Setting up auto enrollment for email certificates using active directory
We must issue a Key Recovery Agent certificate for this user. To do this:
Issue the Key Recovery Agent certificate template at the CA
Request this certificate for the user who will become the Key Recovery Agent
Manually issue the Key Recovery Agent certificate at the CA
Figure 1 shows the issued Key Recovery Agent Certificate for the user Administrator.
Figure 1: Issued Key Recovery Agent certificate
Important:
The Windows Server 2003 CA will not automatically issue this certificate to the user who requests the Key Recovery Agent certificate. The CA administrator must manually issue the certificate in the Microsoft CA console.
Now it is time to enable the CA for Key Archiving. Start the Microsoft CA
Now you have to configure the following settings for this template. (I also checked "Do not automatically reenroll if a duplicate certificate exists"; this keeps someone from logging on to a different computer and receiving a new cert, which would get their mail all messed up because the two certs would have incompatible keys and their email could be encrypted with the wrong ones.)
Publishing all certificates in Active Directory is required because the Global Address List of Exchange Server 2003 is based on AD. Once this feature is configured, all issued certificates are available in Active Directory.
In "Request Handling" properties you have to choose "Signature and encryption" as the purpose, and you should enable key archiving so that key recovery is possible. In addition, enrolling the certificate without requiring user input is the recommended setting, since autoenrollment should run silently.
To make sure that the old Exchange User template is never used again, configure the new template so that it supersedes the old one.
I created a group called email encryption and then added members to it to provide them with certs.
Next you want to set up Group Policy to allow autoenrollment.
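The template settings above (autoenroll, publish to AD, duplicate check, key archival, signature-and-encryption purpose) are stored as flag bits on the template object in Active Directory. The following Python script is an added example, not part of the original post: it audits a template's attribute values against those settings. The flag constants are taken from MS-CRTD; the two template records are constructed samples rather than values read from a live directory.

```python
# Added example: audit a certificate template's AD attributes against the
# email-certificate settings described in the post. Flag constants follow
# MS-CRTD; the sample templates below are constructed, not read from AD.

# msPKI-Enrollment-Flag bits
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # "CA certificate manager approval" (why KRA requests wait)
CT_FLAG_PUBLISH_TO_DS = 0x8              # "Publish certificate in Active Directory"
CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE = 0x10  # "Do not reenroll if a duplicate exists"
CT_FLAG_AUTO_ENROLLMENT = 0x20           # template allows autoenrollment
CT_FLAG_USER_INTERACTION_REQUIRED = 0x100  # prompts the user; breaks silent enrollment
# msPKI-Private-Key-Flag bits
CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL = 0x1  # "Archive subject's encryption private key"
# pKIKeyUsage first byte (X.509 KeyUsage bit positions)
KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT = 0x80, 0x20
EKU_SECURE_EMAIL = "1.3.6.1.5.5.7.3.4"

def audit_email_template(tpl):
    """Return a list of findings; an empty list means the template matches the post's settings."""
    findings = []
    ef, pkf, ku = tpl["msPKI-Enrollment-Flag"], tpl["msPKI-Private-Key-Flag"], tpl["pKIKeyUsage"][0]
    if not ef & CT_FLAG_AUTO_ENROLLMENT:
        findings.append("autoenrollment flag not set")
    if ef & CT_FLAG_USER_INTERACTION_REQUIRED:
        findings.append("user input required; silent autoenrollment will not happen")
    if not ef & CT_FLAG_PUBLISH_TO_DS:
        findings.append("not published to AD; the Exchange GAL will not see the certificate")
    if not ef & CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE:
        findings.append("duplicate check off; logon on another machine yields a second key pair")
    if not pkf & CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL:
        findings.append("private key not archived; no recovery if the key is lost")
    if ku & (KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT) != (KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT):
        findings.append("purpose is not signature and encryption")
    if EKU_SECURE_EMAIL not in tpl["pKIExtendedKeyUsage"]:
        findings.append("Secure Email EKU missing")
    return findings

# Constructed sample: a template configured the way the post describes.
GOOD_TEMPLATE = {
    "cn": "EmailEncryptionV2",
    "msPKI-Enrollment-Flag": CT_FLAG_PUBLISH_TO_DS | CT_FLAG_AUTO_ENROLLMENT_CHECK_USER_DS_CERTIFICATE | CT_FLAG_AUTO_ENROLLMENT,
    "msPKI-Private-Key-Flag": CT_FLAG_REQUIRE_PRIVATE_KEY_ARCHIVAL,
    "pKIKeyUsage": bytes([KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT, 0x00]),
    "pKIExtendedKeyUsage": [EKU_SECURE_EMAIL],
}
# Constructed sample standing in for the old Exchange User style template: no archival, no autoenroll.
OLD_TEMPLATE = dict(GOOD_TEMPLATE, cn="ExchangeUser",
                    **{"msPKI-Enrollment-Flag": CT_FLAG_PUBLISH_TO_DS, "msPKI-Private-Key-Flag": 0})

if __name__ == "__main__":
    for t in (GOOD_TEMPLATE, OLD_TEMPLATE):
        print(t["cn"], audit_email_template(t) or "OK")
```

In a real environment the attribute values come from the template object under CN=Certificate Templates,CN=Public Key Services,CN=Services in the Configuration partition.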
Configuring Certificate Services for Autoenrollment
Autoenrollment is a useful feature of certification services in Windows XP and Windows Server 2003, Standard Edition. Autoenrollment allows the administrator to configure subjects to automatically enroll for certificates, retrieve issued certificates, and renew expiring certificates without requiring subject interaction. The subject does not need to be aware of any certificate operations, unless you configure the certificate template to interact with the subject.