Configuring Security

Cross-Certify with Other Organizations

In Exchange 2000, Windows 2000 maintains the certificate trust lists (CTLs) for your organization, a task previously performed by KMS. A primary advantage is that you can add the root certificates of outside parties, such as a company you are partnered with, to your internal CTL. Some or all of your users automatically trust the external certificate, which is an arrangement known as cross-certification.

Install the external organization's root certificate on your domain controller, and that domain controller's Group Policy object (GPO) will publish the certificate to the domain's CTL within eight hours. If you reboot your computers, the information will be replicated sooner. For organizations with sub-domains, you can publish the external certificate to the CTL of the root domain to have it trusted in your entire organization. Otherwise, you can publish it to only one sub-domain, and only a portion of your users will trust it.

Note   Pre-Windows 2000 clients do not read CTLs published by Windows 2000 GPOs. For these clients, KMS will automatically publish the CTLs so that Outlook can consult the CTLs when needed.

To publish an external certificate to a domain controller's Group Policy object:

  1. Obtain the external certificate and have it ready on a floppy disk, or save it to a predetermined location.
  2. Start Microsoft Management Console (MMC) on the domain controller. This should be the domain controller for the domain (and any sub-domains) in which you want the external certificate to be trusted. On the Start menu, click Run, type MMC, and then click OK.
  3. On the Console menu, click Add/Remove Snap-in.
  4. In Add/Remove Snap-in, click Add.
  5. In Add Standalone Snap-in, click Certificates, and then click Add.
  6. In Certificates snap-in, click Computer account, and then click Finish.
  7. In Select Computer, click Local computer if it is not already selected, and then click Finish.
  8. Close Add Standalone Snap-in, and in Add/Remove Snap-in, click OK.
  9. In the console window, double-click Certificates (Local Computer), and then double-click Trusted Root Certification Authorities.
  10. Click Certificates to view all of your organization's trusted root certificates. To add the external certificate for cross-certification, right-click Certificates, point to All Tasks, and then click Import.
  11. In Certificate Import Wizard, on the File to Import screen, type in the location of the external certificate, or click Browse to navigate to it.
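The same import, scripted, with the checks a practitioner would run before trusting a partner's root. This is an added example, not part of the original documentation; it assumes a current Windows host with the PKI module (Import-Certificate), which did not exist on Windows 2000, and the certificate path is a placeholder.

```powershell
# Added example (not from the original documentation): command-line equivalent of
# steps 2-11, plus sanity checks, on a modern Windows host with the PKI module.
param(
    [string]$CertPath = 'C:\path\to\partner-root.cer'   # placeholder: the external root certificate
)

# Inspect the file before trusting it: a cross-certification root should be self-signed.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not a self-signed root (Subject '$($cert.Subject)' != Issuer '$($cert.Issuer)'); import the partner's root, not an intermediate."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter); ask the partner for a current root."
}

# Compare this thumbprint with the value the partner organization gave you out of band
# before continuing; a root in this store is trusted by every computer that picks up the CTL.
Write-Host "Subject   : $($cert.Subject)"
Write-Host "Thumbprint: $($cert.Thumbprint)"
Write-Host "Valid to  : $($cert.NotAfter)"

# Equivalent of Certificates (Local Computer) > Trusted Root Certification Authorities > Import
Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Confirm the certificate landed in the Local Computer root store
$installed = Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $installed) { throw 'Import did not succeed; the certificate is not in LocalMachine\Root' }
Write-Host "Installed in LocalMachine\Root: $($installed.Thumbprint)"
```

Run it in an elevated PowerShell session on the domain controller; the import into the Local Computer store requires administrative rights.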

Note   You can run this procedure on a Key Management server instead of a domain controller. Then only your Advanced Security users would trust the certificate.