kecoak asked:

PKI Solution for Windows Environment

I would like to deploy a secure email solution through S/MIME in my organisation.
My organisation is quite large, 1000 users, all Windows users with Microsoft Outlook. The question now is: what would be the best solution to deploy a PKI infrastructure in my environment, and why?
I know that Windows has a PKI solution that can be deployed at no cost and is integrated with Windows Active Directory, but:

If we have our own PKI, can this be trusted by a third-party person who wants to send email to us?
What would be the better option?

Paranormastic replied:

The technical answer is yes - you can use the Microsoft CA both internally and externally for PKI-related functions.

Whether it's a good idea or not - that comes down to what your requirements are for it specifically. If it was all internal stuff - definitely. You mentioned that you would like external resources to use it - that gets tricky - it basically comes down to whether they would trust your root CA certificate or not. For general public usage, I would recommend commercial CA certificates, as they are more universally accepted because their root cert is already installed on most end-user boxes. For B2B use, it is a decent shot that you can work with the other company for them to deploy your root cert via GPO within their environment so their employees don't get warning messages when connecting to your resources. This would also make it so you could distribute your public keys so they could encrypt a message to your employees to decrypt with their private keys. Usually this would involve doing the same work to replicate their root into your environment as well.

If you do this, make sure to set up one of your CRL distribution points as an externally accessible place - e.g. www.yourwebsite.com/pki/ - so it will work as expected. Also, plan to set up at least a two-tier PKI with the root being offline - don't join the root to a domain, and you will be set to roll out multiple issuing subordinate CAs according to whatever changing needs you have. The issuing subordinate can be joined to the domain if desired (typical), or not joined if necessary. This way you only have to worry about one root certificate - things are much easier this way if you plan for it from the start.
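The two concrete recommendations in this answer (an externally reachable CRL distribution point, and getting the root certificate trusted by domain clients) applied to a Windows ADCS issuing CA, as an added example that is not code from the thread or any poster. It assumes an elevated PowerShell session on the online issuing CA, the www.yourwebsite.com/pki path from the answer as the external location, and placeholder file names RootCA.cer and issued.cer.

```powershell
# Added example; not from the thread. Run elevated on the online issuing CA.
# Assumed values: external URL below (from the answer), .\RootCA.cer, .\issued.cer.
$ExternalPki = 'http://www.yourwebsite.com/pki'   # must be served to the Internet

# Flag bits certutil uses in the publication-URL lists:
#   1 = write the file to this location when the CA publishes
#   2 = put this URL in the CDP / AIA extension of every issued certificate
# First entry keeps the CA's local CertEnroll folder as the publish point; the second
# embeds the external URL so outside relying parties can check revocation.
# Tokens: %1 = server DNS name, %3 = CA name, %4 = cert suffix, %8 = CRL suffix, %9 = delta suffix.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:$ExternalPki/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:$ExternalPki/%1_%3%4.crt"

# The CA service reads these values at start-up; republish the CRL afterwards.
Restart-Service -Name CertSvc
certutil -crl
# The CertEnroll folder still has to be copied to the web server behind $ExternalPki
# (file replication or a scheduled task); that step is site-specific and not shown.

# Publish the offline root's certificate into Active Directory so every domain member
# adds it to Trusted Root Certification Authorities on the next Group Policy refresh,
# the GPO-style distribution the answer describes. Requires Enterprise Admin rights.
certutil -dspublish -f .\RootCA.cer RootCA

# Check: build the chain for a freshly issued certificate while fetching CDP/AIA over
# the network. A non-zero exit code, or "revocation" marked unavailable in the output,
# means the external location is not serving the CRL or CA certificate yet.
certutil -verify -urlfetch .\issued.cer
if ($LASTEXITCODE -ne 0) { Write-Warning 'Chain or revocation check failed for issued.cer' }
```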
kecoak (asker) replied:
What do you mean by commercial CA? As in, the CA is like Verisign? The problem if I use an external CA, e.g. Verisign: how do I integrate this cert to all my workstations in the office?

The root CA certificate is at the top of the hierarchy, and if you choose to trust one, you automatically trust all certs created using that root cert. You can check the Trusted Root Certification Authorities in Internet Explorer or the certificates MMC to see which ones are installed by default. Verisign is one of them (sorry for spoiling), so all certificates created by the Verisign root cert are automatically trusted. You will, however, have to deploy the actual S/MIME certificates to the clients by some means, whether by SMS/Tivoli/GPO deployment, login scripts, manual installations or whatnot.
ASKER CERTIFIED SOLUTION
Paranormastic