Wednesday, November 21, 2012 3:19 PM
I would like to ask some questions regarding managing user and webserver certificates and key pairs that are issued from a trusted third party certification authority. If a PKI infrastructure using an enterprise CA was deployed in the organization, we could issue/revoke/archive/backup certificates and be able to use the CA database for recovery. Is it possible to centrally store and manage (backup/archive) certificates that are issued from a third party certification authority using Windows utilities? AD is Windows2008R2.
I also understand that we can use the Certificates MMC snap-in to manage certificates, but I would be greatful if someone clarified where certificates and keys are located.
Finally as we plan to use a PKI infrastructure with Exchange Server 2010 for mail encyption/signing, I would like some information on how this can be implemented using user certificates issued by a third party CA.
Thank you in advance.
- Changed Type K_evin ZhuMicrosoft Contingent Staff, Moderator Tuesday, November 27, 2012 3:29 AM
Thursday, November 22, 2012 10:00 AM
Users and computers certificates and related keys are primarily stored locally in each user profile and in each machine store. Private keys can be backed up to a CA at the time of request but not after that!
You can configure AD to roam user certificates and keys regardless who issued the certificate. This will give you a good recovery method if the local profile is corrupted or a certificate is deleted locally bu the user. Read more on Credentials Roaming: http://technet.microsoft.com/en-us/library/cc773373(v=ws.10).aspx
Regarding mail encryption/signing, you need:
- A certificate that supports S/MIME capabilities and includes your user's email address
- The third party CA must be trusted by all clients
- The user certificate needs to be published to user's AD object to be available for other users through the global address list in AD
- Marked As Answer by K_evin ZhuMicrosoft Contingent Staff, Moderator Tuesday, November 27, 2012 3:29 AM
- Unmarked As Answer by nikolas85 Friday, November 30, 2012 9:39 AM
- Marked As Answer by nikolas85 Friday, November 30, 2012 9:40 AM
- Unmarked As Answer by nikolas85 Friday, November 30, 2012 9:51 AM
- Marked As Answer by nikolas85 Friday, November 30, 2012 9:57 AM
Friday, November 30, 2012 9:57 AM
Thank you for your answer, it was really helpful! I am sorry for my late reply; I was busy with other tasks. Although I read various documents regarding Credential Roaming implementation and troubleshooting, I still don’t understand how I can manage the certificates replicated on the AD. With credential roaming if there has been a modification of the certificates in the local store or the user object in Active Directory, the changes are either downloaded to the store or uploaded to Active Directory, however I do not understand where certificates are stored on the AD. Is there an interface/snap-in being created after credential roaming has been implemented to manage all certificates? (I remind you that we do not have an enterprise CA issuing certificates but a third party certification authority)
I have another question regarding your answer. What do you mean by saying “The user certificate needs to be published to user's AD object to be available for other users through the global address list in AD”? How can I do that? How can I publish a user certificate to the user’s AD object and what is the global address list in AD?
Thank you in advance
Tuesday, December 04, 2012 10:23 AM
Credential Roaming is a synchronization method that uses properties on the users AD object to store information. To manage any certificates and keys you need to logon as that user on any domain member and all certificates and keys will be synchronized and available using the certificate management MMC sanp-in.
The Global Address List (GAL) also known as Microsoft Exchange Global Address Book is a directory service within the Microsoft Exchange email system. The GAL contains information for all email users, distribution groups, and Exchange resources. The GAL uses information form objecta in AD such as email addresses and users certificates. You can either use certmgr.msc MMC snap-in or outlook to publish a user certificate used for secure e-mail to GAL(AD).
Using the certificate MMC snap-in, look for the "Active Directory User Object" in the left navigation list!
- Marked As Answer by nikolas85 Monday, December 10, 2012 11:09 AM
Monday, December 10, 2012 11:09 AM
Thank you for your answer, it was helpful and clarified things. I may use the Credential Roaming feature, although I was looking for a service allowing for centralized management of domain certificates issued by a third party certification authority. If I get it right, credential roaming does replicate the certificates on the Active Directory user objects but in order to manage those certificates an administrator needs to connect to a domain member using the user's credentials; that would be difficult in a large organization and does not seem to enable a central point of management for all domain certificates.