Configuring Security

Key Pairs

KMS uses the certificates issued by Certificate Services to create key pairs. A user's key pair consists of a public key, stored in Active Directory and available to anyone, and a private key, kept on the client computer in a secure location. Private keys are available only to the user. The keys are bound to the user by the certificate that the keys were created from.

Every Advanced Security user has at least two key pairs. During enrollment, the Key Management Server generates a key pair for message encryption, while Microsoft Outlook generates a key pair for digital signatures. A copy of every user's private key is securely stored in an encrypted database on the user's Key Management server.

Note   If you choose to have KMS issue X.509v1 certificates to older clients in your organization, your users will have an extra signature key pair. One key pair will be used to digitally sign messages with version 3 certificates, the other key pair will be used with version 1 certificates.


In public key encryption, the sender retrieves the recipient's public key from Active Directory and uses it to encrypt a message. Only the recipient's corresponding private key can decrypt it. This ensures that no other users can read the contents.

Digital Signatures

To digitally sign a message, the sender must use his or her private key. Recipients use the sender's public key to verify the source of the message because only the correct public key will work with the private signing key. This enables recipients to be sure of the identity of the sender.

Because a digital signature contains information based on the contents of the message, verification of the signature also means the integrity of the data is intact. A digitally signed message cannot be tampered with while in transit without being detected.

Digital signatures are also binding for those who sign messages with them. When a user includes a digital signature to make a commitment, they cannot back out of that commitment later by claiming they were impersonated. This is known as non-repudiation. For more information, see Dual Key Pair Systems.

Related Topics

Dual Key Pair Systems