This article is designed to help administrators to understand and use Wrapper and Bundle keys in PGP Desktop 9.5.x and PGP Universal Server 2.5/2.6.
HOW TO: Use Wrapper and Bundle Keys in PGP Desktop 9.5/9.6 and PGP Universal Server 2.5/2.6.
Bundle and Wrapper Keys are options for importing X.509 certificates from Smartcards into your PGP Environment. Administrators control the options for these key types through key settings. Wrapper and Bundle Keys will each be explained and then instructions on how to create/import them with a Smartcard will be given.
Bundle Keys are new with PGP Desktop 9.5/9.6 and PGP Universal Server 2.5/2.6. They allow you to import multiple X.509 certificates, including those on smartcards, as subkeys onto a new PGP key so as to retain the integrated identity inherent in such certificate collections. Additionally, X.509 certificates can be imported from PKCS 12 or PEM files as subkeys of existing PGP keys. Export as certificates is also supported.
|Note: PGP supports the import of PKCS-12 and PEM files with the extensions *.p12, *.pfx, *.pem, and *.cer.|
Bundle Keys are useful because users may already have multiple X.509 certificates (often on a smartcard) prior to their PGP deployment. PGP Universal requires a single key for each user/email address. Prior to PGP Desktop 9.5.x, normal PGP keys could not have subkeys associated with them. With PGP Desktop 9.5/9.6, users can now import the keys from an X.509 certificate into a normal PGP key as subkeys.
Bundle Keys allow you to create a PGP key for your identity, which then can have subkeys which correspond to your X.509 certs. Before PGP Desktop 9.5.x, you could not have subkeys, so this was problematic and Wrapper Keys were used instead. With the addition of subkeys, X.509 certificates can now be bundled with a normal PGP key as a single identity, which improves PGP compatibility with X.509 certificates. It is common for an X.509 certificate to have restrictions on the types of operations it can perform, such as message signing only or encryption only. These restrictions will be respected when such certificate becomes a part of PGP key.
|Caution: Only X.509 certificates with private keys can be imported into a PGP key. Otherwise, for public-only X.509 certificate the only option is a wrapper key.|
With a bundle key, you have one PGP identity to correspond with your signing and encryption keys. This means one PGP key to manage, one key to publish. As your certificates are renewed, the same normal PGP key can get the updated certificate as a new subkey, so your keyid doesn't have to change.
|Note: PGP recommends using Bundle Keys for importing X.509 certificates from Smartcards.|
Wrapper keys are an older technology that have been in previous versions of PGP products. Prior to PGP Desktop 9.5, if you wanted to use the keys on an X.509 certificate with PGP Desktop, you imported the keys on the X.509 certificate into PGP Desktop, which "wrapped" a PGP key around them, hence the name Wrapper Key.
Using Wrapper keys creates one PGP key per X.509 certificate in a deterministic way. The keys imported on different computers from the same X.509 certificate will be identical. PGP Desktop 9.5/9.6 will not attempt to link multiple keys created by this method.
|Note: The use of Wrapper Keys is NOT recommended by PGP because they function only in an exclusively S/MIME environment.|
Setting Universal Policy to Control Importation of X.509 Certificates
This provides step-by-step instructions on how to import X.509 Certificates using Smartcards, which will create either a Bundle or Wrapper Key dependent upon the policies you will have set up.
- Go to the Policy/Internal User Policy card in the Universal Admin Console.
- Click on the Internal User Policy that you want to modify. The Policy Options screen for the chosen policy appears.
- Click the Edit button next to Key Settings. The Key Settings screen appears for the policy.
- Click on the Options tab.
- Under the Smartcards section, Next to Import X.509 Certificates from Smartcards as: Choose the option you want from the drop down box.
If User Selectable is chosen, the assistant runs when an unrecognized smartcard is inserted.
- Click the Save button.
Creating Bundle and Wrapper Keys
- Insert Smartcard containing unrecognized certificate OR
- Manually Import the private X.509 certificate file (*.pfx, *.p12) The Import Certificate Assistant appears.
- Choose the appropiate radio button under Import this certificate.
- Click Next to continue.
- Your X.509 certificate will now either be a Subkey of an existing PGP key (bundle key) or a wrapper key.
- A Bundle Key displays in the key properties of the PGP key that has the X.509 as a subkey in PGP Desktop.