Creating validated certificate for smime in local ca

    Question

  • Hi all,

    I have deployed an enterprise CA server on Server 2012 R2 and I created a certificate template for secure mail and published it to the domain. Clients could access the S/MIME certificate and set up their Outlook clients themselves. They can send email with the digital certificate that the local CA published, and the certificate looks validated in our domain. But the local certificate looks not validated on outside domains (e.g. Hotmail, Gmail) when a client sends mail with the local certificate. It is normal behavior, because this certificate is not validated by a public CA PKI. I want to make a validated secure mail certificate via our local certificate authority. There are hundreds of users in the domain and we would need to buy a lot of secure mail certificates, one for each user, and this would be a very difficult process. Can I build a validated PKI in my domain? Or can I set another root authority (DigiCert, VeriSign) for creating the secure mail template?

    Thanks in advance


    • Edited by CAN BOLAT Saturday, November 12, 2016 9:36 PM ca
    Saturday, November 12, 2016 9:35 PM

All replies

  • Hi,

    Did you install this S/MIME certificate in the Trusted Root CA store?
    If so, domain-joined clients will get this certificate from the CA, then the Outlook client can get a digital ID and encrypt messages.
    If not, we need to download this certificate, then copy and install it on the client.

    Meanwhile, if this certificate is issued by an internal CA, you need to download it, then copy and install it on the external client. Here's a link about the different types of certificate:
    https://technet.microsoft.com/en-us/library/dd351044(v=exchg.160).aspx

    Reference link about S/MIME:
    S/MIME for message signing and encryption
    Set up virtual certificate collection to validate S/MIME

    Best Regards,

    Allen Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 16, 2016 5:57 PM
    Moderator
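The steps Allen describes above (install the internal root CA on the client, then let the S/MIME certificate chain to it) as an added PowerShell example. This is not code from the thread or from Microsoft; the CA subject name, file paths and store locations are assumptions, and the chain check at the end uses .NET's X509Chain with the emailProtection EKU so the result matches what Outlook will see:

```powershell
# Added example: make an internal root CA trusted on a non-domain-joined Windows
# client so that S/MIME signatures issued by that CA validate there.
# The CA subject, file path and e-mail EKU filter below are assumptions.

# --- Step 1, on any domain-joined machine: export the enterprise root CA cert.
$rootSubject = 'CN=Contoso Root CA'            # assumed subject of your root CA
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $rootSubject }
if (-not $root) { throw "Root CA '$rootSubject' not found in LocalMachine\Root" }
Export-Certificate -Cert $root -FilePath C:\Temp\ContosoRootCA.cer -Type CERT | Out-Null

# Optional: publish it into Active Directory so domain-joined clients pick it
# up automatically via Group Policy (this is why in-domain users need no action).
certutil -dspublish -f C:\Temp\ContosoRootCA.cer RootCA

# --- Step 2, on the external / non-domain client (elevated prompt):
# install the root into the machine-wide Trusted Root store. Every certificate
# issued by this CA, including each user's S/MIME cert, now chains successfully.
Import-Certificate -FilePath C:\Temp\ContosoRootCA.cer `
                   -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# --- Step 3: verify an S/MIME certificate the same way a mail client does:
# build the chain, require the emailProtection EKU, and check revocation.
function Test-SmimeCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $emailProtection = '1.3.6.1.5.5.7.3.4'    # id-kp-emailProtection EKU OID
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ApplicationPolicy.Add(
        (New-Object System.Security.Cryptography.Oid $emailProtection))
    $chain.ChainPolicy.RevocationMode = 'Online'

    $ok = $chain.Build($Cert)
    $last = $chain.ChainElements.Count - 1
    [pscustomobject]@{
        Subject  = $Cert.Subject
        ChainsOK = $ok                                   # $false => Outlook shows "not trusted"
        Status   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        Root     = if ($last -ge 0) { $chain.ChainElements[$last].Certificate.Subject } else { '' }
    }
}

# Pick the first certificate in the user's personal store that carries the
# emailProtection EKU (the one the secure-mail template issued) and test it.
$signer = Get-ChildItem Cert:\CurrentUser\My |
          Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.4' } |
          Select-Object -First 1
if (-not $signer) { throw 'No S/MIME certificate found in CurrentUser\My' }
Test-SmimeCertificate -Cert $signer
```

Run Step 3 before Step 2 on an outside machine and `ChainsOK` is `$false` with a `UntrustedRoot` status; after Step 2 it is `$true`. The check passes only on clients where the root has been installed, which is exactly the limitation the original poster is running into with Hotmail and Gmail recipients.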
  • Hi Allen, thank you for the reply. Clients who are members of the domain don't need to install or validate the digital certificate created in the domain. But users who aren't members of the domain need to install the digital certificate into their Trusted Root CA store manually. Can I use a third-party root and create an intermediate certificate template together?

    Friday, November 18, 2016 9:46 PM
  • Hi,

    Sorry for delay.

    Correct, we need to manually install the certificate if it is issued by an internal CA, for external clients or non-domain-joined clients.

    What's the meaning of "third party root and create intermediate certificate template together"? Please post more details for further assistance.

    Best Regards,

    Allen Wang



    Friday, November 25, 2016 2:39 AM
    Moderator
  • Hi Allen, thank you for your comment,

    for example ;

    I have hundreds of users in the organization and I want to use a digital signature for each user's mail. If I don't use the local CA for S/MIME, I will have to buy a public digital signature certificate for each user for S/MIME; it means I have to buy 300 DigiCert certificates validated by a public CA (like Comodo). If I use a public CA for S/MIME, when I send mail to a user (one not in my organization, like Hotmail, Gmail or a different domain), the recipient won't get a certificate error in their Outlook client, because the S/MIME certificate is validated by a public CA and all public root certificates have been added to the Windows root CA store (by default). But if I send mail to a user with my local CA, the recipient will get a certificate error (it will say this certificate is not validated, you have to install this certificate on your computer, etc.). How can I sign these certificates via the local CA as a public one? Thanks in advance

    Wednesday, February 1, 2017 1:48 PM