Symantec Encryption Management Server includes over one hundred certificates from well known Certificate Authorities. These are shown in the administration console under Keys / Trusted Keys.
The User ID field for many of these certificates is identical. For example, there are over 10 trusted certificates with a User ID of VeriSign. This can make it difficult to determine whether a certificate that an administrator wishes to add to Trusted Keys is already present.
The User ID field shows the Organization (O) attribute from the Subject field of the certificate.
For example, a trusted certificate with a User ID of Thawte has the following attributes in its Subject field:
CN = Thawte Timestamping CA OU = Thawte Certification O = Thawte L = Durbanville S = Western Cape C = ZA
To identify a trusted certificate, click on its User ID and make a note of its Fingerprint. This is unique for each certificate and is displayed in upper case. In Microsoft Windows, double click on the certificate to view its properties and under the Details tab note its Thumbprint which is displayed in lower case. If Fingerprint and Thumbprint are identical (ignoring the case of the characters) then the certificates are identical.
Note that if an administrator adds a certificate to Trusted Keys that is already present, the existing certificate will be replaced; a duplicate User ID will not be created.
If the User ID field under Trusted Keys displayed the Common Name (CN) attribute from the Subject field of the certificate, it would be quicker to identify certificates because Common Name is generally unique. This change is under consideration for a future release of Symantec Encryption Management Server.
TIP: If importing a Root or Intermediate Certificate is necessary, an easy way to visibly know which cert was just imported is by checking the following three boxes upon import:
Trust key for verifiying mail encryption keys
Trust key for verifying SSL/TLS certificates
Trust key for verifying keyserver client certificates
The default trust for certificates is "Mail, TLS" Upon import and checking all the boxes above, the certificate will show up as "Full", which will be easy to distinguish as the new cert just imported. Using the Thumbprint, however, is the only way to know for sure if the actual certificate was imported.
Subscribing will provide email updates when this Article is updated. Login is required.