Configure Certificate Stores
When you do certificate-based encryption, Smartcrypt looks for X.509 certificates and OpenPGP keys first in your system’s local certificate stores. These stores are managed by Windows and contain your personal certificates as well as any certificates that you have received from other people (by email, for example) to use to authenticate digital signatures or encrypt files.
Many organizations create a central repository for digital certificates on an LDAP-compliant directory server. (LDAP—Lightweight Directory Access Protocol—is a standard for accessing information over a network.) People in the organization can then access certificates in the central certificate store as if the certificates were on their local system. Similar key stores exist for OpenPGP keys.
If you have access to a key or certificate server, you can specify the server in Smartcrypt. Smartcrypt Attachments can then query the store from Microsoft Outlook to retrieve keys for encryption.
Smartcrypt comes with one directory server certificate store already defined for you: a public VeriSign directory server, which is defined but not activated. Certificates purchased from VeriSign are accessible on the VeriSign server.
You can specify multiple directories containing certificates for Smartcrypt to use.
Note: Smartcrypt uses certificates stored on a directory server only for encrypting. Certificates you use to digitally sign files or to authenticate digital signatures must be in local stores on your own system.
When encrypting email attachments for email recipients, Smartcrypt uses certificates stored on a directory server only for message recipients specified in the TO: or CC: lines of an email message.
Access to certificate stores on other directory servers is provided by the Directory Integration feature.
To specify a directory for Smartcrypt to search for certificates:
1. Click Configure in the Certificates Stores section of Security options to see a list of certificate stores Smartcrypt can search.
The Certificate Stores list contains an item for every certificate store Smartcrypt knows about. A store is labeled Local, KeyServer, or LDAP in the Type column, depending on whether the store is on your local system, serves OpenPGP keys, or serves X.509 certificates on an LDAP-compliant directory server.
A check in the check box to the left of a store indicates that Smartcrypt looks for certificates there. Clear the box if you do not want Smartcrypt to use certificates from that store.
2. Click Add to open a new Server Properties dialog. Fill in the fields with the information Smartcrypt needs to access the directory. (You may need to get this information from a system administrator.)
3. After you close the Server Properties dialog, click OK on the Certificates Stores page to save the new entry for Smartcrypt to use.
To edit a certificate store:
1. Select a store in the list.
2. Click Edit to display the Server Properties dialog for the store. Make your changes on this page.
3. Close the Server Properties page. Click OK on the Certificates Stores page to save your changes.
To delete a certificate store:
1. Select the entry in the list and click Delete.
If you may want to use the entry again in the future, do not delete it. Instead, just clear its check box to deactivate it. Smartcrypt does not use items that are not checked.
You cannot delete the VeriSign directory. If you do not want to use it, clear the check box.
To query a directory server:
1. Select a server to query from the Certificate Stores list.
2. Choose Query Server to open the Advanced Directory Search dialog. Enter your query here.
To change the order in which stores are searched:
1. Select a store in the Certificate Stores list and click Move Up or Move Down to change the store's position in the list.
Smartcrypt searches stores in the order they are listed and stops searching when all required certificates are found. For best performance, move the stores most likely to contain the certificates you use often to the top of the list.
When Multiple Matching Certificates Are Found
Ordinarily, an entry in an LDAP directory contains at most one certificate, but it may contain more. If Smartcrypt finds multiple matching certificates in the same LDAP entry, Smartcrypt picks the (valid) certificate whose expiration date is farthest in the future.
If Smartcrypt finds multiple LDAP entries that each contain a matching certificate for some recipient, Smartcrypt uses a certificate from each entry to encrypt the archive and issues a warning that multiple certificates were found. The certificates may belong to different people who have the same name, in which case the owner of any of them can decrypt.
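The following Python model, added here as an illustration and not Smartcrypt's own code, ties together the search-order rules above (stores consulted in list order, unchecked stores skipped, search stopping once every recipient has a certificate) and the selection rules in this section (within one directory entry, the valid certificate expiring last; across several entries, one certificate per entry plus a warning). The `Cert` and `Store` records, the assumption that a lookup matches on the subject name, and the constructed sample stores and dates are all inventions for the demonstration; no real certificates are involved. The warning case is the one worth acting on: if two entries share a name, the archive is readable by whoever holds either certificate, so the recipient's identity should be confirmed before sending.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    """Stand-in for one X.509 certificate returned by a store lookup (constructed, not real)."""
    subject: str          # name the certificate is issued to (assumed: what the lookup matches on)
    entry_dn: str         # directory entry the certificate was read from
    not_after: datetime   # expiration date
    revoked: bool = False


@dataclass
class Store:
    name: str
    kind: str             # "Local", "KeyServer" or "LDAP", as in the Type column
    enabled: bool         # the check box next to the store
    certs: list


def is_valid(cert: Cert, now: datetime) -> bool:
    return not cert.revoked and cert.not_after > now


def pick_from_entry(certs: list, now: datetime):
    """Within one directory entry, keep the valid certificate whose expiration is farthest out."""
    valid = [c for c in certs if is_valid(c, now)]
    return max(valid, key=lambda c: c.not_after) if valid else None


def lookup_recipient(store: Store, recipient: str, now: datetime):
    """Return (chosen_certs, warning) for one recipient in one store.

    One certificate is chosen per matching entry. More than one matching entry
    means more than one certificate is used, and a warning is produced because
    the entries may belong to different people with the same name.
    """
    by_entry: dict = {}
    for c in store.certs:
        if c.subject == recipient:
            by_entry.setdefault(c.entry_dn, []).append(c)
    chosen = [best for best in (pick_from_entry(cs, now) for cs in by_entry.values()) if best]
    warning = None
    if len(chosen) > 1:
        warning = (f"{store.name}: multiple certificates found for {recipient!r}; "
                   "encrypting to all of them: " + ", ".join(c.entry_dn for c in chosen))
    return chosen, warning


def resolve_recipients(stores: list, recipients: list, now: datetime):
    """Search enabled stores in list order; stop once every recipient has a certificate.

    Returns (found, still_missing, stores_searched, warnings).
    """
    found: dict = {}
    warnings: list = []
    searched: list = []
    pending = set(recipients)
    for store in stores:
        if not pending:
            break          # all required certificates found: stop searching
        if not store.enabled:
            continue       # unchecked stores are never consulted
        searched.append(store.name)
        for recipient in sorted(pending):
            chosen, warning = lookup_recipient(store, recipient, now)
            if chosen:
                found[recipient] = chosen
                pending.discard(recipient)
                if warning:
                    warnings.append(warning)
    return found, sorted(pending), searched, warnings


NOW = datetime(2024, 1, 1, tzinfo=UTC)   # constructed "current" time for the demo

# Constructed sample stores in list order; the VeriSign entry is defined but not activated.
SAMPLE_STORES = [
    Store("Personal", "Local", True, [
        Cert("Alice Example", "local:Personal", datetime(2025, 6, 1, tzinfo=UTC)),
    ]),
    Store("VeriSign", "LDAP", False, [
        Cert("Bob Example", "cn=Bob Example,o=VeriSign", datetime(2026, 1, 1, tzinfo=UTC)),
    ]),
    Store("corp-ldap", "LDAP", True, [
        # one entry holding three certificates: one expired, two still valid
        Cert("Bob Example", "cn=Bob Example,ou=Sales,o=Example", datetime(2023, 1, 1, tzinfo=UTC)),
        Cert("Bob Example", "cn=Bob Example,ou=Sales,o=Example", datetime(2024, 9, 1, tzinfo=UTC)),
        Cert("Bob Example", "cn=Bob Example,ou=Sales,o=Example", datetime(2025, 3, 1, tzinfo=UTC)),
        # a second entry with the same name: possibly a different person
        Cert("Bob Example", "cn=Bob Example,ou=Legal,o=Example", datetime(2025, 12, 1, tzinfo=UTC)),
        # a recipient whose only certificate is revoked, so nothing usable is found
        Cert("Carol Example", "cn=Carol Example,ou=IT,o=Example", datetime(2024, 12, 1, tzinfo=UTC), revoked=True),
    ]),
]

if __name__ == "__main__":
    found, missing, searched, warnings = resolve_recipients(
        SAMPLE_STORES, ["Alice Example", "Bob Example", "Carol Example"], NOW)
    print("stores searched:", searched)
    for name, certs in found.items():
        print(name, "->", [(c.entry_dn, c.not_after.date().isoformat()) for c in certs])
    print("no usable certificate:", missing)
    for w in warnings:
        print("WARNING:", w)
```

Running the block as a script shows the Personal store satisfying Alice, the deactivated VeriSign store being skipped, Bob resolving to two certificates from two corp-ldap entries with a warning, and Carol left unresolved because her only certificate is revoked. Asking for Alice alone stops after the first store, which is the performance point behind ordering the list.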