Roberto
How do I do that?
Thanks
=====================================================
Hi Roberto:
This is very complex: you need to ask the question again in the Windows
Server 2003 newsgroup.
Or rather: the explanation is very complex, the "principle" is quite
simple...
You need to install the Verisign certificate as your Master Certificate.
You then get each client to delete their existing certificate and go through
the process of requesting a new certificate.
This time, they will get a "Child" certificate of the Verisign certificate.
Any outside authentication can then follow the chain of trust all the way
back to Verisign, and will thus accept and trust your signatures without
comment...
Cheers
=====================================================
On 20/7/07 6:26 AM, in article
82B370D6-744F-457D-9365-66C6034CC03A@microsoft.com, "Roberto"
<Roberto@Newsgroups.com> wrote:
> We installed win2003 advanced server with exchange 2003 enterprise. Then for
> the purpose of authenticating the clients with the server and encrypting all
> emails, we installed also the MICROSOFT certificate authority.
>
> The first time any of our email users connects to the server, it automatically
> requests a new certificate (generated by our server) and so far everything
> works fine. The server generates the certificate which the user installs in
> his machine and from that moment he can sign his emails with that certificate
> and later on he can start encrypting his emails.
>
> The only thing is that because this certificate was generated by ourselves,
> when the user sends a signed email the first time, the recipient (from an
> external domain) has to do some kind of "TRUST THIS ISSUER" process, or
> something like that on their client.
>
> We are being audited specifically on this, and the tests we were running
> with the auditor about encryption, went fine but at the end he told us that
> he didn't like the "TRUST THIS ISSUER" thing and therefore he immediately
> recommended to install a VERISIGN certificate on the server, so subsequent
> certificates generated by the server will have some kind of additional trust
> incorporated, so the "TRUST THIS ISSUER" process will not be necessary for
> the recipients. These are his exact words:
>
> "If you want to keep using your server as the certification authority, you
> should get your server a VERISIGN certificate. This will automatically will
> make the subsequent certificates generated by your server being "trusted" by
> everyone."
>
> In summary, what we need is:
> Keep issuing the certificates ourselves (because that's what executive
> management wants) but that somehow has some kind of automatic trust
> incorporated from our server.... so external clients won't have the "TRUST
> THIS ISSUER" additional step when they receive an email from us.
>
> We purchased today a Verisign Mail Server SSL Certificate and installed it
> on the default web site on the IIS Manager. The problem with the "TRUST THIS
> ISSUER" continues....
>
> What needs to be done?
--
Don't wait for your answer, click here: http://www.word.mvps.org/
Please reply in the group. Please do NOT email me unless I ask you to.
John McGhie, Consultant Technical Writer
McGhie Information Engineering Pty Ltd
http://jgmcghie.fastmail.com.au/
Sydney, Australia. S33°53'34.20 E151°14'54.50
+61 4 1209 1410, mailto:john@mcghie.name
=====================================================
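Added example, not part of the thread: a simplified model of how a recipient's mail client walks the chain of trust discussed above, covering the self-signed internal CA, the SSL certificate placed on the web site, and an internal CA that holds a CA certificate issued by a public root. All names are constructed placeholders; signature, validity-period and revocation checks are left out of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool  # models the basicConstraints CA flag

def validate(leaf, pool, trusted_roots):
    """Walk issuer links from leaf up to a trust anchor; return (ok, detail)."""
    by_subject = {c.subject: c for c in list(pool) + list(trusted_roots)}
    chain, current = [leaf], leaf
    while True:
        if current in trusted_roots:
            return True, " -> ".join(c.subject for c in chain)
        if current.issuer == current.subject:
            return False, f"root '{current.subject}' is not in the recipient's trust store"
        parent = by_subject.get(current.issuer)
        if parent is None:
            return False, f"issuer '{current.issuer}' not available"
        if not parent.is_ca:
            return False, f"issuer '{parent.subject}' is not a CA certificate"
        if parent in chain:
            return False, "issuer loop"
        chain.append(parent)
        current = parent

# Constructed sample data (all names are placeholders).
PUBLIC_ROOT = Cert("Public Root CA", "Public Root CA", True)
RECIPIENT_TRUST = {PUBLIC_ROOT}
INTERNAL_SELF_SIGNED = Cert("Example Internal CA", "Example Internal CA", True)
INTERNAL_SUBORDINATE = Cert("Example Internal CA", "Public Root CA", True)
WEB_SSL = Cert("mail.example.test", "Public Root CA", False)
USER = Cert("roberto@example.test", "Example Internal CA", False)

def current_setup():
    # Self-signed internal CA; the SSL cert on the web site is in no user's chain.
    return validate(USER, [INTERNAL_SELF_SIGNED, WEB_SSL], RECIPIENT_TRUST)

def issued_under_ssl_cert():
    # A user cert naming the SSL server cert as issuer fails the CA check.
    user = Cert("roberto@example.test", "mail.example.test", False)
    return validate(user, [WEB_SSL], RECIPIENT_TRUST)

def subordinate_setup():
    # Internal CA holds a CA certificate issued by the public root.
    return validate(USER, [INTERNAL_SUBORDINATE], RECIPIENT_TRUST)

if __name__ == "__main__":
    for case in (current_setup, issued_under_ssl_cert, subordinate_setup):
        print(case.__name__, case())
```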