Email Encryption

1. Can the OWA client do email encryption if MS Cert Services is installed as a Standalone CA?
2. Can an MS Enterprise CA 'serve' users who do not log on to the domain?
3. I found many articles stating that to run an Enterprise CA, we must run it on Windows Enterprise 2003 Server. Is that true?
4. How do I set up email encryption to serve my Exchange resource forest infra? I know how to set up the CA. I just want to know whether I have to set up the Enterprise CA for both forests or just at the forest that holds the Exchange server.
aihaiai Asked:

Zanemwest Commented:
1. OWA probably won't be able to encrypt, as this is usually an Outlook function to turn it on or off and the certificate is issued to the workstation.
2. Should be able to; you would just have to manually issue the certificates as opposed to being able to do it automatically as part of the GPO.
3. I think the article is correct in saying an Enterprise CA needs to run on Enterprise edition. If implementing a PKI, which is really what it is intended for, it becomes the lifeblood of your AD, as properly done it is used to encrypt traffic to everywhere, for all purposes.
4. You can have a single CA just issue certificates to the other domain; it will show issued by from one forest and issued to from another. There does need to be a forest trust, even if just at the root level, which I think would be transitive, so the root domain of each forest is aware of all domains in the other forests.
aihaiai Author Commented:
2. When you said manually issue, does that mean the certificate request process will be initiated by the user, e.g. the user will go to http://servername/certsrv and follow the instructions to request the certificate? I don't think users who do not log on to the domain can use the MMC to request a certificate, since they don't find the AD. Is that correct?
Another thing: if the non-domain-logon users request the cert from the Enterprise CA via the web, I found that in the personal folder certificate content, the cert was issued to something like servername_IISUSR. Can this cert be used, since I don't see how the cert is 'tied' to the user or email? Unlike for the standalone CA, when users request the cert via the web, they have to key in some info including email address. It seems to make sense. OR
My new question: Is there any way that the administrator can issue the certificate (regardless of whether implementing the standalone or Enterprise CA), something like the third-party CAs do when I purchase an SSL cert for use with my website? They directly give me the .cer file. (I'm not sure the third party can issue the cert.cer file directly to the 'personal id' user via email or another method such as thumb drive or diskette.) So far the third party is also using web enrollment for the 'personal id' request.
Another thing: for a standalone CA, if users format their PC without having a copy of the cert, how can the administrator issue the certificate back to the user? Or is there no alternative, and the user needs to request the cert again using the web? (This question comes back to whether the administrator can issue the certificate directly to the user.)
aihaiai Author Commented:
As an administrator, how do I keep a copy of my users' certificates that were issued? Does that depend on whether it is a standalone or Enterprise CA, e.g. an Enterprise CA can do it but not a standalone CA? I can't see how I can do it via the Certification Authority MMC. I can only see that the issued certificate can be exported to binary data etc. OR I'm going the wrong way now...
purplepomegranite Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I will leave the following recommendation for this question in the Cleanup Zone:
DELETE: refund

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

purplepomegranite: Experts Exchange Cleanup Volunteer
purplepomegranite Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I will leave the following recommendation for this question in the Cleanup Zone:
ACCEPT: Zanemwest {20795233}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

purplepomegranite: Experts Exchange Cleanup Volunteer