Lesson 4: Deploying S/MIME Certificates
Digitally signing and encrypting e-mail is one of the primary reasons for deploying a PKI: a signature lets the recipient detect forgery and tampering, and encryption keeps the message body from being read in transit or on an intermediate mail server. Creating and deploying S/MIME certificates that work with a wide range of e-mail clients is a key feature of Windows 2000 Certificate Services.
Request and issue S/MIME certificates
Send digitally signed e-mail from Microsoft Outlook Express
How S/MIME Certificates Are Used
While standard Windows 2000 user certificates allow users to digitally sign and encrypt e-mail from Outlook, Outlook Express and many third-party e-mail clients require S/MIME certificates that carry the user's e-mail address in the certificate's identity field: the E= (emailAddress) attribute of the Subject or, preferably, an rfc822Name entry in the Subject Alternative Name extension. The client compares that address with the address configured for the mail account. The requirement exists to defeat a certificate that is valid for one person but is used to sign mail claiming to come from a different return address.
Inside a domain, a user's identity has already been established by the domain logon, so a user certificate issued to that account does not need an embedded e-mail address to show who the holder is. E-mail applications that do not rely on domain logon have no such context, which is why standard user certificates from an enterprise CA are inappropriate for them.
An enterprise CA cannot issue the S/MIME certificates described in this lesson, because enterprise user certificates are designed to take all of their subject information from Active Directory and to be issued automatically, without user or administrative intervention. A user account's e-mail attribute in Active Directory is empty unless an administrator (or a directory-aware mail system) populates it, so a certificate from an enterprise CA does not necessarily contain the address that some e-mail clients insist on. Outlook is designed to work with user certificates issued by an enterprise CA; most other e-mail clients, including Outlook Express, are not.
A stand-alone CA can produce S/MIME certificates that work in S/MIME-compliant e-mail clients by using the S/MIME certificate template (shown on the CertSrv Web site as E-Mail Protection Certificate), which lets the requester type the name and e-mail address that will be placed in the certificate. To request these certificates, you must have a stand-alone CA configured to issue certificates using the S/MIME certificate template.
Troubleshooting S/MIME Deployment
If your e-mail client will not import a certificate or will not use it to sign mail, the certificate does not meet that client's requirements for S/MIME certificates. The most likely cause is that the client requires the certificate's identity field (Subject E= or Subject Alternative Name rfc822Name) to contain the user's e-mail address, and the certificate either has no address or has one that does not match the address configured for the account in the client. Also confirm that the workstation trusts the CA that issued the certificate; a certificate from a CA whose chain is not trusted will be rejected regardless of its contents.
Remember that you can create "e-mail only" S/MIME certificates that satisfy the embedded e-mail address requirement only from a stand-alone CA. An enterprise CA, however, can issue user certificates that some e-mail clients, including Outlook, can use to sign and encrypt messages.
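The checks a client applies can be scripted, which is faster than opening each certificate in the Certificates dialog box when a user reports that signing does not work. The following PowerShell is an added example, not part of this lesson or of Certificate Services: it walks the logged-on user's Personal certificate store and reports, for each certificate, whether the embedded e-mail address matches the configured account address (packerman@fabrikam.com is assumed, as in the practice), whether the Enhanced Key Usage permits Secure Email, whether the key usage allows signing and key encipherment, whether the private key is present, and whether the chain is trusted. Windows PowerShell 3.0 or later is assumed; Windows 2000 itself has no PowerShell, so this is the check you would run from a current workstation holding the same certificates. The same inspection covers the "Verify the certificate's uses" step in the practice below.

```powershell
# Added example, not part of the lesson or of Certificate Services.
# Assumptions: Windows PowerShell 3.0 or later on the workstation; the account
# address is packerman@fabrikam.com (the address used in the practice).

$ConfiguredAddress = 'packerman@fabrikam.com'
$SecureEmailEku    = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection ("Secure Email")

function Test-SmimeCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)]
        [string]$EmailAddress
    )
    $problems = @()

    # 1. The e-mail address must be in the certificate. GetNameInfo looks in the
    #    Subject Alternative Name (rfc822Name) first and then in the Subject E=
    #    attribute; together these are the "identity field" the lesson refers to.
    $certEmail = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)
    if ([string]::IsNullOrEmpty($certEmail)) {
        $problems += 'no e-mail address in the Subject or Subject Alternative Name'
    } elseif ($certEmail -ne $EmailAddress) {   # -ne compares case-insensitively
        $problems += "certificate address '$certEmail' does not match account '$EmailAddress'"
    }

    # 2. If an Enhanced Key Usage extension is present it must list Secure Email.
    #    (No EKU extension at all means the certificate is valid for any purpose.)
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages.Value -contains $SecureEmailEku)) {
        $problems += "Enhanced Key Usage does not include Secure Email ($SecureEmailEku)"
    }

    # 3. If a Key Usage extension is present it must allow signing, and key
    #    encipherment if the user is also to receive encrypted mail.
    $ku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if ($ku) {
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
        if (-not $ku.KeyUsages.HasFlag($flags::DigitalSignature)) {
            $problems += 'Key Usage lacks Digital Signature (cannot sign)'
        }
        if (-not $ku.KeyUsages.HasFlag($flags::KeyEncipherment)) {
            $problems += 'Key Usage lacks Key Encipherment (cannot receive encrypted mail)'
        }
    }

    # 4. Signing needs the private key, and the certificate must be current.
    if (-not $Certificate.HasPrivateKey) { $problems += 'private key is not available' }
    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) {
        $problems += 'certificate is outside its validity period'
    }

    # 5. The issuing chain must be trusted. Verify() builds the chain and checks
    #    revocation, so it also fails when the CRL distribution point is unreachable.
    if (-not $Certificate.Verify()) { $problems += 'chain does not verify (untrusted CA or CRL check failed)' }

    [pscustomobject]@{
        Subject        = $Certificate.Subject
        Issuer         = $Certificate.Issuer
        EmailInCert    = $certEmail
        UsableForSmime = ($problems.Count -eq 0)
        Problems       = $problems
    }
}

# Check every certificate in the logged-on user's Personal store.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-SmimeCertificate -Certificate $_ -EmailAddress $ConfiguredAddress } |
    Format-List
```

Run it as the user whose mail account is configured. A certificate reported with an empty EmailInCert is exactly the case described above: the fix is a new request from the stand-alone CA, not a change in the client.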
Practice: Sending Digitally Signed E-mail
In this practice, you will configure Outlook Express for a user, request an S/MIME certificate appropriate for use in Outlook Express, install that certificate, and use it to digitally sign an e-mail message. This practice requires access to the stand-alone subordinate CA created in Chapter 5, "Certificate Authorities," and will not work correctly if you attempt to use an enterprise CA. It also requires access to the Windows 2000 Professional workstation from which the user will request the certificate and send e-mail messages.
Because the Outlook Express configuration depicted in this practice refers to a fictitious e-mail server, Outlook Express will warn that it cannot find the e-mail server at each attempted connection. For the purposes of this exercise, actually transmitting e-mail is not necessary, so these warnings can be ignored. You may elect to configure Outlook Express using your actual e-mail credentials if you'd like to see the process complete without errors.
To configure Outlook Express
1. Log on to the client workstation as user Pilar Ackerman, user name packerman.
2. Click Start, point to Programs, and then click Outlook Express. If the Internet Connection Wizard appears, continue with step 5.
3. If the Internet Connection Wizard does not appear, choose Accounts from the Tools menu. The Internet Accounts dialog box appears.
4. In the Internet Accounts dialog box, click Add, and then choose Mail. The Internet Connection Wizard appears.
5. Type Pilar Ackerman as the Display Name, and press Enter.
6. Type packerman@fabrikam.com in the E-mail Address box, and press Enter.
7. Type mail.Fabrikam.com in the Incoming Mail Server box.
8. Type mail.Fabrikam.com in the Outgoing Mail Server box.
9. Type packerman in the Account Name box.
10. Click Next, and then click Finish.
11. If you opened the Internet Accounts dialog box in step 3, click Close. Outlook Express is now configured and ready to use.
To verify that no S/MIME certificate is installed
Perform this procedure on the workstation logged on as user packerman.
1. In Outlook Express, click New Mail. The New Message window opens.
2. Type sabbas@fabrikam.com in the To box.
3. Type Test Message in the Subject box.
4. Type Test as the body of the message.
5. Click the Sign button in the toolbar, as shown in Figure 6-25.
Figure 6-25. Digitally signing e-mail in Outlook Express
6. Click Send. A dialog box appears stating that you cannot send digitally signed messages because you do not have a digital ID for this account.
7. Click Cancel, and close the e-mail message. Click No when asked to save changes.
8. Close Outlook Express.
To request an S/MIME certificate
Perform this procedure on the workstation logged on as user packerman.
1. Open Internet Explorer.
2. Browse to http://ms02/certsrv/. The Microsoft Certificate Services Web site appears.
You must browse to the CA configured as the stand-alone subordinate CA. You cannot request S/MIME certificates appropriate for use in Outlook Express from an enterprise CA; a user certificate from an enterprise CA is, however, appropriate for use in standard Outlook.
3. Select Request A Certificate, and click Next. The Request Type page appears.
4. Select E-Mail Protection Certificate, and then click Next. The E-Mail Protection Certificate Identifying Information page appears, as shown in Figure 6-26.
Figure 6-26. Requesting an S/MIME certificate
5. Type Pilar Ackerman in the Name box.
6. Type packerman@fabrikam.com in the E-Mail box. This is the address that will be embedded in the certificate, so it must match the address configured for the account in Outlook Express.
7. Click Submit. The Certificate Pending page appears; the request waits for an administrator to issue it.
8. Close Internet Explorer.
To issue the certificate
Perform this procedure on the stand-alone subordinate CA server.
1. Open the Certification Authority management console.
2. Expand Fabrikam Web SSL and S/MIME Certifier, and select Pending Requests. A list of pending certificate requests appears in the management console.
3. Right-click the request with the Request Common Name of Pilar Ackerman, point to All Tasks, and then click Issue.
4. Close the management console.
To install the issued certificate
Perform this procedure on the workstation logged on as user packerman.
1. Open Internet Explorer and browse to http://ms02/certsrv. The Microsoft Certificate Services Web site appears.
2. Select Check On A Pending Certificate, and click Next.
3. Select the E-Mail Protection Certificate, and click Next. The Certificate Issued page appears.
4. Click Install This Certificate.
5. From the Tools menu, choose Internet Options. The Internet Options dialog box appears.
6. Click the Content tab, and then click the Certificates button.
7. On the Personal tab, double-click the Pilar Ackerman certificate. The Certificate dialog box appears, containing information about the issued certificate.
8. Verify the certificate's uses. On the General tab, the certificate's purposes should include Protects e-mail messages. On the Details tab, confirm that packerman@fabrikam.com appears in the Subject field (E=) and in the Subject Alternative Name field (RFC822 Name); this is the address Outlook Express will compare with the account settings.
9. Close all of the dialog boxes and the Web browser.
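The three procedures above (request, issue, install) can also be carried out from the command line, which is how you would enroll many users or automate a stand-alone CA. The script below is an added example rather than part of the lesson, and it assumes certreq.exe and certutil.exe from Windows Server 2003 or later (Windows 2000 shipped older versions that lack some of these switches), the CA name and server from the practice (MS02, "Fabrikam Web SSL and S/MIME Certifier"), and a CA that still holds new requests as pending. The middle section must run under an account with CA manager rights; the rest runs as packerman, and the RequestId printed by certreq -submit links the two. The certutil column names and the certreq output line matched by the regular expression are as they appear in current versions of those tools; treat them as assumptions.

```powershell
# Added example, not part of the lesson or of Certificate Services.
# Assumptions: certreq.exe and certutil.exe from Windows Server 2003 or later
# (Windows 2000 shipped older versions); the stand-alone subordinate CA from the
# practice, "Fabrikam Web SSL and S/MIME Certifier" on server MS02, set to hold
# new requests as pending; certutil column names and certreq output lines as in
# current versions of those tools.

$CaConfig = 'ms02\Fabrikam Web SSL and S/MIME Certifier'   # "<server>\<CA common name>"
$Name     = 'Pilar Ackerman'
$Email    = 'packerman@fabrikam.com'
$Work     = Join-Path $env:TEMP 'smime'
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$infPath  = Join-Path $Work 'packerman.inf'
$reqPath  = Join-Path $Work 'packerman.req'
$cerPath  = Join-Path $Work 'packerman.cer'

# ---- On the workstation, logged on as packerman: create and submit the request ----
# A stand-alone CA issues the Subject as requested, which is what lets the requester
# supply the e-mail address. It goes into the Subject (E=) and, as RFC 3850 requires
# for S/MIME, into the Subject Alternative Name as an rfc822Name. KeyUsage 0xA0 is
# digitalSignature (0x80) + keyEncipherment (0x20), so one key both signs and receives
# encrypted mail; the Enhanced Key Usage is Secure Email.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$Name,E=$Email"
KeySpec = 1
KeyLength = 2048
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = FALSE
ProviderName = "Microsoft Enhanced Cryptographic Provider v1.0"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.4

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "email=$Email&"
"@
Set-Content -Path $infPath -Value $inf -Encoding Ascii

certreq.exe -new $infPath $reqPath
# The CA pends the request, so -submit reports "Certificate request is pending"
# and prints the RequestId that identifies it in the Pending Requests folder.
$submitOutput = certreq.exe -submit -config $CaConfig $reqPath $cerPath
$requestId = [regex]::Match(($submitOutput -join "`n"), 'RequestId:\s*(\d+)').Groups[1].Value
"Request $requestId submitted; waiting for a CA manager to issue it."

# ---- On the CA (or remotely with -config), as a CA manager: issue the pending request ----
# Same as Pending Requests -> All Tasks -> Issue in the console. Disposition 9 = pending.
certutil.exe -config $CaConfig -view -restrict "Disposition=9" -out "RequestID,Request.CommonName,Request.Email"
certutil.exe -config $CaConfig -resubmit $requestId

# ---- Back on the workstation as packerman: retrieve and install ----
# Same as Check On A Pending Certificate -> Install This Certificate.
certreq.exe -retrieve -config $CaConfig $requestId $cerPath
certreq.exe -accept $cerPath      # pairs the certificate with its private key in Cert:\CurrentUser\My

# What Outlook Express will look at: the Subject E=, the RFC822 name and the EKU.
certutil.exe -dump $cerPath | Select-String -Pattern 'E=', 'RFC822 Name', 'Secure Email'
```

Submitting the same .inf to an enterprise CA would not produce the same certificate: the enterprise CA applies its template and builds the subject from Active Directory, which is the limitation this lesson describes.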
To send digitally signed e-mail messages
1. Open Outlook Express. If an error message appears stating that mail.Fabrikam.com cannot be reached, click Hide.
2. Click New Mail. An empty e-mail message window appears.
3. Type sabbas@fabrikam.com in the To box.
4. Type Test Message in the Subject box.
5. Type Test as the body of the message.
6. Click the Sign button.
7. Click Send.
8. Click Outbox. Notice that the message has been placed in the Outbox and carries the digital signature icon; the signature was computed with the private key that belongs to the certificate you just installed.
You cannot encrypt e-mail to a recipient until you have that person's certificate, which contains the public key used to encrypt the message. The usual way to obtain it is to receive a digitally signed message from the recipient: S/MIME signed messages carry the signer's certificate, and Outlook Express stores it with the sender's entry in the Address Book so that later messages to that person can be encrypted. The recipient's certificate must itself be valid for Secure Email and allow key encipherment, and your workstation must trust the CA that issued it.
Lesson Review
The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.
Why can't you use user certificates in many e-mail clients to sign and encrypt e-mail?
Why is an e-mail address usually required in the Identity field of an S/MIME certificate?
Why don't user certificates contain e-mail addresses?
Why does Outlook accept user certificates if they don't contain an e-mail address?
Lesson Summary
S/MIME certificates are required to digitally sign and encrypt e-mail in S/MIME-compliant clients such as Outlook, Outlook Express, and most other vendors' e-mail programs. Most of these clients require the certificate's identity field (the Subject's E= attribute or an rfc822Name entry in the Subject Alternative Name) to match the e-mail address configured in the account settings.
A certificate from the user template can serve as an S/MIME certificate in programs that do not require the e-mail address in the certificate's identity field, such as Outlook. For all other e-mail applications, use certificates generated from the S/MIME template (E-Mail Protection Certificate on the CertSrv Web site). That template is available only on a stand-alone CA and asks requesters for their e-mail address, which is embedded in the certificate's identity field.
You must therefore use a stand-alone CA to generate S/MIME certificates for most e-mail clients. If your users run Outlook, an enterprise CA can generate user certificates that work for S/MIME.