Configuring Security

Advanced Security Featuring Key Management Service

Microsoft Exchange Advanced Security in Microsoft Exchange 2000 Server creates and manages the public key infrastructure (PKI) for Exchange in your organization. This Exchange PKI enables message content security in the form of data encryption and digital signatures. It also sets up a centralized management of keys and certificates within your administrative groups for all enrolled users.

In System Manager, there are two components within the Advanced Security object: Encryption Configuration and Key Manager. Together, they provide secure messaging through cryptographic key pairs. A key pair consists of a public key and a private key. Advanced Security is a dual-key-pair system: each user receives separate key pairs for encryption and for digital signatures.

Encryption Configuration specifies the encryption algorithm used by your PKI, as well as the secure message format used by your organization. This is also where you can select a Key Management server for administrative groups.

Use Key Manager to access the Exchange Key Management Service (KMS) and manage your Key Management servers. For each public key there is a corresponding private key, available only to the enrolled user. Each private encryption key is securely archived on a Key Management server.

Note: Before you can install KMS on an Exchange 2000 server, you must install Windows 2000 Server Certificate Services. Certificate Services lets your Exchange organization act as its own certification authority (CA). A certificate issued by Certificate Services binds an Exchange Advanced Security user to his or her public key. For complete information on Certificate Services, see the Windows 2000 documentation.

If an enrolled user loses their private key, for example through a hard disk failure or a forgotten password, administrators can use KMS to recover the key. Because of its closer integration with Windows 2000 Active Directory, KMS offers more organizational flexibility than previous versions of Exchange, as well as new administrative features such as bulk enrollment and the ability to export and import users from other Key Management servers.
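The dual-key design described above (separate signing and encryption key pairs, with the private encryption key archived on the Key Management server so that it can be recovered) can be shown in a small Go program using only the standard library. This is an added example, not Exchange or KMS code. The KeyArchive map stands in for the Key Management server's archive, and the DualKeyUser type, the Enroll, Recover and Demo functions and the sample message are all constructed for the example. It assumes, as the text implies, that only the encryption private key is archived and the signing key never leaves the user, so recovery restores the ability to read earlier encrypted mail without giving the recovering party the ability to sign as that user.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// DualKeyUser holds the two key pairs each enrolled user receives
// (constructed type for this example, not a KMS structure).
type DualKeyUser struct {
	SigningKey    *rsa.PrivateKey // never leaves the user
	EncryptionKey *rsa.PrivateKey // archived so it can be recovered
}

// KeyArchive stands in for the Key Management server's archive of private
// encryption keys: PKCS#8 DER bytes indexed by user name (constructed).
type KeyArchive map[string][]byte

// Enroll generates both key pairs and archives only the encryption key.
func Enroll(name string, archive KeyArchive) (*DualKeyUser, error) {
	sig, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	enc, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKCS8PrivateKey(enc)
	if err != nil {
		return nil, err
	}
	archive[name] = der
	return &DualKeyUser{SigningKey: sig, EncryptionKey: enc}, nil
}

// Sign produces an RSA PKCS#1 v1.5 signature over SHA-256(msg).
func Sign(key *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
}

// Verify reports whether sig is a valid signature on msg under pub.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// Encrypt seals msg to a recipient's encryption public key (RSA-OAEP).
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt opens a sealed message with an encryption private key.
func Decrypt(key *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, key, ct, nil)
}

// Recover rebuilds a user's encryption key from the archive: the
// "lost private key" case (disk failure, forgotten password).
func Recover(name string, archive KeyArchive) (*rsa.PrivateKey, error) {
	der, ok := archive[name]
	if !ok {
		return nil, fmt.Errorf("no archived encryption key for %q", name)
	}
	k, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, err
	}
	rk, ok := k.(*rsa.PrivateKey)
	if !ok {
		return nil, errors.New("archived key is not an RSA key")
	}
	return rk, nil
}

// Demo walks through enrollment, loss and recovery. It returns whether the
// recovered key decrypts earlier mail and whether a signature made with it
// verifies under the user's signing key (it must not).
func Demo() (decryptsOK bool, forgesSignature bool, err error) {
	archive := KeyArchive{}
	alice, err := Enroll("alice", archive)
	if err != nil {
		return false, false, err
	}
	msg := []byte("quarterly figures attached") // constructed sample message
	ct, err := Encrypt(&alice.EncryptionKey.PublicKey, msg)
	if err != nil {
		return false, false, err
	}
	alice.EncryptionKey = nil // the user's own copy is lost
	recovered, err := Recover("alice", archive)
	if err != nil {
		return false, false, err
	}
	pt, err := Decrypt(recovered, ct)
	decryptsOK = err == nil && bytes.Equal(pt, msg)
	forged, err := Sign(recovered, msg) // signing key was never archived
	if err != nil {
		return false, false, err
	}
	forgesSignature = Verify(&alice.SigningKey.PublicKey, msg, forged)
	return decryptsOK, forgesSignature, nil
}

func main() {
	d, f, err := Demo()
	fmt.Println("recovered key decrypts:", d, "forges signature:", f, "err:", err)
}
```

The point of the separation is visible in Demo: the recovered key reads the archived ciphertext, but because the signing key was never archived, nothing the recovering administrator holds can produce a signature that verifies as the user's.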

Note: To enroll in KMS, users must run Microsoft Outlook on their computers. Outlook 98 and later versions support Secure/Multipurpose Internet Mail Extensions (S/MIME); compatibility with the Exchange 4.0/5.0 security message format is also available. For information specific to Outlook security, see the Microsoft Outlook documentation.

Answers to Frequently Asked Questions

How many Key Management servers can I have in my Exchange organization?

A Key Management server is an Exchange 2000 server on which KMS has been installed. You can have one Key Management server per administrative group. 

Does a client need to enroll in Exchange Advanced Security to send secure messages with S/MIME?

No. Clients running Outlook 98 or later support S/MIME. Through certificates issued by a third-party certification authority, Outlook clients can use S/MIME to send secure messages across the Internet, even if Advanced Security has not been implemented in the organization, or if a client is not enrolled in Advanced Security. For more information on configuring client security, see the Outlook documentation. 

Can dual-key users of Advanced Security communicate with non-dual-key security systems?

Yes. Exchange Advanced Security provides users with two key pairs, one for digital signatures and one for message encryption. Many non-KMS clients using S/MIME through a third-party CA use a single key pair for both functions. While Outlook 98 and Outlook 2000 support interoperability between KMS and non-KMS users, older e-mail clients may have difficulty with KMS's dual-key S/MIME messages. Consult your e-mail client's documentation if you are unsure about support for dual-key messaging.

Can Exchange Advanced Security use third-party certification authorities?

KMS must use Windows 2000 Certificate Services as its CA. However, if your organization uses a third-party CA, Certificate Services can be configured as a subordinate CA of that third-party CA. Your internally generated certificates then chain to the third-party CA and are trusted outside of your organization.
Note: For a list of third-party CAs, in Internet Explorer, on the Tools menu, click Internet Options. Click the Content tab, click Certificates, and then click the Trusted Root Certification Authorities tab. For more information, see the Internet Explorer documentation.

How do I trust certificates from other companies?

In certain situations, such as a partnership between two companies, you can have some or all of your Advanced Security users automatically trust another organization's certificates. This is known as cross-certification. Add the partner organization's root certificate to your domain controller, and the certificate is published to your internal certificate trust list (CTL).

What kind of certificates does Exchange Advanced Security use?

Windows 2000 Certificate Services, the certification authority for KMS, issues only X.509 version 3 (X.509v3) certificates. For compatibility with older Exchange systems, however, KMS continues to issue X.509 version 1 (X.509v1) certificates and acts as the certification authority for those older clients.
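The three preceding answers (a subordinate CA chaining to a third-party root, trusting a partner organization's root through the certificate trust list, and X.509v3 certificates) can be demonstrated together with the Go standard library's crypto/x509 package. This is an added example, not Certificate Services or KMS code. The CA names, e-mail addresses, serial numbers, the caCert and Hierarchy types and the BuildHierarchy and TrustedBy functions are all constructed for the example; the trusted slice passed to TrustedBy plays the role of the CTL. The extensions set in template (basic constraints, key usage, extended key usage) are exactly the kind of v3 extensions that a v1 certificate cannot carry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// caCert pairs a parsed certificate with its private key (constructed type).
type caCert struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// template builds an X.509 v3 template; the v3 extensions below are what
// distinguish these certificates from the v1 format issued for older clients.
func template(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	}
	return t
}

// issue signs tmpl with parent; a nil parent produces a self-signed root.
func issue(tmpl *x509.Certificate, parent *caCert) (*caCert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &caCert{Cert: c, Key: key}, nil
}

// Hierarchy: a third-party root, our subordinate CA and a user under it,
// plus a partner organization's own root and user (all names constructed).
type Hierarchy struct {
	ExternalRoot, SubCA, User, PartnerRoot, PartnerUser *caCert
}

// BuildHierarchy issues every certificate in the hierarchy above.
func BuildHierarchy() (*Hierarchy, error) {
	var err error
	mk := func(cn string, isCA bool, serial int64, parent *caCert) *caCert {
		if err != nil {
			return nil // an earlier issuance already failed
		}
		var c *caCert
		c, err = issue(template(cn, isCA, serial), parent)
		return c
	}
	h := &Hierarchy{}
	h.ExternalRoot = mk("Third-Party Root CA", true, 1, nil)
	h.SubCA = mk("Example Corp Subordinate CA", true, 2, h.ExternalRoot)
	h.User = mk("alice@example.test", false, 3, h.SubCA)
	h.PartnerRoot = mk("Partner Org Root CA", true, 4, nil)
	h.PartnerUser = mk("bob@partner.test", false, 5, h.PartnerRoot)
	if err != nil {
		return nil, err
	}
	return h, nil
}

// TrustedBy reports whether user chains to one of the trusted roots, using
// any intermediate certificates that arrived with the message. The trusted
// slice stands in for the certificate trust list.
func TrustedBy(user *x509.Certificate, intermediates, trusted []*x509.Certificate) bool {
	roots, ints := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range trusted {
		roots.AddCert(r)
	}
	for _, i := range intermediates {
		ints.AddCert(i)
	}
	_, err := user.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: ints,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	})
	return err == nil
}
```

Two things worth checking when you run it: the organization's own user certificate verifies against the third-party root only when the subordinate CA certificate is available to build the chain, and the partner's user certificate is rejected until the partner root is added to the trusted list, which is the effect the cross-certification answer describes.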

What happens when KMS needs a certificate from a Certificate Services server that is busy?

In Exchange 2000, if one Certificate Services server is busy, KMS can request and receive a certificate from any other enterprise Certificate Services server in the organization, and it can enroll users through any enterprise Certificate Services server. If all Certificate Services servers in your organization are busy, requests are queued for up to 24 hours; after that time, the request must be reissued. The necessary certificate templates must also be installed on the enterprise Certificate Services server.