Encrypted Email - Certificates and Exchange / AD
Hi Everyone,

I have a group of users who share a generic inbox... they want to "receive" encrypted emails from another organization. We have the digital certificate... my question is:

Can I simply "add the certificate" to the generic email address within Active Directory (there is a certificates tab in AD)... would the generic email address then be able to receive emails from this external company (who have the same certificate)?

Or would I be better off purchasing more certificates for these users and installing the certificate within their Outlook client? (Would this be possible, because they would be opening a shared inbox?) I don't want this to affect their individual inboxes / AD / email accounts.

Any suggestions? (As much info as possible would be great.)

Thanks,
Luke.
December 14th, 2009 8:05am

You are saying that your users need to just RECEIVE encrypted email, then your users do not need any certificate of their own for the email exchange. They would just need to validate the certificate which has signed the messages they receive. So no, you will need to make the certificate authority which issued the certificate trusted on all client computers that are used to access the shared mailbox.

ondrej.
December 14th, 2009 1:39pm

Quoting ondrej: "You are saying that your users need to just RECEIVE encrypted email, then your users do not need any certificate of their own for the email exchange. They would just need to validate the certificate which has signed the messages they receive. So no, you will need to make the certificate authority which issued the certificate trusted on all client computers that are used to access the shared mailbox."

This is true if they need to verify a digital signature only. However, if they will be receiving encrypted email, they will need a certificate and a corresponding private key to decrypt the mail contents.

Luke, please describe your situation thoroughly, e.g.:
1) How many senders there are (from your description I assume one)
2) How many recipients there are (from your description I assume many)
3) How many recipient addresses there are (from your description I assume one)
4) Will the email be signed and encrypted, or signed only, or encrypted only (from your description I assume signed and encrypted)

Regards,
Martin Rublik
December 14th, 2009 5:59pm

Hi Guys,

Thank you for the reply. As far as I know:

- There will be one "email address" sending the email (however there might be three or four people that use that email account).
- There will be three recipients all sharing the same inbox / email address (that unit's generic email address) - there is only one address.
- The emails will be signed and encrypted.

The people "sending" the email have already purchased a "public certificate" to use for the purpose of email encryption; we are able to also order the same certificate if necessary.

Should they just install the certificate within Outlook? Or would it be better to upload this certificate into AD for that specific generic user account?

Any advice would be appreciated.

Kind regards,
Luke.
December 17th, 2009 4:07am

Hi, as I wrote earlier, in order to decrypt an email you need a certificate and the corresponding private key. So if you purchase a "public certificate", make sure that it will be exportable. Then you can import this certificate and the corresponding private key into the certificate store. Publishing the certificate into AD will not help.

So in general the workflow could look like this:
1) Request a certificate; make sure that it will be exportable.
2) Install the certificate on a machine (the same machine from where you have made the certificate request).
3) Export the certificate and private key; make sure you protect the private key with a strong password (http://technet.microsoft.com/en-us/library/cc737187(WS.10).aspx). You probably do not need strong private key protection; also, you should not delete the private key.
4) Import the certificate and private key into the other users' certificate store.

HTH
Martin
December 17th, 2009 11:13am

To encrypt, each of the users needs the certificate plus private key. Although the certificate can be stored elsewhere (such as the AD), the private key will have to be stored on each workstation where the users are using Outlook to encrypt the email.

ondrej.
December 17th, 2009 11:22am
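The point Martin and ondrej make in the replies above (a published certificate lets a sender encrypt, but only a copy of the private key on each workstation lets the shared-mailbox users decrypt) can be checked end to end with openssl. The script below is an added example, not something posted in the thread, and it uses a constructed self-signed certificate and a constructed password in place of the purchased certificate; `shared-inbox@example.invalid` is a placeholder address. It encrypts an S/MIME message with the certificate alone, shows that decryption with the certificate alone fails, shows that it succeeds with the private key, and then produces the password-protected PKCS#12 (.pfx) bundle that Martin's step 3 exports and step 4 imports on each user's machine.

```shell
#!/bin/sh
# Added example (not from the thread): S/MIME round trip with openssl showing
# why publishing the certificate into AD is not enough for a recipient.
set -eu

WORK="${TMPDIR:-/tmp}/smime-demo.$$"
mkdir -p "$WORK"

# 1) The shared mailbox's key pair and certificate. Self-signed here so the
#    example runs offline (assumption); in the real scenario this is the
#    purchased, exportable certificate.
make_recipient_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=shared-inbox/emailAddress=shared-inbox@example.invalid" \
        -keyout "$WORK/recipient.key" -out "$WORK/recipient.crt" 2>/dev/null
}

# 2) The external sender needs only the recipient's public certificate to encrypt.
encrypt_message() {
    printf 'confidential body\n' > "$WORK/plain.txt"
    openssl smime -encrypt -aes256 -in "$WORK/plain.txt" \
        -out "$WORK/encrypted.eml" "$WORK/recipient.crt"
}

# 3a) Decrypting with the certificate only (what AD publication gives a user)
#     fails: there is no private key to unwrap the content-encryption key.
decrypt_without_key() {
    if openssl smime -decrypt -in "$WORK/encrypted.eml" \
        -recip "$WORK/recipient.crt" >/dev/null 2>&1; then
        echo "unexpected: decrypted without a private key"
        return 1
    fi
    echo "certificate-only decrypt failed, as expected"
}

# 3b) Decrypting with certificate plus private key succeeds.
#     S/MIME canonicalises line endings to CRLF, so strip the CR on output.
decrypt_with_key() {
    openssl smime -decrypt -in "$WORK/encrypted.eml" \
        -recip "$WORK/recipient.crt" -inkey "$WORK/recipient.key" | tr -d '\r'
}

# 4) Export certificate + private key as a password-protected PKCS#12 (.pfx),
#    the bundle each user's workstation imports into its certificate store.
export_pfx() {
    openssl pkcs12 -export -in "$WORK/recipient.crt" -inkey "$WORK/recipient.key" \
        -out "$WORK/recipient.pfx" -passout "pass:$1"
}

# 5) Check the bundle really carries the private key; a .pfx without it would
#    reproduce the "certificate only" failure above on every workstation.
pfx_has_private_key() {
    openssl pkcs12 -in "$WORK/recipient.pfx" -nocerts -nodes -passin "pass:$1" 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Stand-alone run (constructed password; use a real strong one for a real export).
make_recipient_cert
encrypt_message
decrypt_without_key
decrypt_with_key
export_pfx 'Constructed-Passw0rd!'
pfx_has_private_key 'Constructed-Passw0rd!' && echo "pfx carries the private key"
```

The exported .pfx is the single artefact that has to reach all three workstations; the certificate on its own, whether in AD or in Outlook, only helps the sending side.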
