PKI Solution for Windows Environment

Posted on 2008-11-09
Medium Priority
Last Modified: 2012-05-05
I would like to deploy a secure email solution through S/MIME in my organisation.
My organisation is quite large, 1000 users, all Windows users with Microsoft Outlook. The question is now, what would be the best solution, and why, to deploy a PKI infrastructure in my environment?
I know that Windows has a PKI solution that can be deployed at no cost and is integrated with Windows Active Directory, but

If we have our own PKI, can this be trusted by a third party who wants to send email to us?
What would be the better option?

Question by:kecoak
LVL 31

Expert Comment

ID: 22922269
The technical answer is yes - you can use the Microsoft CA internally and externally for PKI related functions.

Whether it's a good idea or not - that comes into what your requirements are out of it specifically.  If it was all internal stuff - definitely.  You mentioned that you would like external resources to use it - that gets tricky - it basically comes down to whether they would trust your root CA certificate or not.  For general public usage, I would recommend commercial CA certificates as they are more universally accepted, as they would already have their root cert installed on most end user boxes.  For B2B use, it is a decent shot that you can work with the other company for them to deploy your root cert via GPO within their environment so their employees don't get warning messages when connecting to your resources.  This would also make it so you could distribute your public keys so they could encrypt a message to your employees to decrypt with their private keys.  Usually this would involve doing the same work to replicate their root into your environment as well.

If you do this, make sure to set up one of your CRL distribution points as an externally accessible place - e.g. www.yourwebsite.com/pki/ so it will work as expected.  Also, plan to set up at least a 2 tier PKI with the root being offline - don't join the root to a domain and you will be set to roll out multiple issuing subordinate CAs according to whatever changing needs you have.  The issuing subordinate can be joined to the domain if desired (typical), or not joined if necessary.  This way you only have to worry about one root certificate - things are much easier this way if you plan for it from the start.

Author Comment

ID: 22927170
What do you mean by commercial CA? As in, the CA is like Verisign? The problem is, if I use an external CA, e.g. Verisign, how do I integrate this cert to all my workstations in the office?
LVL 19

Expert Comment

ID: 22929735
The root CA certificate is at the top of the hierarchy, and if you choose to trust one, you automatically trust all certs created using that root cert. You can check the Trusted Root Certification Authorities in Internet Explorer or the certificates MMC to see which ones are installed by default. Verisign is one of them (sorry for spoiling), so all certificates created by the Verisign root cert are automatically trusted. You will, however, have to deploy the actual S/MIME certificates to the clients by some means, whether by SMS/Tivoli/GPO deployment, login scripts, manual installations or whatnot.
LVL 31

Accepted Solution

Paranormastic earned 2000 total points
ID: 22942164
Yes, commercial CA = a CA that makes money off of providing PKI services - e.g. Verisign, RapidSSL, Comodo, Thawte, etc.

Using your own PKI, you can distribute your root certificate many ways:
- manually by double-clicking it and following the wizard
- pushing it via group policy, SMS, etc.
- publishing the root cert and subordinate certs and CRLs on your externally facing website so they can be easily downloaded and installed by 3rd parties, e.g. your users at home, B2B partners, general public, so they can trust your PKI regardless of whether they get a cert issued to them or not.  Usually you just include this process in your documentation for whatever remote access (e.g. VPN, OWA, etc.) they are trying to get access to.

Here's a nice walkthrough for installation, you can probably skip the cross-certification related items unless you are trying to do that with a partner company:
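As an added example (not code from this thread, from the experts or from Microsoft), here is a PowerShell check an administrator could run on a workstation to verify the three points the expert comments make: that the internal root certificate actually landed in the machine's Trusted Root store (what GPO distribution is meant to achieve), that certificates issued by the subordinate CA carry an HTTP CRL distribution point on the externally accessible host, and that a chain builds with revocation checking the way a relying application would build it. The file paths, CA names and host name are assumed placeholders; the thumbprints and extension OID come from the certificates themselves.

```powershell
# Added example, not from this thread: readiness check for a workstation that
# must trust an internal two-tier PKI (offline root, domain-joined issuing CA)
# before S/MIME certificates are rolled out.
# Hypothetical values: the two file paths and the CDP host name.
param(
    [string]$RootCerPath     = 'C:\pki\CorpRootCA.cer',   # exported offline root cert (assumed path)
    [string]$IssuedCerPath   = 'C:\pki\user-smime.cer',   # any cert issued by the subordinate (assumed path)
    [string]$ExpectedCdpHost = 'www.yourwebsite.com'      # externally reachable CDP host from the thread
)

$x509 = 'System.Security.Cryptography.X509Certificates'
$root = New-Object "$x509.X509Certificate2" -ArgumentList $RootCerPath
$leaf = New-Object "$x509.X509Certificate2" -ArgumentList $IssuedCerPath

# 1. Trust anchor: is the root in the machine-wide Trusted Root store?
#    This is the store populated by the GPO setting
#    Computer Configuration\Policies\Windows Settings\Security Settings\
#    Public Key Policies\Trusted Root Certification Authorities.
$trusted = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if ($trusted) {
    Write-Output "OK   root '$($root.Subject)' is in LocalMachine\Root"
} else {
    Write-Output "FAIL root '$($root.Subject)' is not trusted here; push it via GPO or import it manually"
}

# 2. Revocation: does the issued cert carry an HTTP CRL distribution point on
#    the externally reachable host? A CDP that only points inside the network
#    cannot be fetched by outside relying parties, so their revocation check fails.
$cdp = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # id-ce-cRLDistributionPoints
if (-not $cdp) {
    Write-Output 'FAIL issued cert has no CRL Distribution Points extension'
} else {
    # Format($true) renders the extension as text with one "URL=..." line per point
    $urls     = [regex]::Matches($cdp.Format($true), 'https?://\S+') | ForEach-Object { $_.Value }
    $external = $urls | Where-Object { $_ -like "http://$ExpectedCdpHost/*" }
    if ($external) { Write-Output "OK   external CDP: $external" }
    else           { Write-Output "FAIL no CDP under http://$ExpectedCdpHost/ (found: $($urls -join ', '))" }
}

# 3. Build the chain with online revocation checking, as a relying application
#    does. Even an offline root must publish a CRL (with a long validity period)
#    so the subordinate CA's own cert can be checked; an expired root CRL shows
#    up here as a RevocationStatusUnknown or OfflineRevocation status.
$chain = New-Object "$x509.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$valid = $chain.Build($leaf)
foreach ($el in $chain.ChainElements) {
    $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $status) { $status = 'NoError' }
    Write-Output ("     {0,-50} {1}" -f $el.Certificate.Subject, $status)
}
if ($valid) { Write-Output 'OK   chain builds to a trusted root with revocation checked' }
else        { Write-Output 'FAIL chain does not validate; see element statuses above' }
```

Run it on a workstation after the GPO has applied (reading LocalMachine\Root needs no elevation) and again from a machine outside the domain: the second run is the view a B2B partner or home user gets, and is where a missing root or an unreachable CDP shows up before users start seeing warning dialogs in Outlook.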
