Re: Certification Authority



Yes, you do, and you will get it if you check in with the good folks down
the hall. The Windows Server 2003 party is five doors down on the right,
where all the noise is coming from... :-)

Try microsoft.public.windows.server.networking group.

Cheers

On 24/7/07 2:04 AM, in article
6E920CD1-27AA-4AD7-97E7-0610853C1963@xxxxxxxxxxxxx, "Roberto"
<Roberto@xxxxxxxxxxxxxx> wrote:

Thanks a lot John, sounds simple enough, but if possible I need information
on how to do that.

Roberto.

"John McGhie" wrote:

Hi Roberto:

This is very complex: you need to ask the question again in the Windows
Server 2003 newsgroup.

Or rather: the explanation is very complex, the "principle" is quite
simple... :-)

You need to install the Verisign certificate as your Master Certificate.
You then get each client to delete their existing certificate and go through
the process of requesting a new certificate.

This time, they will get a "Child" certificate of the Verisign certificate.
Any outside authentication can then follow the chain of trust all the way
back to Verisign, and will thus accept and trust your signatures without
comment...

Cheers

On 20/7/07 6:26 AM, in article
82B370D6-744F-457D-9365-66C6034CC03A@xxxxxxxxxxxxx, "Roberto"
<Roberto@xxxxxxxxxxxxxx> wrote:

We installed win2003 advanced server with exchange 2003 enterprise. Then for
the purpose of authenticating the clients with the server and encrypting all
emails, we installed also the MICROSOFT certificate authority.

The first time any of our email users connects to the server, he automatically
requests a new certificate (generated by our server) and so far everything
works fine. The server generates the certificate which the user installs in
his machine and from that moment he can sign his emails with that certificate
and later on he can start encrypting his emails.

The only thing is that because this certificate was generated by ourselves,
when the user sends a signed email the first time, the recipient (from an
external domain) has to do some kind of "TRUST THIS ISSUER" process, or
something like that on their client.

We are being audited specifically on this, and the tests we were running
with the auditor about encryption, went fine but at the end he told us that
he didn't like the "TRUST THIS ISSUER" thing and therefore he immediately
recommended to install a VERISIGN certificate on the server, so subsequent
certificates generated by the server will have some kind of additional trust
incorporated, so the "TRUST THIS ISSUER" process will not be necessary for
the recipients. These are his exact words:

"If you want to keep using your server as the certification authority, you
should get your server a VERISIGN certificate. This will automatically will
make the subsequent certificates generated by your server being "trusted" by
everyone."

In summary, what we need is:
Keep issuing the certificates ourselves (because that is what executive
management wants) but that somehow has some kind of automatic trust
incorporated from our server.... so external clients won't have the "TRUST
THIS ISSUER" additional step when they receive an email from us.

We purchased today a Verisign Mail Server SSL Certificate and installed it
on the default web site on the IIS Manager. The problem with the "TRUST THIS
ISSUER" continues....

What needs to be done?

--
Don't wait for your answer, click here: http://www.word.mvps.org/

Please reply in the group. Please do NOT email me unless I ask you to.

John McGhie, Consultant Technical Writer
McGhie Information Engineering Pty Ltd
http://jgmcghie.fastmail.com.au/
Sydney, Australia. S33°53'34.20 E151°14'54.50
+61 4 1209 1410, mailto:john@xxxxxxxxxxx
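
The chain of trust discussed in this thread, as an added example that is not part of the original posts. It assumes the `openssl` command-line tool; every name is hypothetical and "Demo Public Root" stands in for a commercial root. It checks a user certificate issued under a subordinate CA certificate against one signed with a TLS server certificate's key.

```shell
# Constructed demo PKI; every name is hypothetical. "Demo Public Root" stands
# in for a commercial root that recipients already trust.
# mkcert DIR NAME CN EXT ISSUER   (ISSUER "self" means self-signed)
mkcert() {
  local d=$1 name=$2 cn=$3 ext=$4 issuer=$5
  openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
  if [ "$issuer" = self ]; then
    set -- -signkey "$d/$name.key"
  else
    set -- -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" -CAcreateserial
  fi
  openssl x509 -req -in "$d/$name.csr" "$@" -days 30 -extfile "$d/pki.cnf" \
    -extensions "$ext" -out "$d/$name.pem" 2>/dev/null
}

build_demo_pki() {
  local d=$1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[tls]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
[mail]
basicConstraints = critical,CA:FALSE
extendedKeyUsage = emailProtection
EOF
  mkcert "$d" root "Demo Public Root" ca self &&
  mkcert "$d" sub "Demo Company Issuing CA" ca root &&   # subordinate CA cert
  mkcert "$d" tls mail.example.test tls root &&          # TLS server cert
  mkcert "$d" user_ok user@example.test mail sub &&      # issued by the sub CA
  mkcert "$d" user_bad user@example.test mail tls        # signed with TLS key
}

# chain_ok DIR INTERMEDIATE LEAF: does LEAF validate up to the trusted root?
chain_ok() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/$2.pem" "$1/$3.pem" >/dev/null 2>&1
}

d=$(mktemp -d) && build_demo_pki "$d"
chain_ok "$d" sub user_ok && echo "issued under subordinate CA cert: chain validates"
chain_ok "$d" tls user_bad || echo "signed with TLS server cert key: chain rejected"
```
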
