PKI Solution for Windows Environment

I would like to deploy a secure email solution through S/MIME in my organisation.
My organisation is quite large (1000 users), all Windows users with Microsoft Outlook. The question is now: what would be the best solution, and why, to deploy a PKI infrastructure in my environment?
I know that Windows has a PKI solution that can be deployed at no cost and is integrated with Windows Active Directory, but:

If we have our own PKI, can it be trusted by a third party who wants to send email to us?
What would be the better option?


Paranormastic (Cryptographic Engineer) commented:
The technical answer is yes - you can use the Microsoft CA internally and externally for PKI-related functions.

Whether it's a good idea or not comes down to what your requirements are out of it specifically. If it was all internal stuff - definitely. You mentioned that you would like external resources to use it - that gets tricky - it basically comes down to whether they would trust your root CA certificate or not. For general public usage, I would recommend commercial CA certificates, as they are more universally accepted because they already have their root cert installed on most end user boxes. For B2B use, it is a decent shot that you can work with the other company for them to deploy your root cert via GPO within their environment, so their employees don't get warning messages when connecting to your resources. This would also make it so you could distribute your public keys, so they could encrypt a message to your employees to decrypt with their private keys. Usually this would involve doing the same work to replicate their root into your environment as well.

If you do this, make sure to set up one of your CRL distribution points in an externally accessible place, so it will work as expected. Also, plan to set up at least a 2-tier PKI with the root being offline - don't join the root to a domain, and you will be set to roll out multiple issuing subordinate CAs according to whatever changing needs you have. The issuing subordinate can be joined to the domain if desired (typical), or not joined if necessary. This way you only have to worry about one root certificate - things are much easier this way if you plan for it from the start.
kecoak (Author) commented:
What do you mean by commercial CA? As in, the CA is like Verisign? The problem is, if I use an external CA, e.g. Verisign, how do I integrate this cert into all my workstations in the office?
The root CA certificate is at the top of the hierarchy, and if you choose to trust one, you automatically trust all certs created using that root cert. You can check the Trusted Root Certification Authorities in Internet Explorer or the certificates MMC to see which ones are installed by default. Verisign is one of them (sorry for spoiling), so all certificates created by the Verisign root cert are automatically trusted. You will, however, have to deploy the actual S/MIME certificates to the clients by some means, whether by SMS/Tivoli/GPO deployment, login scripts, manual installations or whatnot.
Paranormastic (Cryptographic Engineer) commented:
Yes, commercial CA = a CA that makes money from providing PKI services - e.g. Verisign, RapidSSL, Comodo, Thawte, etc.

Using your own PKI, you can distribute your root certificate many ways:
- manually, by double-clicking it and following the wizard
- pushing it via group policy, SMS, etc.
- publishing the root cert, subordinate certs and CRLs on your externally facing website so they can be easily downloaded and installed by 3rd parties, e.g. your users at home, B2B partners, or the general public, so they can trust your PKI regardless of whether they get a cert issued to them or not. Usually you just include this process in your documentation for whatever remote access (e.g. VPN, OWA, etc.) they are trying to get access to.

Here's a nice walkthrough for installation; you can probably skip the cross-certification related items unless you are trying to do that with a partner company:

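Two of the points raised above (pushing your root cert to workstations, and making sure a CRL distribution point is reachable from outside) are easy to get wrong silently, so here is an added PowerShell check, not part of the original thread, that a PKI admin can run on any workstation, and again from an external network. It assumes the enterprise root has been exported to `C:\pki\corp-root.cer` and one issued S/MIME certificate to `C:\pki\user-smime.cer`; both paths are placeholders.

```powershell
# Added example (not from the original thread). Paths are placeholders.
param(
    [string]$RootCerPath = 'C:\pki\corp-root.cer',
    [string]$LeafCerPath = 'C:\pki\user-smime.cer'
)

# 1. Is our root actually in the machine-wide Trusted Root store on this box?
#    (A GPO "Trusted Root Certification Authorities" push lands in LocalMachine\Root.)
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCerPath)
$trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if ($trusted) {
    Write-Host "Root '$($root.Subject)' is present in LocalMachine\Root."
} else {
    Write-Warning "Root '$($root.Subject)' is NOT trusted here; the GPO/SMS push has not reached this machine."
}

# 2. Pull the CRL Distribution Point URLs out of an issued certificate and test each one.
#    Run this from outside the corporate network too: an http:// CDP that only resolves
#    internally is the classic reason external partners see revocation errors.
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($LeafCerPath)
$cdpExt = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # id-ce-cRLDistributionPoints
if (-not $cdpExt) {
    Write-Warning 'Certificate has no CDP extension; clients cannot check revocation for it.'
} else {
    # Format($true) renders the extension as text ("URL=http://..."); a regex is enough here.
    $urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    foreach ($u in $urls) {
        if ($u -notmatch '^http://') { Write-Host "Skipping non-HTTP CDP (e.g. LDAP, internal only): $u"; continue }
        try {
            $r = Invoke-WebRequest -Uri $u -Method Head -UseBasicParsing -TimeoutSec 10
            Write-Host "CDP reachable (HTTP $($r.StatusCode)): $u"
        } catch {
            Write-Warning "CDP NOT reachable: $u ($($_.Exception.Message))"
        }
    }
}

# 3. Build the full chain with online revocation checking, the way Outlook/CryptoAPI will.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'        # actually fetch the CRLs
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'   # the self-signed root has no issuer CRL
if ($chain.Build($leaf)) {
    $path = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    Write-Host "Chain OK: $path"
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation.Trim())" }
}
```

If step 3 reports `RevocationStatusUnknown` or `OfflineRevocation` from an external network while step 2 shows the HTTP CDP reachable, check the AIA URLs the same way, since chain building needs the issuing CA certificate as well as the CRL.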