Domain and Exchange migration. How to deal with S/MIME certificates

    Question

  • Hi, we are migrating some users from one forest/Exchange org to another. In the old forest they use S/MIME digital IDs (issued by an internal Enterprise root CA) for signing and encrypting email. In the new forest they will not need to sign and encrypt any new emails, but they will need to be able to read encrypted emails migrated over from the old infrastructure.

    I have played around with exporting a recipient's S/MIME certificate (including private key) from the certificate store of their old PC into the certificate store of their new PC, and they are able to read migrated encrypted emails fine.

    However, presumably when the certificate reaches its expiry date it will not be able to renew because the old CA will be unreachable. Will this cause the encrypted mail to be unreadable, or will the recipient just get a warning message?

    We do already have an existing Enterprise root CA in the target forest, so I wonder is there a way to export/import the relevant S/MIME digital IDs over to that somehow?

    Thanks for any help on this...

    Edit: I just set the clock forward, on the test user's PC, past the cert expiry date and am still able to read the encrypted emails (since the expired cert is still in the cert store of the PC). So I think this is a workable solution. (I suppose if we did ever need S/MIME encryption on new emails, post-migration, then we just get users to enroll a new cert off the new CA...)



    • Edited by Ansev Monday, January 11, 2016 4:33 PM more info
    Monday, January 11, 2016 3:20 PM
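The export/import described in the question, written out as an added PowerShell example (this is not code from the original post). It runs in two halves: `Export-SmimeDigitalId` on the old PC as the user, `Import-SmimeDigitalId` on the new PC after the output folder has been copied across. It assumes the private key was issued as exportable (the template's "Allow private key to be exported" setting; a non-exportable key cannot be moved this way) and that the old root CA certificate is trusted on the new PC, which it does by exporting that root alongside the PFX. The e-mail address and paths are constructed values. Expired certificates are deliberately included in the export, since they are exactly the ones needed to decrypt old mail; a certificate cannot be "moved" to the new forest's CA, only re-enrolled there.

```powershell
# Added example, not from the original post. Assumes an exportable private key;
# e-mail address and paths below are constructed placeholders.

function Export-SmimeDigitalId {
    param(
        [string]$Email  = 'alice@old-forest.example',                 # assumed
        [string]$OutDir = "$env:USERPROFILE\Desktop\smime-migration"   # assumed
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

    # Every cert in the user's personal store that has a private key and the
    # Secure Email EKU (1.3.6.1.5.5.7.3.4) for this address, expired or not.
    $smimeCerts = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.4') -and
        ($_.GetNameInfo('EmailName', $false) -ieq $Email)
    }
    if (-not $smimeCerts) { throw "No S/MIME certificate with a private key found for $Email" }

    foreach ($cert in $smimeCerts) {
        $state = if ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED' } else { 'valid' }
        Write-Host ('{0}  expires {1:u}  [{2}]' -f $cert.Thumbprint, $cert.NotAfter, $state)
        # One PFX per certificate. The PFX holds the private key: treat it like
        # a password, and delete it once it has been imported on the new PC.
        $pfx = Join-Path $OutDir "$($cert.Thumbprint).pfx"
        Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $pfxPassword `
            -ChainOption EndEntityCertOnly | Out-Null
    }

    # The old root CA certificate, taken from the built chain of the first cert.
    # Revocation is not checked here because the old CRL may already be gone.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($smimeCerts[0])
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Export-Certificate -Cert $root -FilePath (Join-Path $OutDir 'old-root-ca.cer') | Out-Null
}

function Import-SmimeDigitalId {
    param([string]$InDir = "$env:USERPROFILE\Desktop\smime-migration")   # assumed
    $pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

    # Trust the old root machine-wide (elevated prompt; at scale, push it via
    # GPO instead), then load the digital IDs into the user's personal store.
    Import-Certificate -FilePath (Join-Path $InDir 'old-root-ca.cer') `
        -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Get-ChildItem (Join-Path $InDir '*.pfx') | ForEach-Object {
        Import-PfxCertificate -FilePath $_.FullName -CertStoreLocation Cert:\CurrentUser\My `
            -Password $pfxPassword | Out-Null
    }
}

# Old PC:  Export-SmimeDigitalId
# New PC:  Import-SmimeDigitalId   (after copying the folder across)
```

The expired-certificate observation in the edit above is what this relies on: decrypting a stored message only needs the private key that matches the certificate the sender encrypted to, so the validity period does not stop Outlook from opening old mail once the key is back in the store.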

Answers

  • I believe that if the certificate root is still trusted by the client machines and they still have the client certificates, then everything should continue to work as before. However, one problem you may run into is that the CRL will no longer be available, so you might have to publish it to the same location.

    You might want to ask about this in a Certificate Services forum because it's really that kind of question. Exchange doesn't really get involved in this kind of encryption and decryption; it's handled on the client.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    • Proposed as answer by Allen_WangJFModerator Tuesday, January 12, 2016 5:58 AM
    • Marked as answer by Ansev Thursday, January 14, 2016 2:36 PM
    Monday, January 11, 2016 8:20 PM
    Moderator
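The two conditions in the answer (old root still trusted, CRL still reachable) can be checked on the new PC rather than waited for as a client error. The added PowerShell below, which is not code from the answer, builds the chain for each migrated S/MIME certificate with online revocation checking and reports whether the failure, if any, is an untrusted root, an unreachable CRL, or only expiry. It also lists the CRL distribution point URLs the old CA wrote into the certificates, which are the locations a copy of the CRL would have to be republished to. The e-mail address is a constructed value.

```powershell
# Added example, not from the original answer. E-mail address is a placeholder.

function Test-MigratedSmimeCert {
    param([string]$Email = 'alice@old-forest.example')   # assumed

    $certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.4') -and
        ($_.GetNameInfo('EmailName', $false) -ieq $Email)
    }

    foreach ($cert in $certs) {
        # Online revocation for the whole chain, so a missing CRL is reported
        # as RevocationStatusUnknown / OfflineRevocation instead of being skipped.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $chain.ChainPolicy.RevocationFlag = 'EntireChain'
        [void]$chain.Build($cert)
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status.ToString() }) -join ', '

        # CRL Distribution Points extension (OID 2.5.29.31), as issued by the old CA.
        $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        $crlUrls = @()
        if ($cdp) {
            $crlUrls = [regex]::Matches($cdp.Format($true), '(?i)\b(https?|ldap)://\S+') |
                ForEach-Object { $_.Value }
        }

        [pscustomobject]@{
            Thumbprint   = $cert.Thumbprint
            Expired      = ($cert.NotAfter -lt (Get-Date))
            RootTrusted  = -not ($status -match 'UntrustedRoot|PartialChain')
            CrlReachable = -not ($status -match 'RevocationStatusUnknown|OfflineRevocation')
            ChainStatus  = $(if ($status) { $status } else { 'OK' })
            CrlUrls      = ($crlUrls -join ' ')
        }
    }
}

Test-MigratedSmimeCert | Format-List
```

A result of `Expired = True` with `RootTrusted = True` and `CrlReachable = True` is the state the original poster tested into by moving the clock forward; `RootTrusted = False` means the old root never made it into the new PC's trusted store, and `CrlReachable = False` with non-empty `CrlUrls` is the case the answer warns about, where the listed URLs no longer resolve from the new forest.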

All replies

  • Thanks Ed!
    Thursday, January 14, 2016 2:36 PM
  • You're welcome.  Happy to have helped.

    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Celebrating 20 years of providing Exchange peer support!

    Thursday, January 14, 2016 5:14 PM
    Moderator