Configure Certificate Stores
When you do certificate-based encryption, PK Protect looks for X.509 certificates and OpenPGP keys first in your system’s local certificate stores. These stores are managed by Windows and contain your personal certificates as well as any certificates that you have received from other people (by email, for example) to use to authenticate digital signatures or encrypt files.
Many organizations create a central repository for digital certificates on an LDAP-compliant directory server. (LDAP—Lightweight Directory Access Protocol—is a standard for accessing information over a network.) People in the organization can then access certificates in the central certificate store as if the certificates were on their local system. Similar key stores exist for OpenPGP keys.
If you have access to a key or certificate server, you can specify the server in PK Protect. PK Protect Attachments can then query that store from Microsoft Outlook to obtain the keys it needs to encrypt.
PK Protect comes with one directory server certificate store already defined for you: a public VeriSign directory server, which is defined but not activated. Certificates purchased from VeriSign are accessible on the VeriSign server.
You can specify multiple directories containing certificates for PK Protect to use.
Note: PK Protect uses certificates stored on a directory server only for encrypting. Certificates you use to digitally sign files or to authenticate digital signatures must be in local stores on your own system.
When encrypting email attachments for email recipients, PK Protect uses certificates stored on a directory server only for message recipients specified in the TO: or CC: lines of an email message.
Access to certificate stores on other directory servers is provided by the Directory Integration feature.
To specify a directory for PK Protect to search for certificates:
1. Click Configure in the Certificates Stores section of Security options to see a list of certificate stores PK Protect can search.
The Certificate Stores list contains an item for every certificate store PK Protect knows about. A store is labeled either Local, KeyServer or LDAP in the Type column, depending on whether the store is on your local system, serves OpenPGP keys, or serves X.509 certificates on an LDAP-compliant directory server.
A check in the check box to the left of a store indicates that PK Protect looks for certificates there. Clear the box if you do not want PK Protect to use certificates from that store.
2. Click Add to open a new Server Properties dialog. Fill in the fields with the information PK Protect needs to access the directory. (You may need to get this information from a system administrator.)
3. After you close the Server Properties dialog, click OK on the Certificates Stores page to save the new entry for PK Protect to use.
To edit properties of a directory in the Certificate Stores list:
1. Select a store in the list.
2. Click Edit to display the Server Properties dialog for the store. Make your changes on this page.
3. Close the Server Properties page. Click OK on the Certificates Stores page to save your changes.
To delete a no-longer-usable entry for a directory from the Certificate Stores list:
Select the entry in the list and click Delete.
If you may want to use the entry again in the future, do not delete it. Instead, just clear its check box to deactivate it. PK Protect does not use items that are not checked.
You cannot delete the VeriSign directory. If you do not want to use it, clear the check box.
To query a selected directory server to find certificates:
1. Select a server to query from the Certificate Stores list.
2. Choose Query Server to open the Advanced Directory Search dialog. Enter your query here.
To change the order in which PK Protect searches listed stores for certificates:
Select a store in the Certificate Stores list and click Move Up or Move Down to change the store's position in the list.
PK Protect searches stores in the order they are listed and stops searching as soon as all required certificates are found. For best performance, move the stores most likely to contain the certificates you use often to the top of the list.
When Multiple Matching Certificates Are Found
Ordinarily, an entry in an LDAP directory contains at most one certificate, but it may contain more. If PK Protect finds multiple matching certificates in the same LDAP entry, PK Protect picks the (valid) certificate whose expiration date is farthest in the future.
If PK Protect finds multiple LDAP entries that each contain a matching certificate for some recipient, PK Protect uses a certificate from each entry to encrypt the archive and issues a warning that multiple certificates were found. The certificates may belong to different people who have the same name, in which case the owner of any of those certificates can decrypt the archive.
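The search-order and multiple-match rules described above, modelled in Python as an added illustration for this page (not PK Protect's own code): stores are walked in list order until every recipient has a certificate, the valid certificate expiring farthest in the future is chosen within an entry, and one certificate per matching entry is used with a warning. "Valid" is assumed here to mean simply inside the notBefore/notAfter window; the store names, entry DNs and certificates are constructed.

```python
from dataclasses import dataclass
from datetime import date
# Constructed model of the selection rules this page describes; not PK Protect's own code.
@dataclass(frozen=True)
class Cert:
    subject: str      # name the recipient is matched on
    serial: str       # constructed label, used only to report which certificate was chosen
    not_before: date
    not_after: date

def pick_from_entry(certs, today):
    """One LDAP entry: the valid (in-window) certificate expiring farthest in the future, or None."""
    valid = [c for c in certs if c.not_before <= today <= c.not_after]
    return max(valid, key=lambda c: c.not_after) if valid else None

def select_for_recipient(entries, recipient, today):
    """entries = [(entry_dn, [Cert, ...]), ...] from one store. One certificate is used
    per matching entry; a warning is returned when more than one entry matched."""
    chosen = []
    for dn, certs in entries:
        best = pick_from_entry([c for c in certs if c.subject == recipient], today)
        if best is not None:
            chosen.append((dn, best))
    warning = f"multiple certificates found for {recipient}" if len(chosen) > 1 else None
    return chosen, warning

def resolve_recipients(stores, recipients, today):
    """stores = [(store_name, entries), ...] in list order; stop once every recipient has a certificate."""
    resolved, warnings = {}, []
    for name, entries in stores:
        for r in recipients:
            if r not in resolved:
                chosen, warning = select_for_recipient(entries, r, today)
                if chosen:
                    resolved[r] = chosen
                if warning:
                    warnings.append(f"{name}: {warning}")
        if all(r in resolved for r in recipients):
            break   # later stores in the list are not queried
    return resolved, warnings
# Constructed sample directory contents (not real servers, entries or certificates).
TODAY = date(2024, 6, 1)
SAMPLE_STORES = [
    ("Local", [("cn=Bob Example", [Cert("Bob Example", "bob-1", date(2023, 1, 1), date(2025, 1, 1))])]),
    ("Corporate LDAP", [
        ("cn=Alice Example,ou=Sales", [Cert("Alice Example", "alice-old", date(2022, 1, 1), date(2024, 1, 1)),
                                       Cert("Alice Example", "alice-new", date(2024, 1, 1), date(2026, 1, 1))]),
        ("cn=Alice Example,ou=Legal", [Cert("Alice Example", "alice-legal", date(2023, 1, 1), date(2025, 1, 1))]),
    ]),
]
```

Running `resolve_recipients(SAMPLE_STORES, ["Alice Example", "Bob Example"], TODAY)` resolves Bob from the Local store, skips Alice's expired certificate in the Sales entry, and returns one certificate from each of the two Alice entries together with a warning.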