kjman
asked on
sending encrypted emails
Hi all
I have isntalled and configured my own CA on my windows 2003 server and domain. I am also running exchange 2003. I can send encrypted and digitally signed emails to anyone in my own domain, I can also send digitally signed emails to all other recipietns outside my domain, but i cannot encrypt these emails. When i digitally sign an email, and send it to someone@domainame.com, the recipient adds me (the sender) as one of there contacts. Once they do this my certificate is in the Trusted Root Certificate authorites for the CA and my personal cert is in the trusted People on the recipients local machine. This all looks good to me. Do I also need to publish my companys public CA as well?
Thanks for any help.
skip
I have isntalled and configured my own CA on my windows 2003 server and domain. I am also running exchange 2003. I can send encrypted and digitally signed emails to anyone in my own domain, I can also send digitally signed emails to all other recipietns outside my domain, but i cannot encrypt these emails. When i digitally sign an email, and send it to someone@domainame.com, the recipient adds me (the sender) as one of there contacts. Once they do this my certificate is in the Trusted Root Certificate authorites for the CA and my personal cert is in the trusted People on the recipients local machine. This all looks good to me. Do I also need to publish my companys public CA as well?
Thanks for any help.
skip
For decrypting emails, you need a private key as well as a public key. If you send encrypted emails to recipients outside your scope of you public key, the recipient needs access to your public key. This is usually done by a provider, you stores a public key for all receipients outside your domain. That means, you have to buy a public key from one of the providers (like verisign etc.). Another option is, if this is only for point to point encryption, that your public key is also hosted and pouplated on a CA on the other side of your communication (receipient system).
ASKER
Ok so this wont work because the recipient has no way of trusting my companys CA, or is because the recipient has no way of getting to my companys public CA?
If it is the latter can i publish my companys CA? i.e https:\\domainame.com\certsrv would this allow the recipient to download my companys public certificate?
Thansk again
Skip
If it is the latter can i publish my companys CA? i.e https:\\domainame.com\certsrv would this allow the recipient to download my companys public certificate?
Thansk again
Skip
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
To Encrypt an email, you download the end-user's public key and then the end-user uses their private key to decrypt it.
Likewise, to Digitally Sign an email, you use your private key and then the end user uses your public key to verify that you were the one who sent the email.
Realizing that 1) your CA is not visible to external users, and 2) your CA is not trusted by external users, you can see the problem here.
Thanks,
David