Entrust Messaging Server
Encrypted Email Communication with PNNL
Pacific Northwest National Laboratory has installed an appliance that performs centralized harvesting and management of certificates that are not directly available to PNNL. When someone at PNNL tries to send encrypted email to a recipient whose certificate is either not on file or not currently trusted by PNNL, the messaging server requests a certificate from that recipient. Once the server receives the certificate, it encrypts the original email to the public key in that certificate and delivers it to the recipient.
If you have received an email from email@example.com requesting your certificate, the body of that email names the PNNL staff member on whose behalf the messaging server is requesting it. The certificate authorities PNNL trusts are listed under Trusted Certificate Authorities below. If you would like help sending your certificate, see Help me send my certificate.
When you reply to the email with your certificate, the Messaging Server stores your certificate (and with it your public key), and you should not receive another request until that certificate expires. A certificate contains only your public key and identity, so sending it discloses nothing secret; never send a private key or a PKCS#12 (.p12/.pfx) file, which would contain one.
The easiest way to send your certificate is to reply to the request you received from firstname.lastname@example.org, keep the original message text in your reply, and digitally sign the reply. Most email clients have an option or button labelled "Sign" or "Digitally Sign" for this. A digitally signed S/MIME message normally carries the signer's certificate alongside the signature, which is how the messaging server obtains it.
The PNNL EMS system needs your digital certificate and accepts it in the following formats: S/MIME, as a .p7c or .p7b (PKCS#7) file; PGP; or OpenPGP, as an ASCII-armored .asc file. Replying to the original message with its text intact returns to EMS both the authentication token it expects from that request and the email address of the PNNL staff member who sent it; with both, the secure message intended for you can be delivered in a form you can decrypt.
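The exchange described above, replayed locally with the OpenSSL command line, as an added example that is not part of this page and not Entrust's or PNNL's code. It builds a throwaway test CA (a constructed stand-in for one of the CAs PNNL trusts) and a recipient certificate issued by it, exports that certificate as a .p7b file, signs a reply that keeps the quoted request text, and then does what the server does on receipt: verifies the signature against the trusted CA, writes out the signer's certificate, and confirms the quoted token came back. It also shows the failure case, the same reply checked against an unrelated CA. Assumptions, none of which come from the page: openssl is on PATH, and every name, address, the request text and the token value are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the PNNL page or from Entrust: replay the EMS
# certificate exchange locally with the OpenSSL command line.
# Assumptions (none come from the page): `openssl` is on PATH; a throwaway
# test CA stands in for one of PNNL's trusted CAs; every name, address, the
# quoted request text and the token value are constructed for this demo.
set -eu

WORK=${EMS_DEMO_DIR:-$(mktemp -d)}   # scratch directory for keys, certificates and mail

make_ca() {   # make_ca <file stem> <common name>: self-signed test CA (constructed)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/C=US/O=Example Test/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Constructed PKI: the trusted-CA stand-in, an unrelated CA that the server
# would not trust, and a recipient S/MIME certificate issued by the trusted one.
make_test_pki() {
  make_ca ca "Example Test Root"
  make_ca other-ca "Unrelated Root"
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/O=Example Org/CN=Jane Recipient" \
    -keyout "$WORK/jane.key" -out "$WORK/jane.csr" 2>/dev/null
  # An S/MIME signing certificate needs these extensions; `smime -verify`
  # rejects a signer whose key usage or EKU does not allow email protection.
  printf 'subjectAltName=email:jane@example.org\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=emailProtection\n' \
    > "$WORK/jane.ext"
  openssl x509 -req -in "$WORK/jane.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/jane.ext" \
    -out "$WORK/jane.pem" 2>/dev/null
}

# First accepted format on the page: the certificate alone as a PKCS#7 (.p7b) file.
export_p7b() {
  openssl crl2pkcs7 -nocrl -certfile "$WORK/jane.pem" -out "$WORK/jane.p7b"
  openssl pkcs7 -in "$WORK/jane.p7b" -print_certs -noout   # subject/issuer of what is inside
}

# The recommended path: reply to the request, keep its text, and sign the reply.
# `smime -sign` embeds the signer's certificate in the application/pkcs7-signature
# part by default, which is exactly what the server harvests.
sign_reply() {
  cat > "$WORK/reply.txt" <<'EOF'
Here is my certificate.

> The Entrust Messaging Server is requesting a certificate on behalf of
> Pat Sender <pat.sender@example.org>.      (constructed request text)
> Token: 7f3a9c1e-example                    (constructed token)
EOF
  openssl smime -sign -text -in "$WORK/reply.txt" \
    -signer "$WORK/jane.pem" -inkey "$WORK/jane.key" \
    -from jane@example.org -to ems@example.com -subject "Re: Certificate request" \
    -out "$WORK/reply.eml"
}

# What the server does on receipt: verify the signature against its trusted
# CAs, write out the signer's certificate, and confirm the token came back.
# Returns non-zero if the signer does not chain to the given CA or the token is missing.
harvest_cert() {   # harvest_cert <reply.eml> <trusted-ca.pem>
  openssl smime -verify -text -in "$1" -CAfile "$2" \
    -signer "$WORK/harvested.pem" -out "$WORK/body.txt" 2>/dev/null || return 1
  grep -q '^> Token:' "$WORK/body.txt" || return 1
  openssl x509 -in "$WORK/harvested.pem" -noout -subject -issuer -email
}

demo() {
  make_test_pki
  export_p7b
  sign_reply
  echo "--- signed reply verified against the trusted CA; harvested certificate:"
  harvest_cert "$WORK/reply.eml" "$WORK/ca.pem"
  echo "--- same reply checked against an unrelated CA (the server would reject it):"
  harvest_cert "$WORK/reply.eml" "$WORK/other-ca.pem" \
    || echo "rejected: signer does not chain to a trusted CA"
}

if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not found" >&2; fi
```

Run it as a script; the files it writes stay in the scratch directory printed by mktemp (or in EMS_DEMO_DIR if set). The same `openssl x509 -noout -issuer` call, run on your own certificate, tells you whether its issuer appears in the trusted list on this page before you reply; a certificate from any other issuer will not be harvested.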
The following websites have instructions for digitally signing messages with some common clients:
Below is the list of certificate authorities trusted by PNNL; the entries are root CAs except the last, DOD EMAIL CA-19, which is an issuing CA under the DoD root. Certificates issued under one of these CAs are trusted by PNNL and harvested automatically by the messaging server.
- cn=DoD CLASS 3 Root CA,ou=PKI,ou=DoD,o=U.S. Government,c=US
- cn=DoD Root CA 2,ou=PKI,ou=DoD,o=U.S. Government,c=US
- cn=ECA Root CA 2,ou=ECA,o=U.S. Government,c=US
- cn=ECA Root CA,ou=ECA,o=U.S. Government,c=US
- ou=Pacific Northwest National Laboratory,ou=department of energy,o=u.s. government,c=US
- ou=Headquarters,ou=department of energy,o=u.s. government,c=US
- cn=DOD EMAIL CA-19,ou=PKI,ou=DoD,o=U.S. Government,c=US