.LOCAL domain + Internal PKI. Need external encrypted email. Help me visualize what I need to make this work.

  • Question

  • Dear security experts,

    We have a .local AD infrastructure and internal PKI (offline Root and online Issuing). We also have an Exchange 2013 server and a wildcard SSL cert for our .com. We need to do some public key exchanging with the outside world, to a specific client for encrypted emails and digital signing.

    I need to come up with a solution where all of our users can not only encrypt and digitally sign emails internally, but I am hoping you can help me understand what I need to order from a cert. vendor so that we can exchange public certs. with the client in question, possibly even leveraging our internal PKI system. Does the .local domain impede our goal? Or does that just get added as a Subject Alternative Name to our .com/wildcard SSL cert?

    Confused but optimistic about your advice.

    Thanks a million!

    Monday, June 19, 2017 1:07 PM

All replies

  • I can start to stab!

    .local won't resolve outside - so what is the name of your .com that you have a wildcard for?

    Seems you'd want to have a registered .com name to use for your Exchange server's FQDN so that the outside world can find you in the first place.

    EKU for the certificate should be Server Authentication. Check your wildcard cert for that if you end up using it. I expect you read the pros and cons of using wildcard certs when you ordered yours.

    Build your Exchange Server in a new <name>.com domain and probably add a netted IP to your external DNS server that routes back to your Exchange server. That's one way - but it, of course, depends on what you're doing and what you're calling what.

    -bill

    Monday, June 19, 2017 8:40 PM
  • The short answer is no, having .local infrastructure shouldn't matter. When you issue a secure email certificate you will include the email address in the subject name, which it will pull from AD (that Exchange populated) when using an Internal CA, or will be part of the request if using an external CA.

    Whilst an internal CA will work perfectly fine for internal/internal messages, you will have issues when you communicate with external parties. This will be due to external parties not trusting your CA. You will either need to get them to install the root of your CA (which is not likely) or use a trusted third party CA (e.g. Entrust, Symantec, etc.).

    A bit more info on the internal CA route: S/MIME Configuration (https://msdn.microsoft.com/en-us/library/dn643699.aspx)

    If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer"

    Georg Thomas | CISSP, CISM, CEH, GIAC, MCSE (Security), MVP Twitter @georgathomas This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Tuesday, June 20, 2017 7:27 AM
    I think I'm beginning to understand, so thank you for your replies Bill and George! We use DigiCert and have a wildcard for our .com, and it's installed on our Exchange server and used on our public facing sites already.

    Should I just "renew" or make a request for a new .com wildcard cert. but add our Root CA's .local name in there as a Subject Alternate Name?

    Tuesday, June 20, 2017 2:08 PM
  • You won't be able to request a .local as a SAN through DigiCert (or any other external CA for that matter - see here: https://www.digicert.com/internal-names.htm)

    I think there's some confusion, however.

    If we are talking about digital signing/encryption of email (using S/MIME), i.e. these options:

    [image: the Sign/Encrypt options, not preserved]

    Then this is achieved using a secure email certificate, which is assigned to each individual user. Or are you talking about TLS (server to server encryption, transparent to the user)?

    If it's the option that enables you to Sign/Encrypt as above, you need to look at S/MIME certificates and you don't need to put your .local domain into them, they just need to match the email address.

    See here: https://www.digicert.com/client-certificates/

    If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer"

    Georg Thomas | CISSP, CISM, CEH, GIAC, MCSE (Security), MVP Twitter @georgathomas This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Wednesday, June 21, 2017 12:36 AM
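A way to check the point made above (an S/MIME certificate must carry the user's email address as an rfc822Name SAN and the Email Protection EKU, and must not carry .local names that a public CA will not issue), as an added example that is not part of this thread. It uses the Python `cryptography` library; the `check_smime_cert` / `make_test_cert` helpers, the mailbox names and the list of internal suffixes are all constructed for the example.

```python
"""Check whether an X.509 certificate fits a mailbox for S/MIME signing/encryption."""
import datetime
from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa

# Suffixes public CAs refuse to issue (assumed list for this example; .local is the thread's case).
INTERNAL_SUFFIXES = (".local", ".internal", ".lan")


def check_smime_cert(cert: x509.Certificate, mailbox: str) -> list:
    """Return a list of problems; an empty list means the cert is usable for this mailbox."""
    problems = []
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.EMAIL_PROTECTION not in eku:
            problems.append("EKU lacks emailProtection (1.3.6.1.5.5.7.3.4)")
    except x509.ExtensionNotFound:
        problems.append("no extendedKeyUsage extension")
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        problems.append("no subjectAltName extension")
        return problems
    emails = [e.lower() for e in san.get_values_for_type(x509.RFC822Name)]
    if mailbox.lower() not in emails:
        problems.append(f"rfc822Name SAN {emails} does not contain {mailbox}")
    # Mail clients match on the email address; a .local dNSName only makes a public CA reject the request.
    for host in san.get_values_for_type(x509.DNSName):
        if "." not in host or host.lower().endswith(INTERNAL_SUFFIXES):
            problems.append(f"internal name {host!r} in SAN: a public CA will not issue it")
    return problems


def make_test_cert(mailbox: str, dns_names=(), smime_eku: bool = True) -> x509.Certificate:
    """Build a self-signed certificate as constructed test data (not a real issuance)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.datetime.now(datetime.timezone.utc)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, mailbox)])
    san = [x509.RFC822Name(mailbox)] + [x509.DNSName(d) for d in dns_names]
    eku = ExtendedKeyUsageOID.EMAIL_PROTECTION if smime_eku else ExtendedKeyUsageOID.SERVER_AUTH
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
               .add_extension(x509.SubjectAlternativeName(san), critical=False)
               .add_extension(x509.ExtendedKeyUsage([eku]), critical=False))
    return builder.sign(key, hashes.SHA256())
```

Run `check_smime_cert` against a certificate loaded with `x509.load_pem_x509_certificate` to vet what a CA actually issued before handing it to users.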
  • Hi,

    I am checking to see if the problem has been resolved. If there's anything you'd like to know, please feel free to ask.

    Best Regards
    Cartman
    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, July 4, 2017 9:09 AM
    Moderator