Certificate server! I need more detailed information!
Hello. I read something in the 70-293 e-book about certificate servers; however, I want to deploy a stand-alone certificate server, but I don't know how to configure the details produced by the certificate server. The screenshot is here: http://cid-2a1dc26b0896663f.skydrive.live.com/browse.aspx/certificate%20problem

Please explain what these mean: "key usage: exchange & signature", "automatic key container & user-specified container name", "mark key as exportable", "store certificate in local computer certificate store", "request format: CMC & PKCS10", "hash algorithm", "friendly name".

If possible, explain the encryption method for sending email. For example: user1@live.com wants to send an email to user2@live.com. Can user1@live.com use its own private key, or should it use the destination's private key?

persia gulf for ever! hey google! change your behavior! google is inventor!
September 3rd, 2009 10:18am

I will try to explain:

1) Key Usage is key usage :) In other words, this determines for what purposes this certificate will be used. If you need to encrypt something, you will need the Encryption key usage. To sign applications or mails, you will need the Signature key usage. Some purposes require that the certificate have both Encryption and Signature (for example, mail signing and encryption).

2) Key container. This determines the key container in the certmgr.msc console. By default these certificates are placed in the Personal container.

3) Mark key as exportable. This determines whether there will be a way to export the private key to a file (for example, to back up keys). If the key is not marked as exportable, then if you lose your key (for example, after a system reinstall, profile change, etc.) you will be unable to use this key. If it is marked, you can open the Certificates console, right-click the certificate and choose "Yes, export private key", and the key will be exported to a PFX file. You may move this file to another computer (or reinstall the system) and install this file. Then you will be able to use this private key.

4) Store certificate in local computer certificate store. This is necessary for Computer certificates only. (The description is on your screenshot.)

5) CMC and PKCS10 are just request message formats. If you use a Windows Server CA, you may use either of them.

6) Hash algorithm: this is the hash algorithm that is used to sign the request only. This protects your request from being changed by a man-in-the-middle. Possible values are md2/md4/md5/SHA1 and higher.

About your example. If your user wants to sign his e-mail, User1 takes his private key and signs the message. When the mail is delivered, User2 takes User1's certificate (for example, from AD) and checks the signature. If User1 wants to encrypt a mail message, then he takes User2's certificate (with the public key) and encrypts the mail with this certificate. When the mail is delivered, User2 takes his private key and decrypts the message.

[http://www.sysadmins.lv]

As always, enjoy the automation of tools within the Windows-based, .NET-aware, WPF-accessible, multi-process on the same IP/port usage, admin's automation tool, powershell.exe! Flowering Weeds
September 3rd, 2009 3:33pm
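Editor's worked example (added here; not code from the thread, from Windows, or from the sysadmins.lv author): the request fields the answer above describes, built with the third-party Python `cryptography` package so that each one is visible in the resulting PKCS#10 request. "Key usage: exchange & signature" becomes the keyEncipherment and digitalSignature bits, "hash algorithm" is the digest the request is signed with, and the last function shows why an exportable key matters: only then can it be backed up. The e-mail address, password and key size are assumptions made for the example.

```python
"""PKCS#10 request carrying key usage, hash algorithm and subject e-mail.

Added example using the `cryptography` package (not code from the thread).
user1@example.com, the passphrase and the 2048-bit key size are made up.
"""
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def new_key() -> rsa.RSAPrivateKey:
    # The private key that the Windows wizard would place in a key container.
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def build_request(email: str, key: rsa.RSAPrivateKey) -> x509.CertificateSigningRequest:
    """Request for an S/MIME certificate: both 'exchange' and 'signature' usage."""
    return (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, email)]))
        .add_extension(
            x509.KeyUsage(
                digital_signature=True,   # "signature": sign outgoing mail
                content_commitment=False,
                key_encipherment=True,    # "exchange": receive encrypted mail
                data_encipherment=False,
                key_agreement=False,
                key_cert_sign=False,
                crl_sign=False,
                encipher_only=False,
                decipher_only=False,
            ),
            critical=True,
        )
        .add_extension(
            x509.ExtendedKeyUsage([ExtendedKeyUsageOID.EMAIL_PROTECTION]), critical=False
        )
        .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
        # "Hash algorithm": the digest used only to sign the request itself.
        .sign(key, hashes.SHA256())
    )


def request_fields(csr: x509.CertificateSigningRequest) -> dict:
    """Read back the fields a CA operator would check before issuing."""
    ku = csr.extensions.get_extension_for_class(x509.KeyUsage).value
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return {
        "signature": ku.digital_signature,
        "exchange": ku.key_encipherment,
        "hash": csr.signature_hash_algorithm.name,
        "emails": san.get_values_for_type(x509.RFC822Name),
    }


def signature_holds(csr: x509.CertificateSigningRequest, tbs: bytes) -> bool:
    """Verify the request signature over `tbs` (the to-be-signed bytes).

    A request altered in transit no longer matches its signature, which is
    the man-in-the-middle protection the hash algorithm provides."""
    try:
        csr.public_key().verify(
            csr.signature, tbs, padding.PKCS1v15(), csr.signature_hash_algorithm
        )
        return True
    except InvalidSignature:
        return False


def flip_last_byte(data: bytes) -> bytes:
    """Simulate a tampered request body."""
    return data[:-1] + bytes([data[-1] ^ 0x01])


def export_private_key(key: rsa.RSAPrivateKey, password: bytes) -> bytes:
    """Password-protected backup of the private key.

    This is what 'mark key as exportable' permits; a non-exportable key
    cannot be backed up and is lost with the profile."""
    return key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.BestAvailableEncryption(password),
    )


if __name__ == "__main__":
    key = new_key()
    csr = build_request("user1@example.com", key)
    print(request_fields(csr))
    print(csr.public_bytes(serialization.Encoding.PEM).decode())
```

Windows writes the same information into a PKCS#10 (or CMC-wrapped) request from the wizard fields; the CA only honours the key usage bits it is configured to issue, so a stand-alone CA operator should compare `request_fields()` against what the template is meant to allow before approving.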

Thank you very much for your guide. Is there a way to choose which algorithm to use for encrypting emails and transferring them over the internet? Or for encrypting data on the local hard disk? EFS? Can the administrator choose which algorithm to use?

persia gulf for ever! hey google! change your behavior! google is inventor!
September 6th, 2009 12:56am

Yes, but for email it is a bit of a negotiation. You can configure in your client what symmetric algorithm you wish to use. But when you select the recipient's certificate (from a directory), it should contain the SMIMECapabilities extension (a list of the supported algorithms). The client will choose the highest mutual algorithm if the default is not included in the list.

For EFS, it is more of a client version determinant. Windows 2000 used DESX. Windows XP allowed the use of 3DES. After XP SP1, Advanced Encryption Standard (AES) became the default encryption algorithm for EFS.

Brian
September 6th, 2009 3:52am

> Yes, but for email it is a bit of a negotiation. You can configure in your client what symmetric algorithm you wish to use. But when you select the recipient's certificate (from a directory), it should contain the SMIMECapabilities extension (a list of the supported algorithms). The client will choose the highest mutual algorithm if the default is not included in the list.
>
> For EFS, it is more of a client version determinant. Windows 2000 used DESX. Windows XP allowed the use of 3DES. After XP SP1, Advanced Encryption Standard (AES) became the default encryption algorithm for EFS.
>
> Brian

Thanks for the guides. I checked the SMIMECapabilities extension in the certificate file (.cer). They are unknown!

[1]SMIME Capability Object ID=1.2.840.113549.3.2 Parameters=02 02 00 80
[2]SMIME Capability Object ID=1.2.840.113549.3.4 Parameters=02 02 00 80
[3]SMIME Capability Object ID=1.3.14.3.2.7
[4]SMIME Capability Object ID=1.2.840.113549.3.7

How can I understand what these object IDs mean?

persia gulf for ever! hey google! change your behavior! google is inventor!
September 6th, 2009 10:12am
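Editor's worked example (added here; not code from the thread or from any of its posters) covering both the negotiation Brian describes and the four object IDs in the question above. It is a dependency-free parser for the DER-encoded SMIMECapabilities extension (a SEQUENCE OF SEQUENCE { capabilityID, parameters OPTIONAL }) plus the "highest mutual algorithm" selection. The DER bytes are constructed from the four OID/parameter pairs the poster listed; the preference order is an assumption chosen for the example.

```python
"""Decode SMIMECapabilities and pick the strongest mutually supported cipher.

Added example, pure Python (not from the thread). The DER below is
constructed from the four entries quoted in the post; the preference
list is the example's own choice, not a Windows Mail setting.
"""

# Well-known SMIMECapability OIDs (RFC 2633/3851 and the AES OID arc).
ALGORITHMS = {
    "1.2.840.113549.3.2": "RC2-CBC",
    "1.2.840.113549.3.4": "RC4",
    "1.3.14.3.2.7": "DES-CBC",
    "1.2.840.113549.3.7": "DES-EDE3-CBC",
    "2.16.840.1.101.3.4.1.2": "AES-128-CBC",
    "2.16.840.1.101.3.4.1.42": "AES-256-CBC",
}

# The poster's four capabilities, re-encoded as DER (constructed sample):
# rc2-CBC with INTEGER 128 (key bits), rc4 with INTEGER 128, desCBC, des-EDE3-CBC.
SMIME_CAPABILITIES_DER = bytes.fromhex(
    "3035"
    "300e" "0608" "2a864886f70d0302" "02020080"
    "300e" "0608" "2a864886f70d0304" "02020080"
    "3007" "0605" "2b0e030207"
    "300a" "0608" "2a864886f70d0307"
)

# Modern-first preference; RC2, RC4 and single DES are deliberately absent.
PREFERENCE = [
    "2.16.840.1.101.3.4.1.42",  # AES-256-CBC
    "2.16.840.1.101.3.4.1.2",   # AES-128-CBC
    "1.2.840.113549.3.7",       # DES-EDE3-CBC (3DES)
]


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2 : pos + 2 + n], "big")
        pos += 2 + n
    else:
        pos += 2
    return tag, buf[pos : pos + length], pos + length


def _decode_oid(content: bytes) -> str:
    """Turn OBJECT IDENTIFIER content octets into dotted notation."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_smime_capabilities(der: bytes) -> list:
    """Return [{'oid', 'name', 'key_bits'}] for each advertised capability."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SMIMECapabilities must be a SEQUENCE")
    caps, pos = [], 0
    while pos < len(body):
        tag, cap, pos = _tlv(body, pos)
        if tag != 0x30:
            raise ValueError("SMIMECapability must be a SEQUENCE")
        tag, oid_bytes, p = _tlv(cap, 0)
        if tag != 0x06:
            raise ValueError("capabilityID must be an OBJECT IDENTIFIER")
        oid = _decode_oid(oid_bytes)
        key_bits = None
        if p < len(cap):  # optional parameters: INTEGER key length for RC2/RC4
            ptag, pval, _ = _tlv(cap, p)
            if ptag == 0x02:
                key_bits = int.from_bytes(pval, "big", signed=True)
        caps.append({"oid": oid, "name": ALGORITHMS.get(oid, "unknown"), "key_bits": key_bits})
    return caps


def choose_algorithm(recipient_caps: list, preference=PREFERENCE):
    """Highest algorithm in our preference list that the recipient advertises."""
    advertised = {c["oid"] for c in recipient_caps}
    for oid in preference:
        if oid in advertised:
            return ALGORITHMS[oid]
    return None


if __name__ == "__main__":
    caps = parse_smime_capabilities(SMIME_CAPABILITIES_DER)
    for c in caps:
        print(c)
    print("negotiated:", choose_algorithm(caps))
```

Run against the poster's certificate the parser shows RC2 (128-bit), RC4 (128-bit), DES and 3DES, and the negotiation lands on 3DES because that is the only entry both the certificate and the preference list contain. RC2, RC4 and single DES are legacy ciphers no current client should accept, so a certificate that advertises only these four forces every sender down to 3DES at best; a certificate issued today should carry the AES capabilities as well.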

A new question! I want to send an encrypted email from mohsen.farahani.123@live.com to arsham1989@gmail.com with Windows Mail. I used the destination's public key to send the email by adding the arsham1989@gmail.com certificate (with public key) to Windows Contacts. In the Sent box of Windows Mail, I can decrypt the email!!! Why? I sent it with the destination's public key and I didn't install the arsham1989@gmail.com private key on my local computer???

My examination showed that I can decrypt my sent email with both my own private key (mohsen.farahani.123@live.com) and the destination's private key (arsham1989@gmail.com)............!!!!!! Earlier, I thought that we can decrypt a sent email with the destination's private key... but now I can decrypt it with my own private key (mohsen.farahani.123@live.com)....!!!!

In my email account (mohsen.farahani.123@live.com) settings, in the Security tab, Encryption preferences section, I chose my mohsen.farahani.123@live.com certificate (this certificate contains the private key). I think this section needs my own certificate (with private key) to decrypt emails arriving from my friends... right?

How? Could you explain why I can see (decrypt) my sent email to the destination? This email was encrypted with the destination's public key... so I shouldn't be able to see the sent email because I don't have the arsham1989@gmail.com private key!!!

persia gulf for ever! hey google! change your behavior! google is inventor!
September 6th, 2009 11:39am

The reason for this is that you received an oversimplified description of how S/MIME works. When you encrypt an email, a symmetric algorithm is used (AES, DES, RC2, 3DES). The symmetric key is encrypted with the public key of *every* recipient of the message (this includes you, the sender of the message). Your copy of the email is kept in your Sent Items folder.

As for your other question, these are all OIDs representing different symmetric encryption algorithms. Google (or Bing) is the wise choice for researching them.

Brian
September 6th, 2009 4:18pm
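Editor's worked example (added here; not code from the thread or from Brian) of the envelope structure just described: one random content-encryption key protects the message, and that key is wrapped separately under every recipient's public key, the sender's own certificate included, which is why the Sent Items copy opens with the sender's private key. The `cryptography` package is assumed, and AES-GCM with RSA-OAEP stands in for the CBC ciphers and RecipientInfo encoding of a real CMS EnvelopedData; the addresses and message are made up.

```python
"""Multi-recipient envelope: why the sender can read their own sent mail.

Added example (not from the thread) using the `cryptography` package.
AES-GCM + RSA-OAEP stand in for the CMS EnvelopedData structure S/MIME
actually uses; addresses and message text are constructed samples.
"""
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Padding used to wrap the content-encryption key for each recipient.
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()), algorithm=hashes.SHA256(), label=None)


def new_key() -> rsa.RSAPrivateKey:
    """A fresh key pair; stands in for one user's certificate + private key."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def seal(plaintext: bytes, recipients: dict) -> dict:
    """Encrypt once, then wrap the symmetric key for every address.

    `recipients` maps e-mail address -> RSA public key. A mail client adds
    the sender's own certificate to this map before sealing."""
    cek = AESGCM.generate_key(bit_length=256)  # content-encryption key
    nonce = os.urandom(12)
    body = AESGCM(cek).encrypt(nonce, plaintext, None)
    wrapped = {addr: pub.encrypt(cek, OAEP) for addr, pub in recipients.items()}
    return {"nonce": nonce, "body": body, "recipients": wrapped}


def open_envelope(envelope: dict, address: str, private_key: rsa.RSAPrivateKey):
    """Unwrap the key with one recipient's private key and decrypt the body.

    Returns None when the address is not in the envelope or the private key
    does not match the public key the CEK was wrapped under."""
    blob = envelope["recipients"].get(address)
    if blob is None:
        return None
    try:
        cek = private_key.decrypt(blob, OAEP)
    except ValueError:  # OAEP unwrap fails with the wrong private key
        return None
    return AESGCM(cek).decrypt(envelope["nonce"], envelope["body"], None)


if __name__ == "__main__":
    sender, recipient = new_key(), new_key()
    env = seal(
        b"meet at noon",
        {"user1@example.com": sender.public_key(), "user2@example.com": recipient.public_key()},
    )
    print("wrapped for:", sorted(env["recipients"]))
    print("sender reads sent copy:", open_envelope(env, "user1@example.com", sender))
    print("recipient reads mail:  ", open_envelope(env, "user2@example.com", recipient))
```

The envelope carries the body once and the wrapped key twice, one copy per address. Leaving the sender's own certificate out of the recipient map produces mail the sender can never reopen, which is exactly the behaviour the question expected and real clients avoid; the same structure also means that losing a non-exportable private key makes every stored message addressed to it unreadable.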

This topic is archived. No further replies will be accepted.
