Encryption and Digital ID outside of Domain with a Windows CA

Posted on 2006-05-31
Last Modified: 2010-04-11
I am running a Windows 2003 CA server with issued certificates for Encryption and Digital ID for Outlook. I don't have any problems using it internally within the domain. I want to expand the use outside of our organization. What needs to be done to make this happen? Do we need to send our certificates or the client's certificate to the recipient so they can receive the encrypted email? Or do I need to have their certificate for me to send them an encrypted email? Also, what is a certificate chain and CRL? Any help please.

Question by:FSYR

Expert Comment

ID: 16803394

To be able to send/receive signed and encrypted emails with external entities, the users must first exchange their public keys. To do this, instruct your user(s) to send a digitally signed (but not encrypted) message to the recipient and to request a digitally signed email from the recipient. Once the key exchange has taken place, they should then be able to send/receive encrypted mail.

The reason: a message is signed using the sender's private key, with the public key and certificate chain encapsulated in the message. A message is encrypted using the recipient's public key.

What is a Certificate Chain: information on the hierarchy/sequence of CAs (issuing, Root) as well as the base cert.

CRL: Certificate Revocation List - a list of certificates that have been revoked. So, if an employee's laptop is stolen, you can revoke the certificate so that employee cannot be impersonated.

When exchanging email with external entities, making a CRL available to the outside is important so the validity of your certs can be verified.


Designing a PKI (http://technet2.microsoft.com/WindowsServer/en/Library/b1ee9920-d7ef-4ce5-b63c-3661c72e0f0b1033.mspx?mfr=true)

PKI Best Practices (http://technet2.microsoft.com/WindowsServer/en/Library/091cda67-79ec-481d-8a96-03e0be7374ed1033.mspx?mfr=true)
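The revocation point above, as an added example that is not part of this thread: a constructed toy CA issues one user certificate and publishes a CRL, and a relying party checks the certificate's issuer signature, the CRL's signature, and the serial's revocation status before trusting the cert. It uses the Python `cryptography` package; all names and validity periods are made up.

```python
"""Toy CA, CRL issuance and revocation check (constructed example)."""
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def build_pki():
    """Constructed root CA plus one end-user (S/MIME style) certificate."""
    now = datetime.datetime.now(datetime.timezone.utc)
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = (x509.CertificateBuilder()
        .subject_name(_name("Example Root CA")).issuer_name(_name("Example Root CA"))
        .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256()))
    user_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    user_cert = (x509.CertificateBuilder()
        .subject_name(_name("alice@example.test")).issuer_name(ca_cert.subject)
        .public_key(user_key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
        .sign(ca_key, hashes.SHA256()))
    return ca_key, ca_cert, user_cert


def build_crl(ca_key, ca_cert, revoked_serials):
    """CA publishes a CRL listing the given serials (e.g. a stolen laptop's cert)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
        .last_update(now).next_update(now + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(now).build())
    return builder.sign(ca_key, hashes.SHA256())


def cert_status(cert, ca_cert, crl):
    """Relying-party check: 'good', 'revoked', or 'untrusted' (bad signature)."""
    ca_pub = ca_cert.public_key()
    try:  # both the cert and the CRL must really come from this CA
        ca_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                      padding.PKCS1v15(), cert.signature_hash_algorithm)
        ca_pub.verify(crl.signature, crl.tbs_certlist_bytes,
                      padding.PKCS1v15(), crl.signature_hash_algorithm)
    except InvalidSignature:
        return "untrusted"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "good"
```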

Author Comment

ID: 16806870
So if external entities have no public keys or certificates on their end we cannot send them encrypted information. Correct? But we can send them our digital ID and they can send us encrypted information using our keys.

Is it possible to send all our public keys to one organization in one list or better to do individual? Or is that not a good practice?

Also, how would digital IDs work with Hotmail and Yahoo accounts? Is it the same as using Outlook?


Accepted Solution

tnapolitano earned 2000 total points
ID: 16826073
Excuse the delay in responding.

To answer your first question: correct. Both parties require key pairs to send and receive signed/enciphered messages.

RE: sending all public keys to an external org. Probably best to train users in key exchange and have them exchange with the intended recipient.

No, digital certificates are not compatible with Hotmail, Yahoo, etc. However, you can make them available to users of OWA (http://www.microsoft.com/technet/prodtechnol/exchange/guides/E2k3MsgSecGuide/9193c63d-b9f0-4709-a23d-9233a09f72c5.mspx?mfr=true).
