Sending and receiving S/MIME encrypted email with third parties who do not use PGP Server (Symantec Encryption Management Server)

Article ID: 158199

Products

Encryption Management Server

Issue/Introduction

The PGP Server (Symantec Encryption Management Server) supports the exchange of S/MIME encrypted messages with external users. In order to exchange S/MIME email:

  • You need to trust the third party's certificate chain, that is, the certificate(s) that issued the third party's personal certificate.
  • You need the third party's personal public S/MIME certificate.
  • The third party needs to trust your public Organization Certificate because it is what issues your personal certificate.
  • The third party needs your personal public S/MIME certificate.

Some of this initial configuration can be automated:

  • If your PGP Server has the Keyserver service enabled and it is reachable from the Internet, then the third party may be able to search your key server for certificates.
  • If the third party has a Keyserver such as the PGP Server that is reachable from the Internet, then your PGP Server can search it for certificates.
  • If your PGP Server has the Web Email Protection service enabled, third parties can be permitted to upload their public personal certificates and download your public Organization Certificate.

Sometimes it is not possible to automate this initial exchange of public certificates.

Environment

  • Encryption Management Server 3.4.2 and above.
  • Encryption Desktop 10.4.2 and above.

Resolution

Below is the easiest way to exchange public certificates manually with a third party who is using Microsoft Outlook.

The Encryption Management Server administrator does the following:

  1. Create or import an Organization Certificate in the Encryption Management Server administration console from the Keys / Organization Keys page. The Organization Certificate will almost certainly be a self-signed certificate because of the difficulty of obtaining a trusted Root Signing Certificate (subCA) from an external certificate authority.
  2. Within 24 hours, Encryption Management Server will issue all Internal Users with personal S/MIME certificates. Note that it is not possible to prevent all users from being issued with a personal certificate.
  3. If the public issuing certificates of the third party's personal certificate are available, you should import them under Keys / Trusted Keys in the administration console and trust them for Mail and, optionally, TLS.
  4. Import the personal public certificate of the third party under Users / External Users in the administration console. This will create an external user account for the third party. Alternatively, if you are using Web Email Protection, configure Web Email Protection to allow the third party to upload their own public certificate.

Once the external user has an account with an S/MIME certificate in Encryption Management Server, you can send them an S/MIME signed and encrypted message.

The external user does the following:

  1. In Outlook, a status line like this will appear at the top of the S/MIME message from the internal user:
  2. The external user clicks on the signature button (the exclamation mark icon) to open the Message Security Properties page. This shows the security layers of the message.
  3. They click on the Signer layer:
  4. They click on the Trust Certificate Authority button. This will show information about the Encryption Management Server public Organization Certificate. They confirm that they wish to trust it by clicking the Trust button:
  5. They confirm that they wish to install the public Organization Certificate. This will add it to the Trusted Root Certification Authorities container in their Windows certificate store:
  6. They refresh their Outlook Inbox by clicking on Sent Items and then on Inbox again.
  7. The signature on the S/MIME message now appears as valid and trusted.
  8. They select the S/MIME message and click on the Reply button to reply to it.
  9. As soon as they click on the Reply button, Outlook automatically adds the internal user's personal public S/MIME certificate to the Other People container in the Windows certificate store. Even if the external user does not click the Send button, this certificate remains in the external user's Other People container indefinitely.
  10. The external user will now be able to exchange S/MIME encrypted messages with the internal user.


Additionally, there was a known issue in PGP Server 10.5.1 where a certain attribute was omitted from messages, causing problems when sending well-formed S/MIME messages. This issue is resolved in PGP Server 10.5.1 MP2 (EPG-28860).