
Certificate Authority



Guest Roberto
Posted

How do I do that?

 

Thanks

 

=====================================================

 

Hi Roberto:

 

This is very complex: you need to ask the question again in the Windows

Server 2003 newsgroup.

 

Or rather: the explanation is very complex, the "principle" is quite

simple... :-)

 

You need to install the Verisign certificate as your Master Certificate.

You then get each client to delete their existing certificate and go through

the process of requesting a new certificate.

 

This time, they will get a "Child" certificate of the Verisign certificate.

Any outside authentication can then follow the chain of trust all the way

back to Verisign, and will thus accept and trust your signatures without

comment...

 

Cheers

 

=====================================================

 

On 20/7/07 6:26 AM, in article

82B370D6-744F-457D-9365-66C6034CC03A@microsoft.com, "Roberto"

<Roberto@Newsgroups.com> wrote:

> We installed win2003 advanced server with exchange 2003 enterprise. Then for

> the purpose of authenticating the clients with the server and encrypting all

> emails, we installed also the MICROSOFT certificate authority.

>

> The first time any of our email users connects to the server, it automatically

> requests a new certificate (generated by our server) and so far everything

> works fine. The server generates the certificate which the user installs in

> his machine and from that moment he can sign his emails with that certificate

> and later on he can start encrypting his emails.

>

> The only thing is that because this certificate was generated by ourselves,

> when the user sends a signed email the first time, the recipient (from an

> external domain) has to do some kind of "TRUST THIS ISSUER" process, or

> something like that on their client.

>

> We are being audited specifically on this, and the tests we were running

> with the auditor about encryption, went fine but at the end he told us that

> he didn't like the "TRUST THIS ISSUER" thing and therefore he immediately

> recommended to install a VERISIGN certificate on the server, so subsequent

> certificates generated by the server will have some kind of additional trust

> incorporated, so the "TRUST THIS ISSUER" process will not be necessary for

> the recipients. These are his exact words:

>

> "If you want to keep using your server as the certification authority, you

> should get your server a VERISIGN certificate. This will automatically

> make the subsequent certificates generated by your server "trusted" by

> everyone."

>

> In summary, what we need is:

> Keep issuing the certificates ourselves (because that is what executive

> management wants) but that somehow has some kind of automatic trust

> incorporated from our server.... so external clients won't have the "TRUST

> THIS ISSUER" additional step when they receive an email from us.

>

> We purchased today a Verisign Mail Server SSL Certificate and installed it

> on the default web site on the IIS Manager. The problem with the "TRUST THIS

> ISSUER" continues....

>

> What needs to be done?

 

--

Don't wait for your answer, click here: http://www.word.mvps.org/

 

Please reply in the group. Please do NOT email me unless I ask you to.

 

John McGhie, Consultant Technical Writer

McGhie Information Engineering Pty Ltd

http://jgmcghie.fastmail.com.au/

Sydney, Australia. S33°53'34.20 E151°14'54.50

+61 4 1209 1410, mailto:john@mcghie.name

 

=====================================================

Guest Ryan Hanisco
Posted

RE: Certificate Authority

 

Hello Roberto,

 

Essentially what you'd be doing is creating a CA that is inheriting its

certificate chain from the third-party cert. That way as it issues new

certificates, those will be based on the authority and CRLs of the external

CA.

 

You can get the high-level overview at:

http://www.microsoft.com/technet/solutionaccelerators/wssra/raguide/CertificateServices/CrtSevcBP_2.mspx

 

I won't fool you into thinking that this is a simple process or that it will

not take a lot of planning. This is not an uncommon configuration, but it is

usually only used by enterprises and larger organizations. You may need

special certificate types from your provider and they may be able to assist

you with the configuration of this if you've never been through it.

 

I hope this gets you in the right place.

 

 

--

Ryan Hanisco

MCSE, MCTS: SQL 2005, Project+

Chicago, IL

 

Remember: Marking helpful answers helps everyone find the info they need

quickly.

 

 

"Roberto" wrote:

> How do I do that?

>

> Thanks

>

> =====================================================

>

> Hi Roberto:

>

> This is very complex: you need to ask the question again in the Windows

> Server 2003 newsgroup.

>

> Or rather: the explanation is very complex, the "principle" is quite

> simple... :-)

>

> You need to install the Verisign certificate as your Master Certificate.

> You then get each client to delete their existing certificate and go through

> the process of requesting a new certificate.

>

> This time, they will get a "Child" certificate of the Verisign certificate.

> Any outside authentication can then follow the chain of trust all the way

> back to Verisign, and will thus accept and trust your signatures without

> comment...

>

> Cheers

>

> =====================================================

>

> On 20/7/07 6:26 AM, in article

> 82B370D6-744F-457D-9365-66C6034CC03A@microsoft.com, "Roberto"

> <Roberto@Newsgroups.com> wrote:

>

> > We installed win2003 advanced server with exchange 2003 enterprise. Then for

> > the purpose of authenticating the clients with the server and encrypting all

> > emails, we installed also the MICROSOFT certificate authority.

> >

> > The first time any of our email users connects to the server, it automatically

> > requests a new certificate (generated by our server) and so far everything

> > works fine. The server generates the certificate which the user installs in

> > his machine and from that moment he can sign his emails with that certificate

> > and later on he can start encrypting his emails.

> >

> > The only thing is that because this certificate was generated by ourselves,

> > when the user sends a signed email the first time, the recipient (from an

> > external domain) has to do some kind of "TRUST THIS ISSUER" process, or

> > something like that on their client.

> >

> > We are being audited specifically on this, and the tests we were running

> > with the auditor about encryption, went fine but at the end he told us that

> > he didn't like the "TRUST THIS ISSUER" thing and therefore he immediately

> > recommended to install a VERISIGN certificate on the server, so subsequent

> > certificates generated by the server will have some kind of additional trust

> > incorporated, so the "TRUST THIS ISSUER" process will not be necessary for

> > the recipients. These are his exact words:

> >

> > "If you want to keep using your server as the certification authority, you

> > should get your server a VERISIGN certificate. This will automatically

> > make the subsequent certificates generated by your server "trusted" by

> > everyone."

> >

> > In summary, what we need is:

> > Keep issuing the certificates ourselves (because that is what executive

> > management wants) but that somehow has some kind of automatic trust

> > incorporated from our server.... so external clients won't have the "TRUST

> > THIS ISSUER" additional step when they receive an email from us.

> >

> > We purchased today a Verisign Mail Server SSL Certificate and installed it

> > on the default web site on the IIS Manager. The problem with the "TRUST THIS

> > ISSUER" continues....

> >

> > What needs to be done?

>

> --

> Don't wait for your answer, click here: http://www.word.mvps.org/

>

> Please reply in the group. Please do NOT email me unless I ask you to.

>

> John McGhie, Consultant Technical Writer

> McGhie Information Engineering Pty Ltd

> http://jgmcghie.fastmail.com.au/

> Sydney, Australia. S33°53'34.20 E151°14'54.50

> +61 4 1209 1410, mailto:john@mcghie.name

>

> =====================================================

>

