PGP Encryption Server (Symantec Encryption Management Server) enables the Certificate Revocation Service by default

Article ID: 174739

Products

Encryption Management Server, Gateway Email Encryption

Issue/Introduction

The PGP Encryption Server (Symantec Encryption Management Server) Certificate Revocation service is enabled by default.

Environment

PGP Encryption Server 3.3.2 MP13 and above.

Cause

The Certificate Revocation service publishes the Certificate Revocation List (CRL) over HTTP. The PGP Encryption Server listens on TCP port 80, and third parties check the CRL by connecting over HTTP and fetching the *.crl file.

All certificates contain an attribute called CRL Distribution Points, and this attribute holds the URL of the Certificate Revocation List. This applies both to certificates issued by well-known Certificate Authorities and to those issued by the PGP Encryption Server.

Email clients check the CRL when sending an encrypted message in order to confirm that the certificate to which they are encrypting the message has not been revoked.

Generally, if the email client cannot check the CRL, it will still encrypt the message. By default, the PGP Encryption Server will also encrypt messages even if the recipient's CRL cannot be checked, though it will write a warning to the Mail log. It will also check revocation using OCSP, which is an alternative mechanism to the CRL.
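The revocation check described above, written out as an added example (this is not the product's code): a constructed CA issues an S/MIME-style certificate carrying a CRL Distribution Point URL on a hypothetical host, publishes a CRL that revokes it, and a checker verifies the CRL signature against the CA before trusting it, returning "unknown" (the soft-fail case where the server encrypts anyway and logs a warning) when no valid CRL is available.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// checkCRL returns "revoked", "good" or "unknown". A nil crl, or one not signed by the
// issuing CA, is the soft-fail case: revocation cannot be verified, the server encrypts anyway and logs a warning.
func checkCRL(leaf, issuer *x509.Certificate, crl *x509.RevocationList) string {
	if crl == nil || crl.CheckSignatureFrom(issuer) != nil {
		return "unknown"
	}
	for _, e := range crl.RevokedCertificateEntries {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return "revoked"
		}
	}
	return "good"
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// fixture: constructed CA, S/MIME-style leaf with a CRL Distribution Point on a hypothetical host, CA-signed CRL revoking the leaf.
func fixture() (leaf, ca *x509.Certificate, crl *x509.RevocationList) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // one key reused for both certs, fixture only
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Org CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caT, caT, &key.PublicKey, key))))
	leafT := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "alice@example.com"}, NotBefore: caT.NotBefore,
		NotAfter: caT.NotAfter, CRLDistributionPoints: []string{"http://keys.example.com/crl/example-org-ca.crl"}}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafT, ca, &key.PublicKey, key))))
	crlT := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificateEntries: []x509.RevocationListEntry{{SerialNumber: leafT.SerialNumber, RevocationTime: time.Now()}}}
	return leaf, ca, must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, crlT, ca, key))))
}

func main() {
	leaf, ca, crl := fixture()
	fmt.Println(leaf.CRLDistributionPoints, checkCRL(leaf, ca, crl), checkCRL(leaf, ca, nil))
}
```

Because the CRL is fetched over plain HTTP, the CA signature check in checkCRL is what makes the list trustworthy; a list that fails that check is treated the same as an unreachable one.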

Resolution

The PGP Encryption Server automatically creates S/MIME certificates for internal users if an Organization Certificate is present. If no Organization Certificate exists, the Certificate Revocation service can be disabled. This stops it from listening on TCP port 80 and accepting inbound HTTP connections.

If the PGP Encryption Server does have an Organization Certificate, internal users will be issued S/MIME certificates. To comply with standards, it is best practice to enable the Certificate Revocation service and permit inbound HTTP connections from the Internet. In addition, the server should be permitted to reach the CRLs of third parties by making outbound connections over HTTP.

Additional Information

235862 - Symantec Encryption Management Server unable to process mail when using OCSP

163194 - Symantec Encryption Management Server may encrypt messages to revoked S/MIME certificates if the CRL or OCSP is unavailable

171558 - Inbound S/MIME messages fail to be decrypted if Encryption Management Server cannot make outbound HTTP connections