In Exchange 2000, Windows 2000 maintains the certificate trust lists (CTLs) for your
organization, a task previously performed by KMS. A primary
advantage is that you can add the root certificates of outside
parties, such as a company you are partnered with, to your internal
CTL. Some or all of your users automatically trust the external
certificate, which is an arrangement known as
cross-certification.

Install the external organization's root certificate on your
domain controller, and that domain
controller's Group Policy
object (GPO) will publish the certificate to the
domain's CTL within eight hours. If you reboot your computers, the
information will be replicated sooner. For organizations with
sub-domains, you can publish the external certificate to the CTL of
the root domain to have it trusted in your entire organization.
Otherwise, you can publish it to only one sub-domain, and only a
portion of your users will trust it.

Note: Pre-Windows 2000 clients
do not read CTLs published by Windows 2000 GPOs. For these clients,
KMS will automatically publish the CTLs so that Outlook can consult
the CTLs when needed.

To publish an external certificate to a domain controller's
Group Policy object:
1. Obtain the external certificate and have it ready on a floppy
   disk, or save it to a predetermined location.
2. Start Microsoft Management Console (MMC) on the
   domain controller. This should be the domain controller for the
   domain and any sub-domains that you want the external certificate
   to be trusted in. On the Start menu, click Run, type
   MMC, and then click OK.
3. On the Console menu, click Add/Remove Snap-in.
4. In Add/Remove Snap-in, click Add.
5. In Add Standalone Snap-in, click Certificates,
   and then click Add.
6. In Certificates snap-in, click Computer account,
   and then click Finish.
7. In Select Computer, click Local computer if it is
   not already selected, and then click Finish.
8. Close Add Standalone Snap-in, and in Add/Remove
   Snap-in, click OK.
9. In the console window, double-click Certificates (Local
   Computer), and then double-click Trusted Root Certification
   Authorities.
10. Click Certificates to view all of your organization's
    trusted root certificates. To add the external certificate for
    cross-certification, right-click Certificates, point to
    All Tasks, and then click Import.
11. In Certificate Import Wizard, on the File to Import
    screen, type in the location of the external certificate, or click
    Browse to navigate to it.

Note: You can run this
procedure on a Key Management server instead of a domain
controller. Then only your Advanced Security users would trust the
certificate.
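
Before the Import step in the procedure above, confirm that the file really is the partner's root certificate, because everything that root signs becomes trusted in the domain. The script below is an added example, not part of the original procedure: it assumes PowerShell on a current Windows system (PowerShell does not exist on Windows 2000), and $Path and $ExpectedSha256 are hypothetical parameter names for the certificate file and a fingerprint obtained from the partner out of band.

```powershell
# Added example (not from the original page): pre-import checks on an
# external root certificate file. Both parameters are operator-supplied.
param(
    [Parameter(Mandatory = $true)] [string] $Path,
    # SHA-256 fingerprint the partner gave you out of band (assumption).
    [Parameter(Mandatory = $true)] [string] $ExpectedSha256
)

$full = (Resolve-Path -LiteralPath $Path).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $full

# Fingerprint over the DER encoding, compared to the out-of-band value.
$sha      = [System.Security.Cryptography.SHA256]::Create()
$actual   = [BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# Basic Constraints: a CA certificate should assert CA = TRUE.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
$now = Get-Date

$checks = [ordered]@{
    FingerprintMatches  = ($actual -eq $expected)
    # Name comparison only; this does not verify the self-signature.
    SubjectEqualsIssuer = ($cert.Subject -eq $cert.Issuer)
    IsCA                = [bool]($bc -and $bc.CertificateAuthority)
    WithinValidity      = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
}

"Subject : $($cert.Subject)"
"SHA-256 : $actual"
"Expires : $($cert.NotAfter.ToString('u'))"
$checks.GetEnumerator() | ForEach-Object { '{0,-20} {1}' -f $_.Key, $_.Value }

if (@($checks.Values) -contains $false) {
    Write-Error 'Do not import: one or more checks failed.'
    exit 1
}
'All checks passed; the file is ready for the Import step.'
```

A root certificate without a Basic Constraints extension fails the IsCA check here; treat that as a prompt to review the certificate by hand rather than as proof it is invalid.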