microsoft.public.exchange2000.admin, November 2002
Certificate Services and KMS questions
Fred Percynski, 2002-11-15, 9:23 am

[Tried posting this in microsoft.public.exchange2000.kms but got no response,
so hopefully there are some admins out there who can answer my questions.]
We currently have a POP3 / Outlook Express environment migrating to Exchange
/ Outlook. Thirty employees have VeriSign digital certs for signing and
encrypting email with internal and external contacts. Ideally what I want
to happen is that I can import the VeriSign digital certs into Active
Directory. This way all the accounts in Active Directory have access to
the user's public key. But I don't think this is possible, is it? From what I
understand the only way to add the user's digital cert into Active Directory
is to let KMS handle it. And I think I read that KMS only supports
Microsoft's digital certs. Is all of this correct so far?
I read in Scott Scholl's book that Certificate Services can be installed in
"Enterprise Subordinate CA" mode (page 629). However the book doesn't
elaborate on this. Does this configuration require a digital cert from a
company like VeriSign to "prove" to the outside world who we are, and in
turn rely on Certificate Services and KMS to issue Microsoft digital certs
to each account in Active Directory? If so I can't locate anything on the
VeriSign or Thawte web sites about purchasing this type of digital cert.
Thanks in advance for helping me to understand all this stuff! And if you
have links to documents I would appreciate reading any information
available.
-Fred
Evan Dodds, 2002-11-15, 6:23 pm

You pretty much can choose between:
1) Using KMS and allocating your own (by default, untrusted) certs
or
2) Buying and installing one-off personal certs from a vendor.
If you've got the certs into the local machines for each user already, you
should be able to "Publish to GAL" from within Outlook. It won't let you
archive or recover these certificates like KMS would, but it'll work just
fine for encrypted and signed email.
If you configure a CA and KMS, you'll typically want to sign your own root
CA certificate and provide your root certificate to those with whom you
require signed or encrypted mail. If you're concerned enough about mail
security to use KMS, would you really want to place your PKI as subordinate
to a 3rd-party vendor's PKI? Also, if any vendors did provide this service,
it would likely not be an inexpensive offering.
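The trust difference Evan describes (a self-signed in-house root is untrusted until recipients import it) as an added Go example, not code from this thread or from KMS: it builds a constructed in-house root CA and one S/MIME user certificate under it, then checks whether a recipient with and without that root would accept the user certificate. All names and addresses are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue signs tmpl for key's public half using signer; pass parent == tmpl to self-sign.
func issue(tmpl, parent *x509.Certificate, key, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}
// BuildPKI models "sign your own root": a constructed in-house root CA plus one S/MIME user cert under it.
func BuildPKI() (root, user *x509.Certificate) {
	_, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	_, userKey, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now().Add(-time.Hour)
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "Example Corp Root CA"}, // constructed name
		NotBefore:    now, NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign,
	}
	root = issue(rootTmpl, rootTmpl, rootKey, rootKey)
	user = issue(&x509.Certificate{
		SerialNumber:   big.NewInt(2),
		Subject:        pkix.Name{CommonName: "Example User"},
		EmailAddresses: []string{"user@example.invalid"}, // constructed address
		NotBefore:      now, NotAfter: now.Add(365 * 24 * time.Hour),
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}, root, userKey, rootKey)
	return root, user
}
// TrustedBy: would a recipient whose trust store holds only roots accept user for S/MIME? (none: untrusted)
func TrustedBy(user *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := user.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err == nil
}
```

A subordinate CA chained to a commercial root would make TrustedBy succeed for recipients who already hold that vendor's root, which is exactly the trade-off of placing your PKI under a third party's.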