Encryption and Digital ID outside of Domain with a Windows CA

Posted on 2006-05-31
Last Modified: 2010-04-11
I am running a Windows 2003 CA server with issued certificates for Encryption and Digital ID for Outlook. I don't have any problems using it internally within the domain. I want to expand the use outside of our organization. What needs to be done to make this happen? Do we need to send our certificates or the client's certificate to the recipient so they can receive the encrypted email? Or do I need to have their certificate for me to send them an encrypted email? Also, what is a certificate chain and CRL? Any help please.

Question by:FSYR
    LVL 3

    Expert Comment


    To be able to send/receive signed and encrypted emails with external entities, the users must first exchange their public keys. To do this, instruct your user(s) to send a digitally signed (but not encrypted) message to the recipient and to request a digitally signed email from the recipient. Once the key exchange has taken place, they should then be able to send/receive encrypted mail.

    The reason: a message is signed using the sender's private key, with the public key and certificate chain encapsulated in the message. A message is encrypted using the recipient's public key.

    What is a Certificate Chain: information on the hierarchy/sequence of CAs (issuing, Root) as well as the base cert.

    CRL: Certificate Revocation List - a list of certificates that have been revoked. So, if an employee's laptop is stolen, you can revoke the certificate so that employee cannot be impersonated.

    When exchanging email with external entities, making a CRL available to the outside is important so the validity of your certs can be verified.


    Designing a PKI (

    PKI Best Practices (
    LVL 1

    Author Comment

    So if external entities have no public keys or certificates on their end, we cannot send them encrypted information. Correct? But we can send them our digital ID and they can send us encrypted information using our keys.

    Is it possible to send all our public keys to one organization in one list or better to do individual? Or is that not a good practice?

    Also how would digital ids work with like hotmail and yahoo accounts? Is it the same as using outlook?

    LVL 3

    Accepted Solution

    Excuse the delay in responding.

    To answer your first question: correct. Both parties require key pairs to send and receive signed/enciphered messages.

    RE: sending all public keys to external org. Probably best to train users in key exchange and have them exchange with intended recipient.

    No, digital certificates are not compatible with hotmail, yahoo, etc. However, you can make them available to users of OWA (
