S/MIME and certificate

New to Exchange2010 .Have a question regarding the encryption.
We have EXchange2010 and the CAS server and it has ssl SAN installed.
If we want to enable S/MIME at end users outlook.
Do we have to install third-rate trusted certificate?
or
We will be ok with internal CA and install the certificate to users via AD?
LVL 2
sara2000Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Carol ChisholmCommented:
SAN for connection encryption and S/MIME are two different things.
However in general you now should always go with a third party certificate from a reliable provider.

Self signed certificates really are not a good idea unless you have a fully published PKI, and if you had that you would not be asking the question.

https://technet.microsoft.com/en-us/library/bb738140(v=exchg.141).aspx

https://social.technet.microsoft.com/Forums/en-US/b8440ebc-4a86-4ff7-be22-1277a8a06a05/smime?forum=exchange2010
0
sara2000Author Commented:
Carol,
Thank you for your reply.
I am having problem of understanding this ssl and S/Mime.
Hope you will put me in the correct direction.
i noticed that one SAN certificate has been installed on all four CAS servers(may be export or copy)
When you say third party from a trusted source, Say for an example we have 100 outlook clients.
we able to install one certificate at all 100 users computers like the CAS servers?
0
Carol ChisholmCommented:
You need to read the links.
You have Outlook Anywhere, OWA, ActiveSync.
Each one uses SSL and S/MIME in a different way.
SSL encrypts the communication between the client and the server.
S/MIME allows you to encrypt the individual messages.

If you just wan to encrypt your connections between client and server, you need one third party SAN cert on the server, and nothing on the clients because they can find the certificate authority on the Internet.

If you want the client to be able to encrypt the mail as well as the connection, then you have to have a certificate that the client can use to encrypt the message, and the recipient has to be able to access the certificate to decrypt the message.
This is much harder to do.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.