
PGP Universal Server and Intermediate Certificates

Wednesday, March 23, 2011

So this topic is pretty far off the path of SQL Server, but it's something I spent a lot of time trying to get resolved over the past couple of weeks. It drained a lot of my time and my colleagues' time, as well as that of Symantec / PGP technical support. I couldn't find any clear information in their forums or knowledge base, so I figured I'd write it up in the form I would have appreciated finding.

PGP Universal Server is an email (and other stuff) encryption application, primarily for enterprise use. One component of PGP Universal Server is the Web Messenger. You might have seen the Web Messenger's functionality before: we (the corporate empire that holds your personal information) need to tell you something private and want to send you an encrypted email. However, you quite likely don't have any encryption set up for your personal email, so instead we ask you to visit a server in our DMZ and read the message there over a secure connection. In this manner we're doing a bit of CYA while protecting your private information.

Well, in order for you to visit our DMZ server and read your email securely, we'll need to install an SSL certificate on that web server. Sounds simple, right? Not always.

In our particular case we were using a 2048-bit certificate issued by Entrust to secure the HTTPS connection. Adding the certificate was not particularly hard (disregard the firewall hell I ended up in), but we continued to receive errors about the certificate not being trusted. Digging around a bit, it was clear that we needed to get Entrust's root and intermediate certificates installed on the web server so that it could present the browser with the entire certificate chain. While this isn't a particularly difficult thing to accomplish on a normal Windows or Linux server, it proved quite tough because we had no access to the underlying Linux operating system of the PGP server.

We tried exporting the certificate from PGP into IIS, then back out of IIS as a PFX with the option to "include all certificates in the certification path," and finally back into PGP. That didn't change anything. We called technical support and stumped them for several hours until they gave us the glimmer of a solution that eventually got us into place. That solution?

  1. Log into PGP Universal Server with administrative rights (I was a superuser; I don't know what the least privilege required for this might be)
  2. Go to the Keys > Trusted Keys tab
  3. At the bottom of the list, choose "Add a trusted key"
  4. Import or paste your root certificate and select the top two check boxes: "Trust for TLS" and "Trust for SSL"
  5. Repeat the process for the intermediate certificate
  6. Go to the Services > Web Messenger tab
  7. Disable the Web Messenger service and, once the page refreshes, re-enable Web Messenger
  8. Test your SSL connection in a new browser window to see whether the error has gone away
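To see the failure the steps above work around, here is an added shell demo (not from the post, and nothing to do with PGP's own tooling) that builds a throwaway root, intermediate and leaf with openssl and then verifies the leaf with and without the intermediate available. It assumes the openssl CLI is installed; every name in it is constructed.

```shell
# Added demo (not from the post): build root -> intermediate -> leaf locally and
# show the leaf is trusted only once the intermediate is available. Assumes the
# openssl CLI; every name here is constructed.
set -eu
WORK=$(mktemp -d); cd "$WORK"
# Minimal config: CA extensions for root/intermediate, server extensions for leaf.
cat > demo.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_root
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_inter]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:webmessenger.example.com
EOF
gen_chain() {
  # Self-signed root CA: the one thing the browser already trusts.
  openssl req -config demo.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Root CA" -keyout root.key -out root.crt 2>/dev/null
  # Intermediate CA, signed by the root.
  openssl req -config demo.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -extfile demo.cnf -extensions v3_inter -out inter.crt 2>/dev/null
  # Leaf (the Web Messenger server certificate), signed by the intermediate.
  openssl req -config demo.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=webmessenger.example.com" -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 30 -extfile demo.cnf -extensions v3_leaf -out leaf.crt 2>/dev/null
}
# Path building with only the root in the trust store: exit 0 means accepted.
verify_without_intermediate() {
  openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1
}
# Same check with the intermediate supplied as untrusted chain material, which
# is what a correctly configured server sends alongside its own certificate.
verify_with_intermediate() {
  openssl verify -CAfile root.crt -untrusted inter.crt leaf.crt >/dev/null 2>&1
}
gen_chain
verify_without_intermediate && echo "root only: trusted" || echo "root only: NOT trusted"
verify_with_intermediate && echo "root+intermediate: trusted" || echo "root+intermediate: NOT trusted"
```

Against a live server, `openssl s_client -connect host:443 -showcerts` lists exactly which certificates it sends; if only the leaf appears, the browser is left to find the intermediate on its own, which is the trust error described above.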

An interesting observation was that while Entrust was already listed on the Trusted Keys screen, that entry was for the 1024-bit chain, whereas the certificates I needed to import belonged to the 2048-bit chain.

I would wager that this scenario would be the same for almost any other intermediate certificate you need to add to PGP Universal Server. It's unfortunate that there isn't anything clearly documented about where to go for this functionality, as it seems plenty of people will (or already do) stray from the default list of trusts.

I may take some time and share a few other exciting items from our recent trials with PGP…

  1. Tuesday, October 11, 2011 at 1115

    I know I am probably a small subset of people who will ever find this useful. However, after spending a few hours trying to get this to work and working with digicert support, this was a lifesaver. Thank you so much for posting this.

    • Ian
      Tuesday, October 11, 2011 at 1609

      I’m glad I could help. I posted it for exactly this reason because I was going crazy once, too…

  2. PGP admin in despair
    Friday, January 20, 2012 at 0750

    Thank you, thank you, thank you!!!!!!!!!!!!!!!!

  3. Michael
    Friday, February 17, 2012 at 1404

    I am almost two weeks into trying to get help with Symantec Support on this very issue. Your posted solution was the information I needed. Thank you.
