Solved

sending encrypted emails

Posted on 2004-04-12
Medium Priority
410 Views
Last Modified: 2010-03-05
Hi all

I have installed and configured my own CA on my Windows 2003 server and domain. I am also running Exchange 2003. I can send encrypted and digitally signed emails to anyone in my own domain, and I can also send digitally signed emails to all other recipients outside my domain, but I cannot encrypt these emails. When I digitally sign an email and send it to someone@domainame.com, the recipient adds me (the sender) as one of their contacts. Once they do this, my certificate is in the Trusted Root Certification Authorities store for the CA and my personal cert is in Trusted People on the recipient's local machine. This all looks good to me. Do I also need to publish my company's public CA as well?

Thanks for any help.

Skip
0
Question by:kjman
4 Comments
 
LVL 10

Expert Comment

by:dstoker509
ID: 10805622
You cannot send an encrypted email to an external user if you use your own CA to encrypt the email. You must use a 3rd party CA such as Verisign.

To Encrypt an email, you download the end-user's public key and then the end-user uses their private key to decrypt it.
Likewise, to Digitally Sign an email, you use your private key and then the end user uses your public key to verify that you were the one who sent the email.

Realizing that 1) your CA is not visible to external users, and 2) your CA is not trusted by external users, you can see the problem here.

Thanks,

David
0
 
LVL 35

Expert Comment

by:Bembi
ID: 10805625
For decrypting emails, you need a private key as well as a public key. If you send encrypted emails to recipients outside the scope of your public key, the recipient needs access to your public key. This is usually done by a provider, who stores a public key for all recipients outside your domain. That means you have to buy a public key from one of the providers (like Verisign etc.). Another option, if this is only for point-to-point encryption, is that your public key is also hosted and populated on a CA on the other side of your communication (recipient system).
0
 

Author Comment

by:kjman
ID: 10805733
OK, so this won't work because the recipient has no way of trusting my company's CA, or is it because the recipient has no way of getting to my company's public CA?

If it is the latter, can I publish my company's CA? i.e. https:\\domainame.com\certsrv; would this allow the recipient to download my company's public certificate?

Thanks again
Skip
0
 
LVL 35

Accepted Solution

by:
Bembi earned 1500 total points
ID: 10806148
> OK, so this won't work because...
Yes

> .. can I publish my company's CA?
Urgh..., the point is that the recipient has to trust your CA, and this is what usually does not happen. As a public certificate is something like a certified identification of your server, publishing your own CA is something like printing your own identity card. As the most common Root Authorities are already on your machine as trusted CAs, only clients which have accepted your CA as a trusted authority would be able to decrypt your mails. As no administrator will really do that, since he would have to add a few thousand companies which publish their own Root CAs, and would additionally have to prove all of them, this is not a really reliable way.

If the point of this is to encrypt mails only between two or a few companies, you can export your Root CA certificate and the other company can import and publish it, and vice versa. To do this with a lot of companies, I would say, is hard work and not really a solution.
0
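The two mechanics the answers above rely on (encrypting needs only the recipient's certificate, and a signature chained to a private CA verifies only once the other side has imported that CA's root certificate) can be reproduced offline with openssl. The script below is an added example written for this page, not code from the thread or from Windows Server; it builds a throwaway private CA that stands in for the poster's Windows 2003 CA, and the hostnames example.internal and partner.example are placeholders. Passing `-CAfile ca.crt` to the verifier plays the role of the "export your Root CA certificate and the other company imports it" step from the accepted solution, while `-no-CAfile -no-CApath` models an external recipient whose trust store has never heard of that CA.

```shell
#!/bin/sh
# Added example (not part of the original thread). Builds a private CA with
# openssl, issues certs to a "sender" and an external "recipient", and shows:
#  * S/MIME encryption needs only the recipient's certificate (public key),
#    and only the recipient's private key can decrypt the result;
#  * a signature issued under the private CA verifies only when the verifier
#    trusts that CA's root certificate (the -CAfile import below).
# Names (example.internal, partner.example) are placeholders.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Self-signed root CA certificate and key (stand-in for the Windows 2003 CA).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Private Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Issue an end-user certificate signed by the root CA: $1 = file stem, $2 = email.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$1/emailAddress=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORK/$1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

# S/MIME-encrypt file $2 to the certificate (public key) $1, writing $3.
encrypt_to() {
    openssl smime -encrypt -aes256 -in "$2" -out "$3" "$1"
}

# Return 0 if private key $3 (belonging to cert $2) can decrypt $1.
can_decrypt() {
    if openssl smime -decrypt -in "$1" -recip "$2" -inkey "$3" \
        -out /dev/null 2>/dev/null; then return 0; else return 1; fi
}

# S/MIME-sign file $1 with the sender's key pair, writing $2.
sign_as() {
    openssl smime -sign -in "$1" -signer "$WORK/sender.crt" \
        -inkey "$WORK/sender.key" -out "$2"
}

# Return 0 if signed message $1 verifies using only the CA certs passed after it.
# -no-CAfile/-no-CApath disable the system trust store: the external
# recipient's situation, where the private root CA is simply unknown.
can_verify() {
    sig="$1"; shift
    if openssl smime -verify -in "$sig" -no-CAfile -no-CApath "$@" \
        -out /dev/null 2>/dev/null; then return 0; else return 1; fi
}

demo() {
    make_ca
    issue_cert sender sender@example.internal
    issue_cert recipient someone@partner.example
    printf 'Quarterly numbers attached.\n' > "$WORK/msg.txt"   # constructed sample

    # Encryption: only the recipient's certificate is needed to encrypt,
    # and only the recipient's private key opens the result.
    encrypt_to "$WORK/recipient.crt" "$WORK/msg.txt" "$WORK/msg.p7m"
    can_decrypt "$WORK/msg.p7m" "$WORK/recipient.crt" "$WORK/recipient.key" \
        && echo "recipient key decrypts: yes"
    can_decrypt "$WORK/msg.p7m" "$WORK/sender.crt" "$WORK/sender.key" \
        || echo "sender key decrypts:    no"

    # Signing: the signature is fine, but the chain ends at a root the
    # other side does not trust until they import ca.crt.
    sign_as "$WORK/msg.txt" "$WORK/msg.signed"
    can_verify "$WORK/msg.signed" \
        || echo "verify, CA not trusted: FAIL (expected)"
    can_verify "$WORK/msg.signed" -CAfile "$WORK/ca.crt" \
        && echo "verify, root imported:  OK"
}

demo
```

The same logic is what Outlook applies: to encrypt to an external contact you need their certificate in your contact entry, and to accept their signed mail without a warning the issuing root has to sit in the Trusted Root Certification Authorities store. Exporting `ca.crt` (as DER, `openssl x509 -in ca.crt -outform DER -out ca.cer`) and importing it on the partner side is the manual, two-company arrangement the accepted answer describes.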
