How to publish digital ID (certificate) to GAL ?

[Enid]

Here we want to use digital ID (certificate) to announce confidential email
to all the colleagues. If the user wants to read the confidential mail, he
must first imports the digital certificate manually from the mail issuer. I
find there is a function "Publish digitial ID to GAL", is that mean if the
mail issuer publish the digital ID to GAL, then all the GAL users will get
the digitial ID automatically and will be able to read the confidential mail
without import digitial ID ? How to publish digital ID (certificate) to GAL ?
I always get "No valid security setting to publish...." when click the
"Publish digital ID" button. Anyone have idea ?

 

[neo [mvp outlook]]

Before answering, I have one question. Is your site using an internal
certificate authority?

 

[Enid]

YES ! Here we use Microsoft CA Server to issue the digital certificate.

 

[Enid]

YES ! Here we use microsoft CA server to issue the digital certificate.

 

[neo [mvp outlook]]

Okay, your question is a bit more complex that just what is the "publish
digital id to gal" for. In an environment that has established an
Enterprise CA and is storing certificates in Active Directory at the time
they are created for their users, then the "publish digital id to gal"
should be disabled via a policy.

The reason for this is that you don't want your users uploading a 3rd party
certificate S/MIME certificate(s) into you Active Directory environment.
Instead you should probably look at the whitepapers on Microsoft's site on
how to establish a Public Key Infrastructure (PKI).

These whitepapers should help you answer the first questions about "without
importing digital id?" or "how to publish digital id?" because an Enterprise
CA will let you establish templates that will have the CA service publish
the user certificate to active directory the instance it is issued. Since
it is automatic, the user doesn't have to do anything except maybe wait 24
hours so that a exchange client like Outlook 2003 running in cacahed mode
downloads the next differential update of the offline address book.

Now I'll climb down off my soap box and do a bit of generalization about the
"publish digital id to the gal" button. Basicallly this button was designed
for users to upload 3rd party s/mime certificates. If this button is
selected and no certificates currently exist on the workstation in question
that is designed for S/MIME use, then the error will be generated.

 

[Enid]

I am so confused !
"an Enterprise CA will let you establish templates that will have the CA
service publish the user certificate to active directory the instance it is
issued. "
In my environment, I did't see any user certificate in any domain computer.
Why ? Our outlook user still need to manually import the mail issuer's
certificate to read the encrypted mail.

 

[neo [mvp outlook]]

Installing and supporting a certificate authority is not an Outlook
question. However to answer the question, users wouldn't see a certificate
installed on their workstation unless the site went with auto-enrollment or
the user requested a certificate.