Re: Win2003 CA certificates with Outlook2003

From: Seekyouwillfind (seekyouwillfind_at_news.postalias)
Date: 10/13/04


Date: Wed, 13 Oct 2004 16:18:50 -0400

Stupid question.... I submitted the certificate request from the MMC plug-in
as you suggested. That part went well. I went to the CA and approved the
issuance. But when I go back to the client and into that Certificate MMC
plug-in, I can't find any option to allow me to accept the certificate??? It
allows me to submit a request, but I can't find any way to accept it. I've gone
through all the menus and I can't find anything.

Either I'm blind or I'm overlooking something, but I would really like to
get this certificate installed so we can see if you are right about the
web page enrollment being the problem or not.

What am I missing?

Thanks for all your help so far.

"Anand Abhyankar [MS]" <ananda@online.microsoft.com> wrote in message
news:OEIniHKsEHA.2208@TK2MSFTNGP14.phx.gbl...
> 1. My guess is that for some reason the association between the certificate
> and the key container (which contains the corresponding private key) is
> missing. So although the key is exportable, the export wizard thinks that it's
> simply not there. That is the same reason that Outlook is NOT allowing you
> to select that certificate.
>
> 2. Chances are something is not correct on the web pages.
> To confirm it perform the following steps on an XP client:
> Load the certmgr snap-in in MMC.
> Right-click on the Personal node -> All Tasks -> Request New Certificate...
> What are all the templates that you see?
> Select the 'User' template and complete the wizard.
> If you get a certificate then check if you can use it in Outlook and if you
> can see that private-key-related message under the validity period.
>
> If the above works then something is wrong with the web pages. Use this to
> troubleshoot:
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
>
>
> 3. You cannot edit templates on Standard Edition. Check:
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx
>
> --
> Thanks,
> Anand Abhyankar [MS]
>
> ----
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
>
> "Seekyouwillfind" <seekyouwillfind@news.postalias> wrote in message
> news:O0qf2AJsEHA.1388@TK2MSFTNGP09.phx.gbl...
> > Thanks for your quick write-back.
> >
> > Here are your answers
> >
> > 1. Yes, we agree with you on this point, that's probably the root of it,
> > but what we don't understand is why. Trust me, we are EXPLICITLY checking
> > the Allow private keys to be exported box during the submission phase, but
> > it's becoming clear that the CA server isn't doing this. But why?
> >
> > 2. Template field is User, which is the only option it will give an
> > end user from the Web logon. But looking at the documentation, the User
> > template should work fine. It supports the 3 things, two of which are all
> > we want. As to the Enhanced Key Usage that is listed:
> > Encrypting File System (1.3.6.1.4.1.311.10.3.4)
> > Secure Email (1.3.6.1.5.5.7.3.4)
> > Client Authentication (1.3.6.1.5.5.7.3.2)
> >
> >
> > 3. On the General tab under the validity period we do NOT see the
> > message you speak of at all.
> >
> > Not sure if the root of the problem is that we have the CA and a Windows
> > 2003 Standard Domain Controller. Much of the documentation talks about
> > the features this has on the Enterprise and Datacenter editions. What I
> > would like to do on the CA server is use the template editor and copy the
> > User template and make some property changes to it to ensure the options
> > we want are enabled. But I'm not sure this can be done on a Standard
> > server, and even if I did edit it, I really don't know how to change the
> > Web enrollment website to give that as an option anyway.
> >
> > Also, to answer something you asked earlier, the auto-enrollment looks
> > interesting, but unfortunately our 50 users are split down the middle: 25
> > on XP, 18 on Win 2000, and even 7 users still on Win98SE (UGH). So I'm
> > still 4-6 months away from being a pure XP Pro shop.
> >
> > "Anand Abhyankar [MS]" <ananda@online.microsoft.com> wrote in message
> > news:%23itjvlIsEHA.3728@TK2MSFTNGP09.phx.gbl...
> >> 1. The possible reason that you are not able to export the pfx (PKCS #12)
> >> is because the private key is NOT marked exportable.
> >>
> >> 2. Since you can see the certificate in MMC, can you double-click on the
> >> certificate, go to the Details tab and tell me the details of the
> >> 'Certificate Template Information' field (I need the template name) and
> >> the Enhanced Key Usage that is listed?
> >>
> >> 3. On the General tab, under the validity period, do you see a message
> >> 'You have a private key that corresponds to this certificate'?
> >>
> >> --
> >> Thanks,
> >> Anand Abhyankar [MS]
> >>
> >> ----
> >> This posting is provided "AS IS" with no warranties, and confers no
> >> rights.
> >>
> >>
> >> "Seekyouwillfind" <seekyouwillfind@news.postalias> wrote in message
> >> news:enu5IPIsEHA.376@TK2MSFTNGP14.phx.gbl...
> >> > You mentioned: When you go to Tools->Options->Security don't click
> >> > Import/Export. Instead just configure Outlook to use a certificate by
> >> > clicking 'Settings'.
> >> >
> >> > This is what we did, but nothing shows up in there at all. We go into
> >> > security settings, which shows us the default security name of the
> >> > profile that belongs to the OLD Verisign certificate. So on that same
> >> > tab we go to Certificates and Algorithms and pick CHOOSE for either the
> >> > signing or encryption certificate. In there ONLY our Verisign
> >> > certificate shows up. There is nothing we can do to get Outlook to see
> >> > the cert generated from our CA server and accepted on this PC. However,
> >> > if we go into Internet Explorer's certificate page BOTH show up. If we
> >> > go into XP's certificate section using the MMC Certificate snap-in, in
> >> > the Personal Certs section we see BOTH certificates. Go back into
> >> > Outlook and we ONLY see ONE. It doesn't matter how many reboots we do,
> >> > we can not see it.
> >> >
> >> > Furthermore, when we got the Verisign cert we were able to go into
> >> > Internet Explorer and EXPORT that out as a *.pfx file that could easily
> >> > be imported into Outlook (let's say the same user's laptop), so it was
> >> > portable. With the cert from our CA, even though we stated let the keys
> >> > be exportable, we can not get this cert exported to a file that Outlook
> >> > can read at all. Outlook will not read the generated *.cer file. We just
> >> > don't understand why the option to export to a PKCS #12 type file is
> >> > grayed out. Actually we don't understand what is wrong at all. This
> >> > should work!
> >> >
> >> > "Anand Abhyankar [MS]" <ananda@online.microsoft.com> wrote in message
> >> > news:eKVhB3HsEHA.2776@TK2MSFTNGP14.phx.gbl...
> >> >> To troubleshoot Web Enrollment check:
> >> >>
> >> >> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx
> >> >>
> >> >> Once you have enrolled for a certificate you don't have to import it
> >> >> to Outlook. When you go to Tools->Options->Security don't click
> >> >> Import/Export. Instead just configure Outlook to use a certificate by
> >> >> clicking 'Settings'.
> >> >>
> >> >> BTW, if you are using all XP clients then you can use a feature called
> >> >> auto-enrollment instead of using the web page based certificate
> >> >> enrollment.
> >> >>
> >> >> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/autoenro.mspx
> >> >>
> >> >> --
> >> >> Thanks,
> >> >> Anand Abhyankar [MS]
> >> >>
> >> >> ----
> >> >> This posting is provided "AS IS" with no warranties, and confers no
> >> >> rights.
> >> >>
> >> >>
> >> >> "Seekyouwillfind" <seekyouwillfind@news.postalias> wrote in message
> >> >> news:O6YEJdFsEHA.2764@TK2MSFTNGP11.phx.gbl...
> >> >> > Win2003 CA certificates with Outlook2003
> >> >> >
> >> >> > I am going insane trying to figure out why I can't generate digital
> >> >> > certificates from our Certificate Authority that our Outlook 2003
> >> >> > email client can use for encrypting and signing email.
> >> >> >
> >> >> > We had these clients using Verisign IDs imported into Outlook from
> >> >> > *.pfx files (PKCS #12 type). These worked great, but they are a pain
> >> >> > in the butt to manage and renew for 50-plus users.
> >> >> >
> >> >> > Since we recently upgraded to Win2003 Server I decided we would
> >> >> > replace all these with certificates we generate internally. It was
> >> >> > supposed to be a simple thing to do. 3 days later I'm about to commit
> >> >> > suicide.
> >> >> >
> >> >> > We installed this CA as the Enterprise Root and implemented the web
> >> >> > enrollment. Everything looked like it went well per the docs. However,
> >> >> > when, as an end user, we get to the cert web page it does not look
> >> >> > like the documentation.
> >> >> >
> >> >> > We can submit a request for a certificate, but in the docs we see the
> >> >> > options being:
> >> >> >
> >> >> > Web Browser Certificate
> >> >> > Email Protection Certificate
> >> >> >
> >> >> > But we don't get this. We just get the User Certificate option.
> >> >> >
> >> >> > I thought this was because we didn't have all the templates loaded,
> >> >> > but there is no template that provides these options.
> >> >> >
> >> >> > Further research concludes that the User template creates a cert
> >> >> > that is appropriate for our needs, meaning it provides for secure
> >> >> > email and signing (which is all we really need).
> >> >> >
> >> >> > The cert completes fine, and when the user goes back to accept (using
> >> >> > Internet Explorer) the certificate is installed on the PC and can be
> >> >> > seen in IE, and at the XP Pro level using the Certificate MMC plug-in.
> >> >> > When we view the cert everything looks right and the options for
> >> >> > secure email, signing and file encryption are there. However, when we
> >> >> > open Outlook and go into security settings we can not get this
> >> >> > certificate to be seen or loaded at all.
> >> >> >
> >> >> > We did have some difficulty with Verisign certs with this as well,
> >> >> > BUT with Verisign, once the cert was in IE and XP we were able to
> >> >> > export this thing to a *.PFX file and then use Outlook's Digital ID
> >> >> > Import function to import the ID into Outlook.
> >> >> >
> >> >> > With our internally generated certificates we can not do this. IE or
> >> >> > the Cert MMC plug-in export wizard will not give us an option to
> >> >> > export this cert in a format that Outlook can see. PKCS #12 *.PFX is
> >> >> > greyed out and we can not pick it.
> >> >> >
> >> >> > We can export as a CER or P7B and that's it. Outlook will not read
> >> >> > either.
> >> >> >
> >> >> > We have tried generating user certificates from our CA in different
> >> >> > ways, but nothing works. We have read tons of info from the MS website
> >> >> > on Certificate Authority; most of it is very complicated and not
> >> >> > applicable. We are just trying to do this one simple thing.
> >> >> >
> >> >> > That is, we want to create our own internal certificates that our
> >> >> > Outlook 2003\Exchange2003SP1 users can use to sign email and to
> >> >> > encrypt email between each other. I have no idea how this has gotten
> >> >> > so complicated and why ONLY IE is seeing the certificate.
> >> >> >
> >> >> > One big point of confusion is why XP, IE, and Active Directory can all
> >> >> > see the person's internal certificate but Outlook can not???
> >> >> >
> >> >> > Any thoughts? Any way to simplify this??
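The checks Anand walks through one at a time in this thread (template name, Enhanced Key Usage, the "You have a private key that corresponds to this certificate" message, and whether that key is exportable) collected into one diagnostic script. This is an added example, not code from the thread or from Microsoft. It assumes a Windows client with PowerShell 3.0 or later and the Cert: drive, run as the user who enrolled, with the key held by a legacy CSP as it would be for XP-era enrollment; the function and variable names are mine. The certutil line at the end is the built-in command for re-linking a certificate to its key container when that association is what went missing, which is the failure Anand describes in his point 1.

```powershell
# Added diagnostic for the symptoms in this thread; not code from the thread or from Microsoft.
# Assumes PowerShell 3.0+ (for [pscustomobject]), the Cert: drive, and legacy CSP keys.
$secureEmailOid  = '1.3.6.1.5.5.7.3.4'      # id-kp-emailProtection: the EKU Outlook needs for S/MIME
$templateNameOid = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name (v1 templates such as User)
$templateInfoOid = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information (v2 templates)

function Get-SmimeCertReport {
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
        # Enhanced Key Usage OIDs, as shown on the Details tab of the certificate dialog.
        $ekus = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }

        # Template name or OID from whichever template extension the CA stamped on the cert.
        $template = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq $templateNameOid -or $_.Oid.Value -eq $templateInfoOid } |
            ForEach-Object { $_.Format($false) }

        # HasPrivateKey is what the General tab's "You have a private key that
        # corresponds to this certificate" message reflects. If it is False for a
        # cert enrolled on this machine, the cert/key-container link is missing,
        # which is also why the export wizard greys out PKCS #12 and Outlook hides the cert.
        $exportable = 'n/a'
        if ($cert.HasPrivateKey) {
            try {
                $info = $cert.PrivateKey.CspKeyContainerInfo   # legacy CSP keys only
                if ($info) { $exportable = $info.Exportable }
            } catch { $exportable = 'unknown' }
        }

        [pscustomobject]@{
            Subject     = $cert.Subject
            Serial      = $cert.SerialNumber
            Template    = ($template -join '; ')
            SecureEmail = ($ekus -contains $secureEmailOid)
            HasPrivKey  = $cert.HasPrivateKey
            Exportable  = $exportable
            EKUs        = ($ekus -join ', ')
        }
    }
}

Get-SmimeCertReport | Format-Table -AutoSize

# If HasPrivKey is False for a cert whose key container still exists in this
# user's profile, relink it (replace <SERIAL> with the Serial column value):
#   certutil -user -repairstore My <SERIAL>
```

A certificate that Outlook will offer for signing or encryption shows SecureEmail True and HasPrivKey True; one that IE and the MMC list but Outlook ignores typically shows HasPrivKey False, and that is the case the certutil repair addresses. Exportable False with HasPrivKey True is the other situation raised in the thread: the cert is usable in Outlook on this machine, but PKCS #12 export will stay greyed out because the CSP was never told the key may leave the container, and no amount of re-enrolling with the same settings changes that.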


