Frequently Asked Questions

Entrust Secure Email Certificates

  1. Do both parties need an Entrust Secure Email cert to communicate?
  2. How do the parties exchange certificates if they are encrypting?
  3. How does Entrust protect these private keys since they keep a backup of them for us?
  4. What should the customer administrator do in the following situations?
  5. Does a re-issue of a certificate last for a year?
  6. Can I use the Secure Email certificates for MS Office Document signing?
  7. Does this ID offer non-repudiation?
  8. Can I use my personal email account to obtain the certificate my corporation has purchased for me?
  1. Do both parties need an Entrust Secure Email cert to communicate?
    • No. Neither party needs an Entrust certificate specifically; any X.509 S/MIME certificate (public or private, from any vendor) will do.
    • Encryption — both parties need an X.509 S/MIME certificate.
    • Signing — only the signer needs a certificate; the verifier does not.
  2. How do the parties exchange certificates if they are encrypting?
    • There is no central directory to publish the certificates to, so users who wish to encrypt must exchange certificates manually. This is commonly done by sending a signed email to the recipient; the recipient's mail client "harvests" (collects) the sender's encryption certificate from the signed message.
  3. How does Entrust protect these private keys since they keep a backup of them for us?
    • The keys are stored in Entrust’s secure facility, protected by a security level that no one customer would be able to provide on their own; it is the same protection offered by our public certificate business. They have the same level of protection as our CA keys, including aspects of physical security (room access), logical security (dual custody for access) and storage security (encrypted and integrity-protected with CA keys)
    • This is not a case where any Entrust IT employee could get at these keys.
  4. What should the customer administrator do in the following situations?
    • User lost their password — Re-issue the certificate to the user at no cost; it will include the previous private keys, so anything encrypted with the older keys can still be decrypted.
    • User's machine is destroyed — If the user still remembers their password, they can use the same pickup link to pick up their certificate again; if they no longer have the email, the administrator can resend the pickup link.
    • User suspects their key has been compromised — Revoke and re-issue the certificate to the user at no cost; it will include the previous private keys, so anything encrypted with the older keys can still be decrypted.
    • Employee departs the organization — Revoke the certificate. The user will no longer be able to sign on behalf of the organization.
    • Renewal — Fill out the certificate request form again. As long as the email address is the same, the previous certificates and keys will be included in the new certificate.
    • Employee name change — If the employee wants to change their email address, they would be required to purchase/use another license/inventory. To decrypt old emails they would need to keep access to their previous certificate; the two addresses are treated as separate IDs.
  5. Does a re-issue of a certificate last for a year?
    • No. A re-issue has the same expiry as the original certificate, because it is at no charge. Only a renewal offers a new term, and as a result it uses another license/inventory.
  6. Can I use the Secure Email certificates for MS Office Document signing?
    • Yes, you can.
  7. Does this ID offer non-repudiation?
    • In order to offer fully automated key backup, Entrust generates the private key on the Entrust server and delivers it to the end user in PKCS#12 (P12) format. Because it is a dual-usage single key pair, the signing key is also generated on the Entrust server and not on the client machine. This may negate non-repudiation. We recommend you discuss this with your legal team.
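A check a recipient or administrator can run on a received S/MIME certificate, as an added example in Go that is not code from Entrust or this FAQ: it reads the certificate's Key Usage bits to report which of the roles in item 1 the certificate supports (signing, being encrypted to), whether it is the dual-usage single key pair described in item 7, and whether the issuer asserted the nonRepudiation (contentCommitment) bit. The sample certificate is self-signed and constructed for the demo; the address user@example.com is a placeholder.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"math/big"
	"time"
)

// SMIMEUse records what an S/MIME certificate is marked for, from its Key Usage bits.
type SMIMEUse struct {
	CanSign    bool // digitalSignature: the holder can sign mail
	CanEncrypt bool // keyEncipherment: others can encrypt mail to the holder
	DualUse    bool // one key pair serves both purposes (FAQ item 7)
	NonRepud   bool // the CA asserted nonRepudiation (contentCommitment)
}

// Classify reads the usage bits of a parsed certificate.
func Classify(cert *x509.Certificate) SMIMEUse {
	u := SMIMEUse{}
	u.CanSign = cert.KeyUsage&x509.KeyUsageDigitalSignature != 0
	u.CanEncrypt = cert.KeyUsage&x509.KeyUsageKeyEncipherment != 0
	u.DualUse = u.CanSign && u.CanEncrypt
	u.NonRepud = cert.KeyUsage&x509.KeyUsageContentCommitment != 0
	return u
}

// SampleCert builds a constructed self-signed dual-use certificate (not Entrust-issued) for offline use.
func SampleCert() (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		EmailAddresses: []string{"user@example.com"}, // placeholder address
		NotBefore:      time.Now(),
		NotAfter:       time.Now().AddDate(1, 0, 0),
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Run Classify on a certificate harvested from a signed message (item 2) to confirm it carries keyEncipherment before encrypting to that address.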
  8. Can I use my personal email account to obtain the certificate my corporation has purchased for me?
    • No. Because Secure Email Enterprise certificates are Class II certificates, Entrust validates the organization and the email domain. The administrator approves or denies the certificate request. If your request does not match an email domain already verified by Entrust in your account, you will not be able to request the certificate. Since we cannot verify that "hotmail" or "gmail" are domains owned by your organization, a Secure Email Enterprise certificate cannot be issued to those types of email addresses.
    • However, you would be able to issue the Secure Email Personal certificate to a hotmail account, because we do not verify the email domain for that product.