PKI Solution for Windows Environment

Posted on 2008-11-09
Last Modified: 2012-05-05
I would like to deploy a secure email solution through S/MIME in my organisation.
My organisation is quite large, 1000 users, all Windows users with Microsoft Outlook. The question now is: what would be the best solution for deploying a PKI infrastructure in my environment, and why?
I know that Windows has a PKI solution that can be deployed at no cost and is integrated with Windows Active Directory, but:

If we have our own PKI, can this be trusted by a third-party person who wants to send email to us?
What would be the better option?

Question by: kecoak

    Expert Comment

    The technical answer is yes - you can use the Microsoft CA internally and externally for PKI-related functions.

    Whether it's a good idea or not - that comes down to what your requirements are for it specifically.  If it was all internal stuff - definitely.  You mentioned that you would like external resources to use it - that gets tricky - it basically comes down to whether they would trust your root CA certificate or not.  For general public usage, I would recommend commercial CA certificates, as they are more universally accepted since they would already have their root cert installed on most end-user boxes.  For B2B use, it is a decent shot that you can work with the other company for them to deploy your root cert via GPO within their environment, so their employees don't get warning messages when connecting to your resources.  This would also make it so you could distribute your public keys so they could encrypt a message to your employees to decrypt with their private keys.  Usually this would involve doing the same work to replicate their root into your environment as well.

    If you do this, make sure to set up one of your CRL distribution points as an externally accessible place - e.g. so it will work as expected.  Also, plan to set up at least a 2-tier PKI with the root being offline - don't join the root to a domain, and you will be set to roll out multiple issuing subordinate CAs according to whatever changing needs you have.  The issuing subordinate can be joined to the domain if desired (typical), or not joined if necessary.  This way you only have to worry about one root certificate - things are much easier this way if you plan for it from the start.

    Author Comment

    What do you mean by commercial CA? As in, the CA is like Verisign? The problem is if I use an external CA, e.g. Verisign. How do I integrate this cert to all my workstations in the office?

    Expert Comment

    The root CA certificate is at the top of the hierarchy, and if you choose to trust one, you automatically trust all certs created using that root cert. You can check the Trusted Root Certification Authorities in Internet Explorer or the certificates MMC to see which ones are installed by default. Verisign is one of them (sorry for spoiling), so all certificates created by the Verisign root cert are automatically trusted. You will, however, have to deploy the actual S/MIME certificates to the clients by some means, whether by SMS/Tivoli/GPO deployment, login scripts, manual installations or whatnot.

    Accepted Solution

    Yes, commercial CA = a CA that makes money off of providing PKI services - e.g. Verisign, RapidSSL, Comodo, Thawte, etc.

    Using your own PKI, you can distribute your root certificate many ways:
    - manually, by double-clicking it and following the wizard
    - pushing it via Group Policy, SMS, etc.
    - publishing the root cert, subordinate certs and CRLs on your externally facing website so they can be easily downloaded and installed by third parties, e.g. your users at home, B2B partners, or the general public, so they can trust your PKI regardless of whether they get a cert issued to them or not.  Usually you just include this process in your documentation for whatever remote access (e.g. VPN, OWA, etc.) they are trying to get access to.

    Here's a nice walkthrough for installation; you can probably skip the cross-certification related items unless you are trying to do that with a partner company:
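The two points the experts make above, an externally reachable HTTP CRL distribution point on the issuing CA and getting the root cert into each workstation's trusted store, can be checked and applied with a short script. This is an added example, not code from the thread; the function names and the file names `root.cer` and `issuing.cer` (certificates exported from the CA) are assumptions, and it uses only built-in Windows tooling (`Import-Certificate` from the PKI module, `certutil`).

```powershell
# Added example, not from the thread. Assumes two files exported from the CA:
#   .\root.cer    - the offline root CA certificate to be trusted by workstations
#   .\issuing.cer - the domain-joined issuing CA certificate (its CDP must be reachable)

# Pull the URLs out of a certificate's CRL Distribution Points extension (OID 2.5.29.31).
function Get-CrlDistributionPoints {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as text with one "URL=..." line per distribution point
    ($ext.Format($true) -split "`r?`n") | ForEach-Object {
        if ($_ -match 'URL=(\S+)') { $Matches[1] }
    }
}

# Partners and home users outside the domain cannot reach LDAP CDPs, so at least one
# HTTP CDP must exist and answer from the outside; otherwise revocation checking fails.
function Test-ExternalCdp {
    param([Parameter(Mandatory)][string]$CertPath)
    $http = Get-CrlDistributionPoints $CertPath | Where-Object { $_ -like 'http://*' }
    if (-not $http) {
        Write-Warning "No HTTP CDP on $CertPath; external relying parties cannot check revocation."
        return $false
    }
    foreach ($url in $http) {
        try {
            $resp = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 10
            Write-Host "CDP reachable: $url (HTTP $($resp.StatusCode))"
            return $true
        } catch {
            Write-Warning "CDP not reachable: $url ($($_.Exception.Message))"
        }
    }
    return $false
}

# Put the root into the machine's Trusted Root store; a GPO does the same thing centrally.
function Install-RootCert {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert = Import-Certificate -FilePath $CertPath -CertStoreLocation Cert:\LocalMachine\Root
    Write-Host "Trusted root installed: $($cert.Subject) thumbprint $($cert.Thumbprint)"
}

Install-RootCert -CertPath .\root.cer
if (Test-ExternalCdp -CertPath .\issuing.cer) {
    # Build the full chain and fetch the CRLs exactly as a relying party would
    certutil -verify -urlfetch .\issuing.cer
}
```

Run it from an elevated prompt, ideally on a machine outside the corporate network, so the CDP reachability check reflects what a third party actually sees.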
