Certification Authority

Roberto

We installed win2003 advanced server with exchange 2003 enterprise. Then for
the purpose of authenticating the clients with the server and encrypting all
emails, we also installed the MICROSOFT certificate authority.

The first time any of our email users connects to the server, it automatically
requests a new certificate (generated by our server) and so far everything
works fine. The server generates the certificate which the user installs on
his machine and from that moment he can sign his emails with that certificate
and later on he can start encrypting his emails.

The only thing is that because this certificate was generated by ourselves,
when the user sends a signed email the first time, the recipient (from an
external domain) has to do some kind of "TRUST THIS ISSUER" process, or
something like that on their client.

We are being audited specifically on this, and the tests we were running
with the auditor about encryption, went fine but at the end he told us that
he didn't like the "TRUST THIS ISSUER" thing and therefore he immediately
recommended to install a VERISIGN certificate on the server, so subsequent
certificates generated by the server will have some kind of additional trust
incorporated, so the "TRUST THIS ISSUER" process will not be necessary for
the recipients. These are his exact words:

"If you want to keep using your server as the certification authority, you
should get your server a VERISIGN certificate. This will automatically make
the subsequent certificates generated by your server be "trusted" by
everyone."

In summary, what we need is:
Keep issuing the certificates ourselves (because that is what executive
management wants) but somehow with some kind of automatic trust
incorporated from our server.... so external clients won't have the "TRUST
THIS ISSUER" additional step when they receive an email from us.

We purchased today a Verisign Mail Server SSL Certificate and installed it
on the default web site on the IIS Manager. The problem with the "TRUST THIS
ISSUER" continues....

What needs to be done?
Corentin Cras-Méneur

What about importing the root certificate into the X509 Anchor on all
the Macs? You need to download the .cer file on the Mac and
double-click it to trigger the Keychain application. You should get a
warning asking you where you want to import it. Just select the
X509Anchor (you need an admin user name and password).

That should solve most of your problems (at least on the Mac you have),

Corentin
John McGhie

Hi Roberto:

This is very complex: you need to ask the question again in the Windows
Server 2003 newsgroup.

Or rather: the explanation is very complex, the "principle" is quite
simple... :)

You need to install the Verisign certificate as your Master Certificate.
You then get each client to delete their existing certificate and go through
the process of requesting a new certificate.

This time, they will get a "Child" certificate of the Verisign certificate.
Any outside authentication can then follow the chain of trust all the way
back to Verisign, and will thus accept and trust your signatures without
comment...

Cheers

--
Don't wait for your answer, click here: http://www.word.mvps.org/

Please reply in the group. Please do NOT email me unless I ask you to.

John McGhie, Consultant Technical Writer
McGhie Information Engineering Pty Ltd
http://jgmcghie.fastmail.com.au/
Sydney, Australia. S33°53'34.20 E151°14'54.50
+61 4 1209 1410, mailto:[email protected]
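An added example, not from the thread, that demonstrates the chain-of-trust point with the openssl command-line tool: a recipient accepts a user's certificate only when it chains to a CA root the recipient trusts, and an unrelated public CA (standing in for the one that signed the IIS mail-server SSL certificate) does not vouch for certificates the in-house CA issues. The CA names and the user are constructed, and it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example (not from the thread). All names and CAs below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. The in-house CA (the role the Microsoft CA on the Exchange server plays):
#    a self-signed root that no outside recipient trusts by default.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -days 30 \
  -subj "/CN=Example Corp Internal CA" >/dev/null 2>&1

# 2. A user's S/MIME certificate, signed by that in-house CA.
openssl req -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
  -subj "/CN=Roberto/emailAddress=roberto@example.com" >/dev/null 2>&1
openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out user.pem -days 30 >/dev/null 2>&1

# 3. A separate public CA (stand-in for the Verisign root) that signed the
#    mail-server SSL certificate on IIS. It never signed ca.pem or user.pem.
openssl req -x509 -newkey rsa:2048 -nodes -keyout public.key -out public.pem \
  -days 30 -subj "/CN=Public Root CA (stand-in)" >/dev/null 2>&1

# verify_user <trust-anchor-file>: exit 0 if user.pem chains to that anchor,
# non-zero otherwise (the equivalent of the recipient's "TRUST THIS ISSUER" prompt).
verify_user() {
  openssl verify -CAfile "$1" user.pem >/dev/null 2>&1
}

# A recipient who imported the in-house CA root: the chain verifies.
verify_user ca.pem && echo "trusting internal CA root: user cert OK"
# A recipient who trusts only the public CA: the issuer is unknown, so the
# certificate is not trusted, regardless of what is installed on the web site.
verify_user public.pem || echo "trusting only public CA: user cert NOT trusted"
```

The only way the second check passes is for the certificate that actually issued user.pem to chain to a root the recipient already has; a server certificate installed on IIS is never part of that chain.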
Roberto

Thanks a lot John, sounds simple enough, but if possible I need information
on how to do that.

Roberto.
John McGhie

Yes, you do, and you will get it if you check in with the good folks down
the hall. The Windows Server 2003 party is five doors down on the right,
where all the noise is coming from... :)

Try microsoft.public.windows.server.networking group.

Cheers
