KB Article #101856
Proxy security and Entrust certificates
Summary:
How do I configure EMF to encrypt messages for Entrust users?
Symptom:
I received a signed message from an Entrust user and it has 2 certificates; what do I do?
Note: This technote assumes you are already familiar with setting up proxy security. Please see the administrator's guide if you are not.
Detailed Information:
Many certificate authorities issue just one certificate for both signing and encrypting. Entrust issues two separate certificates. This means that when you add an Entrust user to the EMF directory and apply a "proxy encrypt/sign" policy to that user, you must be sure that the user record is properly configured to encrypt using the Encrypting certificate.
If the wrong certificate is used for encryption, the Entrust user will get errors when they receive mail from EMF.
Resolution:
You can tell which Entrust cert is for encryption and which is for signing by viewing the properties of each one.
In EMF webadmin, go to Set Up Security > External Certificates (both certificates will appear on the list with the user's name).
View each certificate, and note the "Can be used for" section. One will specify encryption only, the other signing only.
Here is a trick to set up Entrust certificates properly:
1. Check the properties of both certificates, and set the ENCRYPTION one to be trusted and the SIGNING one to be untrusted.
2. On the user record (usually in a "Secure Users" folder under the External folder), go to the User Security section and add the encryption certificate. It is easy to tell which is correct because only the encryption cert will have a green "trusted" checkmark. When this certificate is the first one added, it becomes the one used for encryption.
3. Once the encryption cert is added to the user record and set as the cert to be used for the encryption, go ahead and trust the signing cert and add it to the user record too.
4. When setting the encryption algorithm, use Triple-DES. Some of the RC2 options do not work well with Entrust. Commercial Strength 112/Triple-DES is the default.
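The "Can be used for" field in webadmin reflects the certificate's X.509 Key Usage extension, so the same check can be made from the command line before the certificates are imported. The script below is an added example, not part of this technote or of EMF: it builds two constructed self-signed test certificates (placeholder subject and e-mail, not real Entrust-issued certs), one carrying only keyEncipherment and one carrying only digitalSignature, classifies each from its Key Usage extension with openssl, and picks the first encryption-capable one from a list, mirroring the rule in step 2 that the first certificate added to the user record is the one EMF encrypts with. The function names make_cert, cert_role and pick_encryption_cert are this example's own.

```shell
#!/bin/sh
# Added example: classify X.509 certificates as encryption or signing by Key Usage.
# The certificates are constructed test certs, not real Entrust certificates.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME KEYUSAGE: write a throwaway self-signed cert with the given key usage
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
    -subj "/CN=Entrust Test User/emailAddress=entrust.user@example.invalid" \
    -addext "keyUsage=critical,$2" >/dev/null 2>&1
}

# cert_role FILE: print encryption, signing, both or unknown, read from the
# "X509v3 Key Usage" line of the certificate's text dump
cert_role() {
  ku=$(openssl x509 -in "$1" -noout -text | sed -n '/X509v3 Key Usage/{n;p;}')
  case "$ku" in
    *"Digital Signature"*"Key Encipherment"*) echo both ;;
    *"Key Encipherment"*)                     echo encryption ;;
    *"Digital Signature"*)                    echo signing ;;
    *)                                        echo unknown ;;
  esac
}

# pick_encryption_cert FILE...: print the first cert whose key usage permits
# encryption. This is the one to add to the EMF user record first, because
# the first certificate added becomes the one used for encryption.
pick_encryption_cert() {
  for f in "$@"; do
    case "$(cert_role "$f")" in
      encryption|both) echo "$f"; return 0 ;;
    esac
  done
  echo "no encryption-capable certificate found" >&2
  return 1
}

# Constructed inputs: an Entrust-style pair, one cert per purpose
make_cert signing digitalSignature
make_cert encrypt keyEncipherment

ENC_ROLE=$(cert_role "$WORK/encrypt.pem")
SIG_ROLE=$(cert_role "$WORK/signing.pem")
# Deliberately list the signing cert first to show the selection is by key usage, not order
FIRST_ENC=$(pick_encryption_cert "$WORK/signing.pem" "$WORK/encrypt.pem")

printf '%s: %s\n' "$WORK/encrypt.pem" "$ENC_ROLE"
printf '%s: %s\n' "$WORK/signing.pem" "$SIG_ROLE"
printf 'add this one to the user record first: %s\n' "$FIRST_ENC"
```

Run it on exported Entrust certificates by pointing cert_role at the PEM files instead of the constructed ones; a certificate that reports "both" is the single dual-purpose kind issued by most other CAs, and "unknown" means the certificate carries no Key Usage extension and should be checked manually in webadmin.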