Support

Secure Email Certificate Support

How Users Manage Cryptographic Digital IDs in Outlook 2003

Microsoft® Office Outlook® 2003 provides ways for users to manage their digital IDs- the combination of a user's certificate and public and private encryption key set. Digital IDs help to keep users' e-mail messages secure by letting them exchange cryptographic messages. Managing digital IDs can include:

  • Making a digital ID available to others.
  • Exporting a digital ID to a file. This is useful when creating a backup or when migrating to a new computer.
  • Importing a digital ID from a file into Outlook. A digital ID file might be a user's backup copy or might contain a digital ID from another user.
  • Renewing a digital ID. This happens automatically when a digital ID is issued by a certificate authority (CA), unless the certificate has expired.
  • If you use more than one computer, you must copy your digital ID to each computer that you use for cryptographic messaging.

Providing your digital ID to other users

In order to exchange cryptographic e-mail messages with another user, you must have each other's public keys. You provide access to your public key through a certificate. There are several ways to provide your digital ID to others. For example, you can:

 

  • Digitally sign an e-mail message.
  • Use a directory service, such as the Microsoft Exchange Global Address Book.
  • Provide a certificate in a digitally signed e-mail message

  • To provide your public key to another user by using an e-mail message, compose an e-mail message and digitally sign it by using your certificate. When Outlook users receive the signed message, they can right-click on your name on the To line and then click Add to Contacts. The address information is saved in Contacts, and your certificate is saved in the registry.

 

--------------------------------------------------------------------------------
Note If you export a Contacts list, the corresponding certificates are not included. You must add the certificates from a received e-mail message on each computer that you use.
--------------------------------------------------------------------------------

Provide a certificate to a directory service

Another alternative might be for users to automatically retrieve your certificate from an LDAP directory (on a standard LDAP server) when they send an encrypted e-mail message. To gain access to a certificate this way, users must be enrolled in S/MIME security with digital IDs for their e-mail accounts. Or users can obtain certificates from the Global Address Book. To do this, users must be enrolled in Microsoft Exchange Server Advanced Security.
Digital IDs can be stored in three locations:

  • The Microsoft Exchange Global Address Book.
  • A Lightweight Directory Access Protocol (LDAP) directory service.
  • A Microsoft Windows® file.

Microsoft Exchange Global Address Book

Users who enroll in Exchange Advanced Security have their certificates stored in their organization's Global Address Book. Alternatively, users can open the Global Address Book by using their LDAP provider.  Only certificates generated by Microsoft Exchange Server Advanced Security or by Microsoft Exchange Key Management Server are automatically published in the Global Address Book. However, externally generated certificates such as the TrustMail Certificates can be manually published to the Global Address Book (by using the Publish to GAL button in Tools | Options | Security).

Internet directory service (LDAP)
External directory services, certificate authorities, or other certificate providers can publish their users' certificates through an LDAP directory service. Outlook 2003 allows access to these certificates through LDAP directories.



Windows file
Components for your digital ID can be stored on your computer. You export your digital ID to a file by using Import/Export in Tools | Options | Security. You can encrypt the file when you create it by providing a password.



Importing digital IDs
You can import a digital ID from a file. This is useful, for example, if you want to send cryptographic e-mail messages from a new computer you have just begun using. Each computer from which you send cryptographic e-mail messages must have your certificates installed. You import digital IDs from a file by using Import/Export in Tools | Options | Security.
 

 

 


Renewing keys and certificates


A time limit is associated with each certificate and private key. When the keys given by the Microsoft Exchange Key Management Server or another certificate authority approach the end of the designated time period, Outlook displays a warning message and offers to renew the keys. Outlook prompts the user, offering to send the renewal message to the server or to the CA on each user's behalf.

If users do not choose to renew a certificate before it expires, they must contact the certificate authority to renew the certificate.

Web Trust Compliant