• Status: Solved
  • Priority: Medium
  • Security: Public

Encryption and Digital ID outside of Domain with a Windows CA

I am running a Windows 2003 CA server with issued certificates for Encryption and Digital ID for Outlook. I don't have any problems using it internally within the domain. I want to expand the use outside of our organization. What needs to be done to make this happen? Do we need to send our certificates or the client's certificate to the recipient so they can receive the encrypted email? Or do I need to have their certificate for me to send them an encrypted email? Also, what is a certificate chain and CRL? Any help please.

1 Solution

To be able to send/receive signed and encrypted emails with external entities, the users must first exchange their public keys. To do this, instruct your user(s) to send a digitally signed (but not encrypted) message to the recipient and to request a digitally signed email from the recipient. Once the key exchange has taken place, they should then be able to send/receive encrypted mail.

The reason: a message is signed using the sender's private key, with the public key and certificate chain encapsulated in the message. A message is encrypted using the recipient's public key.

What is a Certificate Chain: information on the hierarchy/sequence of CAs (issuing, Root) as well as the base cert.

CRL: Certificate Revocation List - a list of certificates that have been revoked. So, if an employee's laptop is stolen, you can revoke the certificate so that employee cannot be impersonated.

When exchanging email with external entities, making a CRL available to the outside is important so the validity of your certs can be verified.


Designing a PKI (http://technet2.microsoft.com/WindowsServer/en/Library/b1ee9920-d7ef-4ce5-b63c-3661c72e0f0b1033.mspx?mfr=true)

PKI Best Practices (http://technet2.microsoft.com/WindowsServer/en/Library/091cda67-79ec-481d-8a96-03e0be7374ed1033.mspx?mfr=true)
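The exchange described in this answer (sign first, extract the certificate and chain from the signature, encrypt to it, then revoke and check against a CRL), worked through with the OpenSSL command line as an added example. This is not code from the original thread and is not specific to the Windows 2003 CA; the CA names, user names and e-mail addresses are assumed for the demo, and for brevity the "external" user Bob is issued by the same CA (in a real exchange his certificate would chain to his own CA, whose root our side would have to trust).

```shell
#!/bin/sh
# Added example (not from the original thread). Names are assumptions for the
# demo: "Example Root CA" -> "Example Issuing CA", alice@example.com (our user),
# bob@example.org (the external recipient, issued here by the same CA).
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Minimal OpenSSL config: a DN section (req wants one even with -subj), an
# extension profile for CAs, one for S/MIME users, and an 'openssl ca' section
# used only to keep the revocation index and sign CRLs.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[user]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
[ca]
default_ca = issuing
[issuing]
database = index.txt
crlnumber = crlnumber
certificate = issuing.crt
private_key = issuing.key
default_md = sha256
default_crl_days = 30
EOF

# issue NAME SUBJECT SIGNER PROFILE: new key, CSR, cert signed by SIGNER's key.
issue() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -subj "$2" -config pki.cnf -out "$1.csr"
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -days 365 -extfile pki.cnf -extensions "$4" -out "$1.crt" 2>/dev/null
}

# Step 1: Alice signs a plain message; -certfile embeds the issuing CA cert so
# the recipient receives the chain up to (not including) the root.
alice_signs() {
  printf 'Hi Bob, please reply encrypted.\n' > hello.txt
  openssl smime -sign -in hello.txt -signer alice.crt -inkey alice.key \
    -certfile issuing.crt -out hello.signed.eml
}

# Step 2: Bob verifies against our root (obtained and trusted out of band; the
# intermediate comes from the message) and keeps the signer's certificate.
bob_verifies_and_extracts() {
  openssl smime -verify -in hello.signed.eml -CAfile root.crt \
    -signer alice.from_mail.crt -out hello.verified.txt >/dev/null 2>&1
}

# Subject of the certificate Bob extracted (the "digital ID" he files for Alice).
extracted_subject() { openssl x509 -in alice.from_mail.crt -noout -subject; }

# Steps 3-4: Bob encrypts to the public key in that certificate; only Alice's
# private key can decrypt. Returns 0 when the round trip reproduces the text.
bob_encrypts_alice_decrypts() {
  printf 'Thanks Alice, the contract draft is attached.\n' > reply.txt
  openssl smime -encrypt -aes256 -binary -in reply.txt -out reply.eml \
    alice.from_mail.crt
  openssl smime -decrypt -in reply.eml -inkey alice.key -out reply.decrypted.txt
  [ "$(cat reply.txt)" = "$(cat reply.decrypted.txt)" ]
}

# chain_ok CERT: 0 when CERT chains to the root and is not on the issuing CA's
# CRL. An external party can only run this if root cert and CRL are published.
chain_ok() {
  openssl verify -crl_check -CAfile root.crt -untrusted issuing.crt \
    -CRLfile issuing.crl "$1" >/dev/null 2>&1
}

# Build the hierarchy: self-signed root, issuing CA beneath it, two users.
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -new -x509 -key root.key -subj "/CN=Example Root CA" -days 3650 \
  -config pki.cnf -extensions v3ca -out root.crt
issue issuing "/CN=Example Issuing CA" root v3ca
issue alice "/CN=Alice/emailAddress=alice@example.com" issuing user
issue bob "/CN=Bob/emailAddress=bob@example.org" issuing user

alice_signs
bob_verifies_and_extracts
echo "Bob: signature valid; extracted $(extracted_subject)"
bob_encrypts_alice_decrypts
echo "Alice: decrypted Bob's reply OK"

# Alice's laptop is stolen: revoke her cert and publish a fresh CRL.
touch index.txt; echo 01 > crlnumber
openssl ca -config pki.cnf -revoke alice.crt 2>/dev/null
openssl ca -config pki.cnf -gencrl -crldays 30 -out issuing.crl 2>/dev/null
if chain_ok alice.crt; then echo "BUG: alice.crt still valid"; exit 1; fi
echo "alice.crt: rejected, on CRL"
chain_ok bob.crt
echo "bob.crt: chain OK, not on CRL"
```

Two things the script makes visible that the answer only states: the recipient never needs our private key or anything from our CA beyond the root certificate (the intermediate travels inside the signed mail), and the revocation check in chain_ok only works for the outside party if the CRL is reachable from their network; a CRL that is only published on the internal CDP leaves them verifying a certificate that may already be revoked.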
FSYR (Director of IT, question author) commented:
So if external entities have no public keys or certificates on their end, we cannot send them encrypted information. Correct? But we can send them our digital ID and they can send us encrypted information using our keys.

Is it possible to send all our public keys to one organization in one list or better to do individual? Or is that not a good practice?

Also how would digital ids work with like hotmail and yahoo accounts? Is it the same as using outlook?

Excuse the delay in responding.

To answer your first question: correct. Both parties require key pairs to send and receive signed/enciphered messages.

RE: sending all public keys to external org. Probably best to train users in key exchange and have them exchange with intended recipient.

No, digital certificates are not compatible with Hotmail, Yahoo, etc. However, you can make them available to users of OWA (http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3MsgSecGuide/9193c63d-b9f0-4709-a23d-9233a09f72c5.mspx?mfr=true).