Configuring Security


A certificate is an electronic credential that authenticates the identity of users and computers. Certificates safeguard your intranet against forgery or impersonation by an outside party. If someone in your organization connects to a Web site or a server in another company, and that server presents a certificate signed by a certification authority (CA) you trust, you can be confident that the organization the certificate identifies actually operates the server, provided the client verifies that the certificate chains to that CA, is within its validity period, and has not been revoked.

Certificates are issued by a certification authority (CA). The CA for Exchange Advanced Security is Windows 2000 Certificate Services. Certificate Services issues the certificates that provide two security functions:

Note   In Outlook, certificates are also known as digital IDs.

CRLs and CTLs

CAs revoke certificates when the private key associated with a certificate is compromised, or when the subject of the certificate leaves the organization. CAs maintain and publish a list of the certificates they have revoked, called the certificate revocation list (CRL). A revocation only takes effect if the relying client actually retrieves the current CRL and checks it before trusting a certificate, so publish the CRL where your clients can reach it and reissue it before it expires. CAs also maintain a certificate trust list (CTL), a signed list of certificates that administrators designate as trustworthy for specified purposes. For example, Certificate Services can publish one CTL of certificates valid for authenticating users, and another for secure e-mail. For more information, see the Windows 2000 documentation on Certificate Services.

Compatibility with X.509v1 Certificates

Certificate Services issues industry-standard X.509v3 (version 3) certificates, which Secure/Multipurpose Internet Mail Extensions (S/MIME) clients recognize, so users can exchange secure mail with correspondents on the Internet. Each certificate includes a serial number that is unique within the issuing CA, the distinguished name of the CA, the name of the user or entity the certificate is bound to, and that entity's public key.

Outlook 97 and earlier versions do not support S/MIME. Instead they use the proprietary Exchange 4.0/5.0 security message format, which relies on X.509v1 (version 1) certificates. Because these clients cannot use the X.509v3 certificates issued by Certificate Services, KMS can continue to issue X.509v1 certificates to them. By default, however, KMS issues only X.509v3 certificates to your Advanced Security users; you must explicitly configure KMS to issue version 1 certificates before these older clients can enroll. Treat this as a compatibility measure only: a version 1 certificate has no extensions field, so it cannot declare a key usage or point to a CRL the way a version 3 certificate can, and you should turn version 1 issuance off again once the last Outlook 97 or earlier client has been upgraded.
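As an added example (not from the Exchange documentation, KMS or Certificate Services), the following Python walks the DER structure of an X.509 TBSCertificate to tell a version 1 certificate from a version 3 one and to read the serial number, issuer name and subject name described above, plus the OIDs of any extensions. The two certificates, their issuer and subject names, the validity dates and the placeholder public key are constructed inline for illustration; they are unsigned skeletons built by the code itself, not real KMS or Certificate Services output. Only the standard library is used.

```python
"""Added example: minimal DER walker that distinguishes X.509v1 from X.509v3 and reads
serial, issuer, subject and extensions. Certificates below are constructed, unsigned
TBSCertificate skeletons with a placeholder public key (not real CA output)."""
from datetime import datetime, timezone

OID_CN = bytes.fromhex("550403")                 # 2.5.4.3 commonName
OID_KEY_USAGE = bytes.fromhex("551d0f")          # 2.5.29.15 keyUsage
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")
OID_RSA = bytes.fromhex("2a864886f70d010101")

def der(tag, body):
    """Encode one DER TLV, using the long length form when the body is 128 bytes or more."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def der_int(v):
    """Non-negative INTEGER; the extra byte keeps the leading zero DER needs when bit 7 is set."""
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_seq(*items):
    return der(0x30, b"".join(items))

def der_name(cn):
    """Name ::= SEQUENCE OF RDN; one RDN (SET) holding a commonName PrintableString."""
    return der_seq(der(0x31, der_seq(der(0x06, OID_CN), der(0x13, cn.encode("ascii")))))

def der_time(dt):
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))   # UTCTime

def read_tlv(buf, pos=0):
    """Return (tag, value, position just after this TLV)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long form: next (ln & 0x7F) bytes hold the length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln

def children(buf):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

# Placeholder SubjectPublicKeyInfo (rsaEncryption + dummy BIT STRING); constructed, not a real key.
SPKI = der_seq(der_seq(der(0x06, OID_RSA), der(0x05, b"")), der(0x03, b"\x00" * 9))
SIG_ALG = der_seq(der(0x06, OID_SHA1_RSA), der(0x05, b""))
NOT_BEFORE = datetime(2000, 1, 1, tzinfo=timezone.utc)    # constructed validity window
NOT_AFTER = datetime(2001, 1, 1, tzinfo=timezone.utc)

def key_usage_ext(digital_signature, key_encipherment):
    """Critical keyUsage extension: bit 0 = digitalSignature, bit 2 = keyEncipherment."""
    bits = (0x80 if digital_signature else 0) | (0x20 if key_encipherment else 0)
    value = der(0x03, bytes([5, bits]))            # BIT STRING with 5 unused bits in the last byte
    return der_seq(der(0x06, OID_KEY_USAGE), der(0x01, b"\xff"), der(0x04, value))

def build_tbs(version, serial, issuer, subject, extensions=()):
    """Unsigned TBSCertificate. A v1 certificate omits the version field entirely (DEFAULT v1);
    a v3 certificate carries [0] EXPLICIT INTEGER 2 and may carry [3] EXPLICIT Extensions."""
    parts = []
    if version != 1:
        parts.append(der(0xA0, der_int(version - 1)))
    parts += [der_int(serial), SIG_ALG, der_name(issuer),
              der_seq(der_time(NOT_BEFORE), der_time(NOT_AFTER)), der_name(subject), SPKI]
    if extensions:
        if version < 3:
            raise ValueError("extensions need X.509v3")
        parts.append(der(0xA3, der_seq(*extensions)))
    return der_seq(*parts)

def cn_of(name):
    """Return the commonName from a Name value, or '' if there is none."""
    for _, rdn in children(name):
        for _, atv in children(rdn):
            oid, val = [v for _, v in children(atv)]
            if oid == OID_CN:
                return val.decode("ascii")
    return ""

def parse_tbs(buf):
    """Return version, serial, issuer/subject CN and the OIDs (hex) of any extensions."""
    _, body, _ = read_tlv(buf)
    fields = list(children(body))
    info = {"version": 1, "extensions": []}
    if fields[0][0] == 0xA0:                       # explicit version present: v2 or v3
        info["version"] = int.from_bytes(next(children(fields[0][1]))[1], "big") + 1
        fields = fields[1:]
    info["serial"] = int.from_bytes(fields[0][1], "big")
    info["issuer"], info["subject"] = cn_of(fields[2][1]), cn_of(fields[4][1])
    for tag, val in fields[6:]:
        if tag == 0xA3:                            # [3] EXPLICIT Extensions, v3 only
            _, exts, _ = read_tlv(val)
            info["extensions"] += [next(children(e))[1].hex() for _, e in children(exts)]
    return info

def smime_capable(info):
    """Only a v3 certificate can state what its key is for; require a keyUsage extension."""
    return info["version"] == 3 and OID_KEY_USAGE.hex() in info["extensions"]

# Constructed sample certificates: a legacy v1 one and a v3 one with keyUsage.
V1_CERT = build_tbs(1, 0x1001, "Exchange KMS", "Legacy Outlook 97 User")
V3_CERT = build_tbs(3, 0x1002, "Certificate Services", "S/MIME User", [key_usage_ext(True, True)])

if __name__ == "__main__":
    for blob in (V1_CERT, V3_CERT):
        info = parse_tbs(blob)
        print(info, "S/MIME-capable:", smime_capable(info))
```

The parser keys on structure rather than on a version number read from a fixed offset: if the first element of the TBSCertificate is the `[0]` context tag the certificate is v2 or v3, otherwise it is v1, which is exactly why a v1 certificate can never carry the `[3]` extensions block that a key usage or CRL distribution point lives in.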

