Certificate Authority

R

Roberto

How do I do that?

Thanks

=====================================================

Hi Roberto:

This is very complex: you need to ask the question again in the Windows
Server 2003 newsgroup.

Or rather: the explanation is very complex, the "principle" is quite
simple... :)

You need to install the Verisign certificate as your Master Certificate.
You then get each client to delete their existing certificate and go through
the process of requesting a new certificate.

This time, they will get a "Child" certificate of the Verisign certificate.
Any outside authentication can then follow the chain of trust all the way
back to Verisign, and will thus accept and trust your signatures without
comment...

Cheers

=====================================================

On 20/7/07 6:26 AM, in article
82B370D6-744F-457D-9365-66C6034CC03A@microsoft.com, "Roberto"
<Roberto@Newsgroups.com> wrote:

> We installed win2003 advanced server with exchange 2003 enterprise. Then for
> the purpose of authenticating the clients with the server and encrypting all
> emails, we installed also the MICROSOFT certificate authority.
>
> The first time any of our email user connects to the server, automatically
> requests a new certificate (generated by our server) and so far everything
> works fine. The server generates the certificate which the user installs in
> his machine and from that moment he can sign his emails with that certificate
> and later on he can start encrypting his emails.
>
> The only thing is that because this certificate was generated by ourselves,
> when the user sends a signed email the first time, the recipient (from an
> external domain) has to do some kind of "TRUST THIS ISSUER" process, or
> something like that on their client.
>
> We are being audited specifically on this, and the tests we were running
> with the auditor about encryption, went fine but at the end he told us that
> he didn't like the "TRUST THIS ISSUER" thing and therefore he immediately
> recommended to install a VERISIGN certificate on the server, so subsequent
> certificates generated by the server will have some kind of additional trust
> incorporated, so the "TRUST THIS ISSUER" process will not be necessary for
> the recipients. These are his exact words:
>
> "If you want to keep using your server as the certification authority, you
> should get your server a VERISIGN certificate. This will automatically will
> make the subsequent certificates generated by your server being "trusted" by
> everyone."
>
> In summary, what we need is:
> Keep issuing the certificates ourselves (because that what executive
> management wants) but that somehow has some kind of automatic trust
> incorporated from our server.... so external clients won't have the "TRUST
> THIS ISSUER" additional step when they receive and email from us.
>
> We purchased today a Verisign Mail Server SSL Certificate and installed it
> on the default web site on the IIS Manager. The problem with the "TRUST THIS
> ISSUER" continues....
>
> What needs to be done?


--
Don't wait for your answer, click here: http://www.word.mvps.org/

Please reply in the group. Please do NOT email me unless I ask you to.

John McGhie, Consultant Technical Writer
McGhie Information Engineering Pty Ltd
http://jgmcghie.fastmail.com.au/
Sydney, Australia. S33°53'34.20 E151°14'54.50
+61 4 1209 1410, mailto:john@mcghie.name

=====================================================
 
R

Ryan Hanisco

Hello Roberto,

Essentially what you'd be doing is creating a CA that is inheriting its
certificate chain from the third-party cert. That way as it issues new
certificates, those will be based on the authority and CRLs of the external
CA.

You can get the high-level overview at:
http://www.microsoft.com/technet/so.../raguide/CertificateServices/CrtSevcBP_2.mspx

I won't fool you into thinking that this is a simple process or that it will
not take a lot of planning. This is not an uncommon configuration, but it is
usually only used by enterprises and larger organizations. You may need
special certificate types from your provider and they may be able to assist
you with the configuration of this if you've never been through it.

I hope this gets you in the right place.


--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Project+
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.


"Roberto" wrote:

> How do I do that?
>
> Thanks
>
> =====================================================
>
> Hi Roberto:
>
> This is very complex: you need to ask the question again in the Windows
> Server 2003 newsgroup.
>
> Or rather: the explanation is very complex, the "principle" is quite
> simple... :)
>
> You need to install the Verisign certificate as your Master Certificate.
> You then get each client to delete their existing certificate and go through
> the process of requesting a new certificate.
>
> This time, they will get a "Child" certificate of the Verisign certificate.
> Any outside authentication can then follow the chain of trust all the way
> back to Verisign, and will thus accept and trust your signatures without
> comment...
>
> Cheers
>
> =====================================================
>
> On 20/7/07 6:26 AM, in article
> 82B370D6-744F-457D-9365-66C6034CC03A@microsoft.com, "Roberto"
> <Roberto@Newsgroups.com> wrote:
>
> > We installed win2003 advanced server with exchange 2003 enterprise. Then for
> > the purpose of authenticating the clients with the server and encrypting all
> > emails, we installed also the MICROSOFT certificate authority.
> >
> > The first time any of our email user connects to the server, automatically
> > requests a new certificate (generated by our server) and so far everything
> > works fine. The server generates the certificate which the user installs in
> > his machine and from that moment he can sign his emails with that certificate
> > and later on he can start encrypting his emails.
> >
> > The only thing is that because this certificate was generated by ourselves,
> > when the user sends a signed email the first time, the recipient (from an
> > external domain) has to do some kind of "TRUST THIS ISSUER" process, or
> > something like that on their client.
> >
> > We are being audited specifically on this, and the tests we were running
> > with the auditor about encryption, went fine but at the end he told us that
> > he didn't like the "TRUST THIS ISSUER" thing and therefore he immediately
> > recommended to install a VERISIGN certificate on the server, so subsequent
> > certificates generated by the server will have some kind of additional trust
> > incorporated, so the "TRUST THIS ISSUER" process will not be necessary for
> > the recipients. These are his exact words:
> >
> > "If you want to keep using your server as the certification authority, you
> > should get your server a VERISIGN certificate. This will automatically will
> > make the subsequent certificates generated by your server being "trusted" by
> > everyone."
> >
> > In summary, what we need is:
> > Keep issuing the certificates ourselves (because that what executive
> > management wants) but that somehow has some kind of automatic trust
> > incorporated from our server.... so external clients won't have the "TRUST
> > THIS ISSUER" additional step when they receive and email from us.
> >
> > We purchased today a Verisign Mail Server SSL Certificate and installed it
> > on the default web site on the IIS Manager. The problem with the "TRUST THIS
> > ISSUER" continues....
> >
> > What needs to be done?

>
> --
> Don't wait for your answer, click here: http://www.word.mvps.org/
>
> Please reply in the group. Please do NOT email me unless I ask you to.
>
> John McGhie, Consultant Technical Writer
> McGhie Information Engineering Pty Ltd
> http://jgmcghie.fastmail.com.au/
> Sydney, Australia. S33°53'34.20 E151°14'54.50
> +61 4 1209 1410, mailto:john@mcghie.name
>
> =====================================================
>
 
Back
Top Bottom