Win2003 CA certificates with Outlook2003


Seekyouwillfind




I am going insane trying to figure out why I can't generate digital
certificates from our Certificate authority that our Outlook 2003 email
client can use for encrypting and signing email.



We had these clients using Verisign IDs imported into Outlook from *.pfx
files (PKCS #12 type). These worked great, but they are a pain in the butt to
manage and renew for 50-plus users.



Since we recently upgraded to Win2003 Server, I decided we would replace all
these with certificates we generate internally. It was supposed to be a simple
thing to do. 3 days later I'm about to commit suicide.



We installed this CA as the Enterprise Root and implemented the web
enrollment. Everything looked like it went well per the docs. However,
when, as an end user, we get to the cert web page, it does not look like the
documentation.



We can submit a request for a certificate, but in the docs we see the options
being:



Web Browser Certificate

Email Protection Certificate





But we don't get this. We just get the User Certificate option.



I thought this was because we didn't have all the templates loaded but there
is no template that provides these options.



Further research concludes that the User template creates a cert that is
appropriate for our needs, meaning it provides for secure email and
signing (which is all we really need).



The cert completes fine, and when the user goes back to accept (using
Internet Explorer) the certificate is installed on the PC and can be seen in
IE, and at the XP Pro level using the Certificate MMC plugin. When we view
the cert everything looks right, and the options for secure email, signing
and file encryption are there. However, when we open Outlook and go into
security settings we cannot get this certificate to be seen or loaded at
all.



We did have some difficulty with Verisign certs with this as well, BUT with
Verisign, once the cert was in IE and XP we were able to export this thing
to a *.PFX file and then use Outlook's Digital ID Import function to import
the ID into Outlook.



With our internally generated certificates we cannot do this. IE or the Cert
MMC plugin export wizard will not give us an option to export this cert in a
format that Outlook can see. PKCS #12 *.PFX is greyed out and we cannot
pick it.

We can export as a CER or P7B and that's it. Outlook will not read either.



We have tried generating user certificates from our CA in different ways, but
nothing works. We have read tons of info from the MS website on Certificate
Authority; most of it is very complicated and not applicable. We are just
trying to do this one simple thing.



That is, we want to create our own internal certificates that our Outlook
2003\Exchange2003SP1 users can use to sign email and to encrypt email
between each other. I have no idea how this has gotten so complicated and
why ONLY IE is seeing the certificate.



One big point of confusion is why XP, IE, and Active Directory can all see
the person's internal certificate but Outlook cannot???



Any thoughts? Any way to simplify this??
 
