Re: Win2003 CA certificates with Outlook2003
From: Anand Abhyankar [MS] (ananda_at_online.microsoft.com)
Date: 10/12/04
- Next message: Seekyouwillfind: "Re: Win2003 CA certificates with Outlook2003"
- Previous message: Jerry Bryant [MSFT]: "Microsoft Security Bulletins for October 12, 2004"
- In reply to: Seekyouwillfind: "Re: Win2003 CA certificates with Outlook2003"
- Next in thread: Seekyouwillfind: "Re: Win2003 CA certificates with Outlook2003"
- Reply: Seekyouwillfind: "Re: Win2003 CA certificates with Outlook2003"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 12 Oct 2004 11:29:38 -0700
1. The possible reason that you are not able to export the pfx (p#12) is
because the private key is NOT marked exportable.
2. Since you can see the certificate in MMC, can you double click on the
certificate, go to Details tab and tell me the details of the 'Certificate
Template Information' field (I need the template name) and the Enhanced Key
Usage that is listed?
3. On the General tab, under the validity period do you see a message 'You
have a private key that corresponds to this certificate'?
--
Thanks,
Anand Abhyankar [MS]

----
This posting is provided "AS IS" with no warranties, and confers no rights.

"Seekyouwillfind" <seekyouwillfind@news.postalias> wrote in message
news:enu5IPIsEHA.376@TK2MSFTNGP14.phx.gbl...
> You mentioned: When you go to Tools->Options->Security don't click
> Import/Export. Instead just configure Outlook to use a certificate by
> clicking 'Settings'.
>
> This is what we did but nothing shows up in there at all. We go into
> security settings, shows us the default security name of the profile that
> belongs to the OLD Verisign certificate. So on that same tab we go to
> Certificates and algorithms and pick CHOOSE for either the signing or
> encryption certificate. In there ONLY our Verisign Certificate shows up.
> There is nothing we can do to get Outlook to see the cert generated from our
> CA server and accepted on this PC. However if we go into Internet Explorer's
> certificate page BOTH show up. If we go into XP's certificate section using
> the MMC Certificate snap-in, in the personal Certs section we see BOTH
> certificates. Go back into Outlook, we ONLY see ONE. Doesn't matter how many
> reboots we do we can not see it.
>
> Furthermore, when we got the Verisign Cert we were able to go into Internet
> Explorer and EXPORT that out as a *pfx file that could easily be imported
> into Outlook (let's say the same user's laptop) so it was portable. With the
> cert from our CA, even though we stated let the keys be exportable, we can
> not get this cert exported to a file that Outlook can read at all. Outlook
> will not read the generated *.cer file. We just don't understand why the
> option to export to a #12 type PKCS file is grayed out. Actually we don't
> understand what is wrong at all. This should work!
>
> "Anand Abhyankar [MS]" <ananda@online.microsoft.com> wrote in message
> news:eKVhB3HsEHA.2776@TK2MSFTNGP14.phx.gbl...
>> To troubleshoot Web Enrollment check:
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
>>
>> Once you have enrolled for a certificate you don't have to import it to
>> Outlook. When you go to Tools->Options->Security don't click Import/Export.
>> Instead just configure Outlook to use a certificate by clicking 'Settings'.
>>
>> BTW, if you are using all XP clients then you can use a feature called
>> auto-enrollment instead of using the web page based certificate enrollment.
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
>>
>> --
>> Thanks,
>> Anand Abhyankar [MS]
>>
>> ----
>> This posting is provided "AS IS" with no warranties, and confers no rights.
>>
>> "Seekyouwillfind" <seekyouwillfind@news.postalias> wrote in message
>> news:O6YEJdFsEHA.2764@TK2MSFTNGP11.phx.gbl...
>> > Win2003 CA certificates with Outlook2003
>> >
>> > I am going insane trying to figure out why I can't generate digital
>> > certificates from our Certificate authority that our Outlook 2003 email
>> > client can use for encrypting and signing email.
>> >
>> > We had these clients using Verisign ID's Imported into Outlook from *.pfx
>> > files PKCS #12 type. These worked great but they are a pain in the butt to
>> > manage and renew for 50 plus users.
>> >
>> > Since we recently upgraded to Win2003 server I decided we would replace all
>> > these with certificates we generate internally. Was supposed to be a simple
>> > thing to do. 3 days later I'm about to commit suicide.
>> >
>> > We Installed this CA as the Enterprise Root and implemented the web
>> > enrollment. Everything looked like it went well per the docs. However
>> > when, as an end user, we get to cert web page it does not look like the
>> > documentation.
>> >
>> > We can submit a request for a certificate but in the docs we see the
>> > options being:
>> >
>> > Web Browser Certificate
>> >
>> > Email Protection Certificate
>> >
>> > But we don't get this. We just get User Certificate Option.
>> >
>> > I thought this was because we didn't have all the templates loaded but
>> > there is no template that provides these options.
>> >
>> > Further research concludes that the user template creates a cert that is
>> > appropriate for our needs, meaning it provides for Secure email and
>> > signing, (which is all we really need).
>> >
>> > The cert completes fine and when the user goes back to accept (using
>> > Internet Explorer) the certificate is installed on the PC and can be seen
>> > in IE, and at the XP Pro level using the Certificate MMC plugin. When we
>> > view the cert everything looks right and the options for secure email,
>> > signing and files encryption are there. However when we open Outlook and go
>> > into security settings we can not get this certificate to be seen or loaded
>> > at all.
>> >
>> > We did have some difficulty with Verisign Certs with this as well BUT with
>> > Verisign once the Cert was in IE and XP we were able to export this thing
>> > to a *.PFX file and then use Outlook's Digital ID Import function to import
>> > the ID into Outlook.
>> >
>> > With Our Internal generated Certificates we can not do this. IE or the
>> > Cert MMC plugin export wizard will not give us an option to export this cert
>> > in a format that Outlook can see. PKCS #12 *.PFX is greyed out and we can
>> > not pick.
>> >
>> > We can export as a CER or P7B and that's it. Outlook will not read either.
>> >
>> > We have tried generating user certificates from our CA in different ways
>> > but nothing works. We have read tons of info from MS website on certificate
>> > Authority, most of it is very complicated and not applicable. We are just
>> > trying to do this one simple thing.
>> >
>> > That is we want to create our own internal certificates that our Outlook
>> > 2003\Exchange2003SP1 users can use to sign email and to encrypt email
>> > between each other. I have no idea how this has gotten so complicated and
>> > why ONLY IE is seeing the certificate.
>> >
>> > One big point of confusion is why XP, IE, and active directory can all see
>> > the person's internal certificate but Outlook can not???
>> >
>> > Any thoughts? Any way to simplify this??
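
The three checks asked for at the top of this reply (private key present, key marked exportable, template name and Enhanced Key Usage) can be read from the current user's Personal store in one pass. This is an added example, not part of the original thread; it assumes Windows PowerShell 5.1 and a private key held in a CryptoAPI (CSP) provider, and the OIDs are the standard Microsoft template and Secure Email values.

```powershell
# Added example: read-only report on every certificate in the current user's
# Personal store, covering the three checks listed in the reply.
$secureEmailOid  = '1.3.6.1.5.5.7.3.4'     # Secure Email (emailProtection) EKU
$templateInfoOid = '1.3.6.1.4.1.311.21.7'  # "Certificate Template Information" (v2 templates)
$templateNameOid = '1.3.6.1.4.1.311.20.2'  # "Certificate Template Name" (v1 templates)

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # Check 2a: which template issued the certificate
    $tmplExt = $cert.Extensions |
        Where-Object { $_.Oid.Value -in $templateInfoOid, $templateNameOid } |
        Select-Object -First 1
    $template = if ($tmplExt) { $tmplExt.Format($false) } else { '(no template extension)' }

    # Check 2b: Enhanced Key Usage. No EKU extension means "all purposes".
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekuOids  = @(if ($ekuExt) { $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    $ekuNames = if ($ekuExt) {
        ($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', '
    } else { '(none listed: all purposes)' }
    $emailOk = (-not $ekuExt) -or ($ekuOids -contains $secureEmailOid)

    # Checks 1 and 3: is there a private key, and is it marked exportable?
    $exportable = 'n/a (no private key)'
    if ($cert.HasPrivateKey) {
        try {
            $info = $cert.PrivateKey.CspKeyContainerInfo
            $exportable = if ($info) { $info.Exportable } else { 'unknown (not a CSP key)' }
        } catch {
            $exportable = 'unknown (key could not be opened)'
        }
    }

    [pscustomobject]@{
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        Template          = $template
        EnhancedKeyUsage  = $ekuNames
        SecureEmailUsable = $emailOk
        HasPrivateKey     = $cert.HasPrivateKey
        KeyExportable     = $exportable
    }
} | Format-List
```

A certificate that reports `KeyExportable : False` is the case in which the export wizard greys out the PKCS #12 option.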