Enrollment with Certificate and Smartcards, PIV Cards, CACs with Symantec Encryption Desktop (PGP Desktop)
search cancel

Enrollment with Certificate and Smartcards, PIV Cards, CACs with Symantec Encryption Desktop (PGP Desktop)

book

Article ID: 181070

calendar_today

Updated On:

Products

Desktop Email Encryption Drive Encryption Encryption Management Server Endpoint Encryption File Share Encryption Gateway Email Encryption PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK

Issue/Introduction

Symantec Encryption Desktop (PGP Desktop) enrolls to a Symantec Encryption Management Server (PGP Server) so that the PGP Desktop client is managed by the server. This allows for control over policies and configuration parameters that may need to be locked down and to facilitate in central key/user management. 

You can enroll a PGP Desktop to the PGP Server with user credentials, or you can enroll with a certificate.  This article will go over how to enroll with a certificate, and even using smartcards/tokens where the certificates reside on the token itself.

Certificate enrollment is a method to enroll a user with the PGP Server using a public or private keypair. It requires an X.509 certificate on a smartcard. Certificate enrollment was designed to support environments where customers are using smartcards or certificates to authenticate with Windows.

Resolution

PGP Server Prerequisites for Certificate Enrollment:


*Directory Synchronization is required for Certificate Enrollment to be enabled (See Consumers > Directory Synchronization in the SEMS console for configuration).


*Active Directory (AD) should be configured to generate certificate on behalf of a smartcard user. 

*The Certificates are configured for the user and already validated to be associated to the AD Users who will be enrolling.

*Client Key Mode (CKM) is the only key mode that will be used for certificate enrollment.  The Certificate Enrollment process will ignore policy settings and will enforce CKM. The user will not see a "Key mode selection" screen as is normally seen during a regular enrollment if multiple keymodes are available.

*Certificate Enrollment must be enabled on the PGP server under Consumers > Directory Synchronization:

Note: If you want to allow other types of enrollment, you can also select "Allow", but "Deny" will block Certificate Enrollment.

 

*Ensure the Root and/or Intermediate Certificates have all been uploaded to the PGP Server's Trusted Keys and fully trusted.
Under Keys > Trusted Keys, click "Add Trusted Key..." and then browse to the certificate.

Check all the boxes to ensure the certificate will be fully trusted:

Tip: It is a good idea to make note of the fingerprints of the Root or Intermediate Certificates so you can validate they are in the list:

 

 

User Experience:

The first screen the user will see during this Certificate Enrollment is the following:

*The user who is enrolling must type the smartcard PIN (Personal Identification Number) in this dialog box to enroll.

*After PIN authentication is successful, the user will see the enrollment flow similar to the regular LDAP enrollment screens, depending on the policy.

*The user will not see a screen that prompts to select a key source either as the key that has been imported from a smartcard is the key with which the user will be enrolled.

*The user will no longer see a screen with a list of local keys and will not need to select the only key that is there. This screen usually follows the "key source selection," which is removed as described in the previous item.

*If silent enrollment is selected by policy, then the only interface that user will see is a dialog box prompting for the smartcard PIN.

*In the Certificate tab in the Keys option, select in the dropdown after "Import X.509 certificates as:"  "PGP Bundle keys" and dropdown select "Attempt" storage of keys on supported smartcards.

*If you are using CAPI for Enrollment, you will also need to set this value to something other than "Ignore":

 

PGP Server Prerequisites for Certificate Enrollment:

*The smartcard middleware is installed on the client machines.  This also means the tokens/smartcards/PIV cards are fully functional on the systems.

*The smartcard is accessible to PGP via Cryptographic Application Programming Interface (CAPI) (supported by the PGP Software Development Kit (SDK)).

*If expected to work with PGP Drive Encryption, the smartcard must be supported at pre-boot.

 

 

Troubleshooting:

 

Scenario 1: User is prompted for the PIN, which is accepted, but the enrollment still fails.

Solution:
*Check the client logs on the PGP server and see if this provides some clues on what to do. 

*Ensure Directory Synchronization is working.  It's a good idea to test regular LDAP Enrollment to see if that is working.

*Make sure the PGP Server is configured for Certificate Enrollment as mentioned in the Server Prerequisites above.

 

Scenario 2: Enrollment works, but Drive Encryption does not start automatically

Solution: For more information on this topic, see the following article for ideas on what may be going on:

156452 - Using Personal Identity Verification Cards, Smartcards and Tokens with PGP Desktop (PIV Cards)

Also, make sure smartcards are selected in the policy:

Additional Information

156452 - Using Personal Identity Verification Cards, Smartcards and Tokens with PGP Desktop (PIV Cards)