization Certificate before it expires and distribute the new certificate to anyone who uses your old Organization Certificate as a trusted root CA.
– The PGP Universal Server will automatically generate certificates as well as keys for new internal users created after you import or generate an Organization Certificate. All internal users will receive a certificate added to their keys within 24 hours. However, the old Organization Certificate will remain on users' keys until the certificate expires.
– Users' certificates can never expire later than the issuing Organization Certificate.
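As an added worked example (not code from the article or from Symantec), the expiry rules above encoded in Python: a self-signed Organization Certificate expires with the Organization Key, or 10 years after generation when the key never expires; a user certificate is capped at the issuing certificate's expiry; and an audit flags the regenerate-and-redistribute step before the Organization Certificate lapses. The function names, the 90-day warning window and all dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

def org_cert_expiry(generated_on: date, key_expires: Optional[date]) -> date:
    """Expiry of a self-signed Organization Certificate generated on generated_on."""
    if key_expires is None:  # Organization Key set never to expire: 10 years from generation
        return generated_on.replace(year=generated_on.year + 10)
    return key_expires       # otherwise it expires together with the Organization Key

@dataclass
class UserCert:
    user: str
    not_after: date

def issue_user_cert(user: str, requested_not_after: date, issuer_not_after: date) -> UserCert:
    """Issue a user S/MIME certificate; validity is capped at the issuing certificate's expiry."""
    return UserCert(user, min(requested_not_after, issuer_not_after))

def audit(today: date, issuer_not_after: date, certs: List[UserCert], warn_days: int = 90) -> List[str]:
    """Findings an administrator should act on before the Organization Certificate expires."""
    findings = []
    days_left = (issuer_not_after - today).days
    if days_left < 0:
        findings.append("Organization Certificate expired: regenerate it and redistribute it to every party trusting it as a root CA")
    elif days_left <= warn_days:
        findings.append(f"Organization Certificate expires in {days_left} days: regenerate and redistribute it")
    for c in certs:
        if c.not_after > issuer_not_after:
            findings.append(f"{c.user}: certificate outlives the Organization Certificate, so it cannot have been issued by it")
        elif c.not_after < today:
            findings.append(f"{c.user}: certificate expired; the server will issue a replacement")
    return findings

def demo() -> dict:
    """Run the rules over constructed sample data (all dates are made up for illustration)."""
    today = date(2012, 7, 28)
    never = org_cert_expiry(date(2012, 3, 13), None)               # -> 2022-03-13
    bound = org_cert_expiry(date(2012, 3, 13), date(2013, 3, 13))  # -> 2013-03-13
    issuer_not_after = date(2012, 9, 1)                            # Organization Certificate expiring soon
    certs = [issue_user_cert("alice@example.com", date(2014, 1, 1), issuer_not_after),  # capped at issuer
             UserCert("bob@example.com", date(2015, 1, 1)),        # outlives issuer: not issued by this server
             UserCert("carol@example.com", date(2012, 1, 1))]      # already expired
    return {"never_expires": never.isoformat(), "key_bound": bound.isoformat(),
            "alice_not_after": certs[0].not_after.isoformat(),
            "findings": audit(today, issuer_not_after, certs)}
```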
The Organization Certificate: To support S/MIME encryption, you can have your own non-PGP server generate user S/MIME certificates, or you can use PGP Universal Server with an Organization Certificate to generate them.

• The Organization Certificate is not generated automatically during installation.
– If an Organization Certificate is added, users will have both a PGP key and an X.509 certificate (for S/MIME encryption).
– If it is added after users' PGP keys exist, a 12-hour cron job will update the keys.
• When is an Organization Certificate required? Only if you want PGP Universal Server to create the X.509/S/MIME certificates.
• Do not generate a self-signed Organization Certificate and use it in production.
• Only import an Organization Certificate if users need new X.509 certificates created.
• Organization Key, Organization Certificate and ADK: should have no email address, or an email address not shared by any users.
• ADK: create a company policy that dictates the use cases for the ADK, and then split it.

The Organization Key:
• Repeatedly verifies PGP keys in the managed domain(s): the PGP keys of internal users are signed and re-signed with a two-week signature.
• If a server-only user (SKM) is inactive for three months, their key will not be re-signed.
• Trust the Organization Key and it will automatically handle key verification.
• If the Organization Key is replaced:
– Existing internal user keys become unverified until they are signed by the new key.
– Partners, etc. will have to re-sign or trust the new Organization Key.
– Existing backups will not decrypt with the new key.
– Ignition Keys and the Organization Certificate will be removed.

The Organization Certificate: PGP encryption is enabled by using a PGP keypair. S/MIME also uses a keypair, tied to a certificate. In most infrastructures you can use only one form of encryption.

You can create a self-signed Organization Certificate. Unfortunately, a self-signed Organization Certificate will not be universally recognized, so PGP Corporation recommends using a certificate from a recognized Certificate Authority (CA). Self-signed X.509 Organization Certificates are version 3.


