Re: Win2003 CA certificates with Outlook2003

From: Seekyouwillfind (seekyouwillfind_at_news.postalias)
Date: 10/12/04


Date: Tue, 12 Oct 2004 15:18:05 -0400

Thanks for your quick write back

Here are your answers

1. Yes, we agree with you on this point, that's probably the root of it, but
what we don't understand is why. Trust me, we are EXPLICITLY checking the
"Allow private keys to be exported" box during the submission phase, but it's
becoming clear that the CA server isn't doing this. But why?

2. Template field is User, which is the only option it will give an end user
from the Web logon. But looking at the documentation, the User template should
work fine. It supports the 3 things, two of which is all we want.
As to the Enhanced Key Usage that is listed:
Encrypting File System (1.3.6.1.4.1.311.10.3.4)
Secure Email (1.3.6.1.5.5.7.3.4)
Client Authentication (1.3.6.1.5.5.7.3.2)

3. On the general tab under the validity period we do NOT see the message
you speak of at all.

Not sure if the root of the problem is that we have the CA and a Windows
2003 Standard domain controller. Much of the documentation talks about the
features this has on the Enterprise and Datacenter editions. What I would
like to do on the CA server is use the template editor, copy the User
template and make some property changes to it to ensure the options we want
are enabled. But I'm not sure this can be done on a Standard server, and even
if I did edit it, I really don't know how to change the Web enrollment
website to give that as an option anyway.

Also, to answer something you asked earlier, the auto-enrollment looks
interesting, but unfortunately our 50 users are split down the middle: 25 on
XP, 18 on Win 2000 and even 7 users still on Win98SE (UGH), so I'm still
4-6 months away from being a pure XP Pro shop.

"Anand Abhyankar [MS]" <ananda@online.microsoft.com> wrote in message
news:%23itjvlIsEHA.3728@TK2MSFTNGP09.phx.gbl...
> 1. The possible reason that you are not able to export the pfx (p#12) is
> because the private key is NOT marked exportable.
>
> 2. Since you can see the certificate in MMC, can you double click on the
> certificate, go to Details tab and tell me the details of the 'Certificate
> Template Information' field (i need the template name) and the Enhanced
> Key Usage that is listed?
>
> 3. On the General tab, under the validity period do you see a message 'You
> have a private key that corresponds to this certificate'?
>
> --
> Thanks,
> Anand Abhyankar [MS]
>
> ----
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> "Seekyouwillfind" <seekyouwillfind@news.postalias> wrote in message
> news:enu5IPIsEHA.376@TK2MSFTNGP14.phx.gbl...
> > You mentioned: When you go to Tools->Options->Security don't click
> > Import/Export.
> >> Instead just configure Outlook to use a certificate by clicking
> >> 'Settings'.
> >
> > This is what we did but nothing shows up in there at all. We go into
> > security settings, shows us the default security name of the profile that
> > belongs to the OLD Verisign certificate. So on that same tab we go to
> > Certificates and algorithms and pick CHOOSE for either the signing or
> > encryption certificate. In there ONLY our Verisign certificate shows up.
> > There is nothing we can do to get Outlook to see the cert generated from
> > our CA server and accepted on this PC. However, if we go into Internet
> > Explorer's certificate page BOTH show up. If we go into XP's certificate
> > section using the MMC Certificate snap-in, in the Personal Certs section
> > we see BOTH certificates. Go back into Outlook, we ONLY see ONE. Doesn't
> > matter how many reboots we do, we can not see it.
> >
> > Furthermore, when we got the Verisign cert we were able to go into
> > Internet Explorer and EXPORT that out as a *.pfx file that could easily be
> > imported into Outlook (let's say the same user's laptop) so it was
> > portable. With the cert from our CA, even though we stated let the keys be
> > exportable, we can not get this cert exported to a file that Outlook can
> > read at all. Outlook will not read the generated *.cer file. We just
> > don't understand why the option to export to a #12 type PKCS file is
> > grayed out. Actually we don't understand what is wrong at all. This
> > should work!
> >
> > "Anand Abhyankar [MS]" <ananda@online.microsoft.com> wrote in message
> > news:eKVhB3HsEHA.2776@TK2MSFTNGP14.phx.gbl...
> >> To troubleshoot Web Enrollment check:
> >> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
> >>
> >> Once you have enrolled for a certificate you don't have to import it to
> >> Outlook. When you go to Tools->Options->Security don't click
> >> Import/Export. Instead just configure Outlook to use a certificate by
> >> clicking 'Settings'.
> >>
> >> BTW, if you are using all XP clients then you can use a feature called
> >> auto-enrollment instead of using the web page based certificate
> >> enrollment.
> >> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
> >>
> >> --
> >> Thanks,
> >> Anand Abhyankar [MS]
> >>
> >> ----
> >> This posting is provided "AS IS" with no warranties, and confers no
> >> rights.
> >>
> >> "Seekyouwillfind" <seekyouwillfind@news.postalias> wrote in message
> >> news:O6YEJdFsEHA.2764@TK2MSFTNGP11.phx.gbl...
> >> > Win2003 CA certificates with Outlook2003
> >> >
> >> > I am going insane trying to figure out why I can't generate digital
> >> > certificates from our Certificate Authority that our Outlook 2003
> >> > email client can use for encrypting and signing email.
> >> >
> >> > We had these clients using Verisign IDs imported into Outlook from
> >> > *.pfx files, PKCS #12 type. These worked great but they are a pain in
> >> > the butt to manage and renew for 50 plus users.
> >> >
> >> > Since we recently upgraded to Win2003 Server I decided we would
> >> > replace all these with certificates we generate internally. Was
> >> > supposed to be a simple thing to do. 3 days later I'm about to commit
> >> > suicide.
> >> >
> >> > We installed this CA as the Enterprise Root and implemented the web
> >> > enrollment. Everything looked like it went well per the docs. However,
> >> > when, as an end user, we get to the cert web page it does not look like
> >> > the documentation.
> >> >
> >> > We can submit a request for a certificate, but in the docs we see the
> >> > options being:
> >> >
> >> > Web Browser Certificate
> >> > Email Protection Certificate
> >> >
> >> > But we don't get this. We just get the User Certificate option.
> >> >
> >> > I thought this was because we didn't have all the templates loaded, but
> >> > there is no template that provides these options.
> >> >
> >> > Further research concludes that the User template creates a cert that
> >> > is appropriate for our needs, meaning it provides for Secure email and
> >> > signing (which is all we really need).
> >> >
> >> > The cert completes fine and when the user goes back to accept (using
> >> > Internet Explorer) the certificate is installed on the PC and can be
> >> > seen in IE, and at the XP Pro level using the Certificate MMC plugin.
> >> > When we view the cert everything looks right and the options for secure
> >> > email, signing and file encryption are there. However, when we open
> >> > Outlook and go into security settings we can not get this certificate
> >> > to be seen or loaded at all.
> >> >
> >> > We did have some difficulty with Verisign certs with this as well, BUT
> >> > with Verisign once the cert was in IE and XP we were able to export this
> >> > thing to a *.PFX file and then use Outlook's Digital ID Import function
> >> > to import the ID into Outlook.
> >> >
> >> > With our internally generated certificates we can not do this. IE or
> >> > the Cert MMC plugin export wizard will not give us an option to export
> >> > this cert in a format that Outlook can see. PKCS #12 *.PFX is greyed
> >> > out and we can not pick it.
> >> >
> >> > We can export as a CER or P7B and that's it. Outlook will not read
> >> > either.
> >> >
> >> > We have tried generating user certificates from our CA in different
> >> > ways but nothing works. We have read tons of info from the MS website
> >> > on Certificate Authority; most of it is very complicated and not
> >> > applicable. We are just trying to do this one simple thing.
> >> >
> >> > That is, we want to create our own internal certificates that our
> >> > Outlook 2003\Exchange2003SP1 users can use to sign email and to encrypt
> >> > email between each other. I have no idea how this has gotten so
> >> > complicated and why ONLY IE is seeing the certificate.
> >> >
> >> > One big point of confusion is why XP, IE, and Active Directory can all
> >> > see the person's internal certificate but Outlook can not???
> >> >
> >> > Any thoughts? Any way to simplify this??
> >>
> >
>
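The three checks Anand asks for in his reply (template name, Enhanced Key Usage, and whether a private key corresponds to the certificate) can be run against the whole Personal store in one go instead of opening each certificate in the MMC. The script below is an added example written for this thread, not code from either poster or from Microsoft; it assumes Windows PowerShell 5.1 on a current Windows client (PowerShell did not exist when the thread was written), and the extension OIDs for "Certificate Template Name" (1.3.6.1.4.1.311.20.2) and "Certificate Template Information" (1.3.6.1.4.1.311.21.7) are the standard Microsoft values. The exportable-key check only works for legacy CSP (CAPI) keys, which is what a 2003-era CA would have issued; keys held by CNG do not expose `CspKeyContainerInfo`, so the script reports those as unknown rather than guessing. The email-address column is an extra check beyond the thread: an S/MIME client also needs an RFC 822 address on the certificate that matches the mailbox.

```powershell
# Added diagnostic for the thread above (not the posters' code): list every
# certificate in the current user's Personal store with the template it came
# from, the EKUs it carries, whether a private key is attached, and whether
# that key was marked exportable at enrollment.

# EKU OIDs quoted in the thread for the User template
$SecureEmailOid = '1.3.6.1.5.5.7.3.4'
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'
$EfsOid         = '1.3.6.1.4.1.311.10.3.4'

function Test-SmimeCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Enhanced Key Usage extension (2.5.29.37) -> list of OID strings
    $ekuExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }

    # v1 templates (e.g. "User") use Certificate Template Name; v2 use Template Information
    $templateExt = $Cert.Extensions |
        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' }
    $template = if ($templateExt) { ($templateExt | Select-Object -First 1).Format($false) } else { '(none)' }

    # HasPrivateKey is the store-level equivalent of the General-tab message
    # "You have a private key that corresponds to this certificate".
    $exportable = 'unknown'
    if ($Cert.HasPrivateKey) {
        try {
            $key = $Cert.PrivateKey          # legacy CSP keys expose CspKeyContainerInfo
            if ($key -and $key.CspKeyContainerInfo) {
                $exportable = $key.CspKeyContainerInfo.Exportable
            }
        } catch {
            $exportable = 'error: ' + $_.Exception.Message
        }
    }

    [pscustomobject]@{
        Subject        = $Cert.Subject
        Thumbprint     = $Cert.Thumbprint
        Template       = $template
        HasPrivateKey  = $Cert.HasPrivateKey
        KeyExportable  = $exportable          # $false explains a greyed-out PFX export
        SecureEmailEku = $ekuOids -contains $SecureEmailOid
        ClientAuthEku  = $ekuOids -contains $ClientAuthOid
        EfsEku         = $ekuOids -contains $EfsOid
        # Extra check: S/MIME needs an email address in the cert (SAN or Subject)
        HasEmail       = [bool]($Cert.GetNameInfo('EmailName', $false))
    }
}

Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-SmimeCertificate -Cert $_ } |
    Format-List
```

A certificate that shows `HasPrivateKey: True`, `SecureEmailEku: True` and `HasEmail: True` is the one Outlook's Settings dialog should be able to pick; `KeyExportable: False` on such a certificate is the condition Anand describes in point 1, and it is set when the key is generated, so it cannot be changed after the fact on that copy. On older systems without PowerShell, `certutil -user -store My` prints the same store contents, including the key container, from the command line.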


