KB Article #101635

Summary of SPN setup steps


Problem:


This article summarizes the EMF SPN setup steps, discussed in full in the EMF Admin Guide.  The summary below should be sufficient if S/MIME concepts are already understood.

Details:

Here is a quick summary of the SPN setup steps between EMF servers at domains "A" and "B" (which domain is "A" and which is "B" is arbitrary):

1) Each domain generates a Local Root Key (root certificate):

    - In Setup > Secure Domains and Certificates > Local Certificates, choose Generate
    - enter the organization name (this identifies the certificate)
    - enter the local secure domain (the domain specified at EMF install time is automatically a local secure domain; other local secure domains must be added manually - see NOTE below)
    - select the public key length (1024 recommended)

    The certificate should:

    - appear as Certificate in Local Certificates section
    - appear as a Root key in Trusted Root Keys section
    - be selected for the local secure domain as the SPN and Proxy Signing cert

    You may wish to export or publish the root key for present or future Proxy Security usage.

2) In Setup > Security > Pending SPN Links, Domain B checks Autorespond and Forwarding name/address.

3) In Setup > Security > Pending SPN Links, Domain A selects Request, specifies the fully qualified domain name of Domain B, and waits for the autoresponse (click Refresh until the response appears).

4) After successful exchange, both A and B will have entries in their Pending Links section, and need to:

    In Setup > Security > Pending SPN Links:

    - select Accept to open the cert
    - verify fingerprints (out-of-band)
    - select Trust Unconditionally
    - select Accept at bottom

    This will create a domain B record in A's External folder and a domain A record in B's External folder, each with "Use SPN" checked (but not "Require").

5) Test SPN with Trace level logging (temporarily set the Policy Engine logging to trace level):

    - sending domain looks for events:

      8005 -- Preparing to S/MIME SPN encrypt/sign this message partition.
      8006 -- This partition was S/MIME SPN encrypted and signed.

    - receiving domain looks for event:

      8207 -- Message was S/MIME SPN encrypted and signed, and was
              successfully decrypted and verified.

    - There may be other 8xxx events related to the SPN.

6) Wait 24 hours, then set "Require" in each External domain record.  This delay is to allow any messages in transit between "A" and "B" that are not SPN-encrypted to flush.
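As an added aid for the trace-level test in step 5 (not part of the original article or the EMF product), the following script correlates the sending-domain events 8005/8006 with the receiving-domain event 8207 per message ID and flags anything missing or any other 8xxx event worth reviewing. The log line format and message IDs are constructed assumptions; adjust LINE_RE to match the real Policy Engine trace output.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed format. The real Policy Engine trace
# format is not given in the article; only the event codes come from it.
SENDER_LOG = """\
2024-05-01 10:00:01 trace msgid=<m1@a.example> event=8005 Preparing to S/MIME SPN encrypt/sign this message partition.
2024-05-01 10:00:01 trace msgid=<m1@a.example> event=8006 This partition was S/MIME SPN encrypted and signed.
2024-05-01 10:00:05 trace msgid=<m2@a.example> event=8005 Preparing to S/MIME SPN encrypt/sign this message partition.
2024-05-01 10:00:05 trace msgid=<m2@a.example> event=8011 (constructed) some other SPN-related event
"""
RECEIVER_LOG = """\
2024-05-01 10:00:03 trace msgid=<m1@a.example> event=8207 Message was S/MIME SPN encrypted and signed, and was successfully decrypted and verified.
"""

LINE_RE = re.compile(r"msgid=(?P<msgid><[^>]+>)\s+event=(?P<event>\d{4})")

SEND_EVENTS = {"8005", "8006"}   # expected on the sending domain
RECV_EVENTS = {"8207"}           # expected on the receiving domain

def events_by_message(log_text):
    """Map message id -> set of 8xxx event codes seen in one server's trace log."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("event").startswith("8"):
            seen[m.group("msgid")].add(m.group("event"))
    return seen

def check_spn(sender_log, receiver_log):
    """Return {msgid: status}. 'ok' means 8005 and 8006 on the sender and 8207
    on the receiver; otherwise the status names what is missing or unexpected."""
    sent = events_by_message(sender_log)
    received = events_by_message(receiver_log)
    result = {}
    for msgid in sorted(set(sent) | set(received)):
        s, r = sent.get(msgid, set()), received.get(msgid, set())
        problems = []
        if not SEND_EVENTS <= s:
            problems.append("sender missing " + ",".join(sorted(SEND_EVENTS - s)))
        if not RECV_EVENTS <= r:
            problems.append("receiver missing " + ",".join(sorted(RECV_EVENTS - r)))
        extra = (s | r) - SEND_EVENTS - RECV_EVENTS
        if extra:
            problems.append("other SPN events to review: " + ",".join(sorted(extra)))
        result[msgid] = "ok" if not problems else "; ".join(problems)
    return result

if __name__ == "__main__":
    for msgid, status in check_spn(SENDER_LOG, RECEIVER_LOG).items():
        print(msgid, status)
```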

Additional Information:

Prior to EMF 6.2, all requests (from either A or B) are always made by EMF using the default (install-time) local certificate, so to set up an SPN with a non-default certificate/domain, you need to have the other site request it from you.  This is a general technique - each site requests non-default certificates from the other site.  Multiple requests can be made for multiple non-default certificates, and the responding site simply discards the extra requests.

For example, if site A has local domains A1 and A2, and site B has local domains B1 and B2, the following sequence sets up 4 SPNs using all 4 local domains:

- admin at site A creates Local Certificates for domains A1 (default) and A2, and associates them
- admin at site B creates Local Certificates for domains B1 (default) and B2, and associates them
- admin at site A requests SPN with B1 -- A's EMF server sends request using cert for domain A1
- after both admins accept, domain record for A1 exists at B and domain record for B1 exists at A

- admin at site A requests SPN with B2 -- A's EMF server sends request using cert for domain A1
- admin at site B discards the request, since B already has a domain record and cert for A1; however, B still sends the auto response
- admin at site A accepts the response, creating domain record for B2

- admin at site B requests SPN with A2 -- B's EMF server sends request using cert for domain B1
- admin at site A discards the request, since A already has a domain record and cert for B1; however, A still sends the auto response
- admin at site B accepts the response, creating domain record for A2

The result is that site A has SPN domain records for B1 and B2, and site B has SPN domain records for A1 and A2.

As of EMF 6.2, any local secure domain can be selected in an SPN link request.