Implementing Secured Email Communications with Exchange 2003


Encrypted email communication is set up through the autoenrollment of email certificates, which are issued to users via Group Policy. The process can be automated to the point where users are issued certificates, the certificates are installed automatically, and the user can immediately begin to send and receive encrypted messages.

If you completed the autoenrollment steps for a user certificate at the very beginning of this text, that certificate will also work for Outlook/Exchange email encryption.

To validate that the certificate has installed, simply do the following:

1. Launch Microsoft Outlook.
2. Select Tools | Options, and then click on the Security tab.
3. Click on Settings; My S/MIME Settings should already be configured for the user.
4. Click OK, and then OK again, to exit.

With a certificate already issued for Outlook, users can begin to send and receive encrypted emails with other users in the organization.

Specifically Configuring Exchange User Certificate Operations

If you have not already set up an AutoEnroll User certificate template as described in the "Configuring Autoenrollment of Certificates" section earlier in this text, or if you want an Exchange User certificate template that is independent of the user template, complete the following process.

To have certificates automatically installed for the Exchange users in Active Directory, do the following:

1. On the certificate server you just created, launch the Certificate Templates Microsoft Management Console (MMC) by clicking Start | Run, typing mmc.exe, and clicking OK.
2. Click File | Add/Remove Snap-in, and then click Add.
3. Select Certificate Templates, and then click Add.
4. Click Close, and then click OK.
5. Click on the Certificate Templates folder.
6. Right-click on the Exchange User template and select Duplicate Template.
7. For the Template display name, enter AutoEnroll Exchange User.
8. Make sure the Publish Certificate in Active Directory and the Do Not Automatically Reenroll options are both checked. The screen should look similar to Figure 23.

Figure 23. Creating an AutoEnroll Exchange User template.

9. Click on the Security tab.
10. Highlight Authenticated Users and select the Allow check boxes for Enroll and Autoenroll. The result should show the Read, Enroll, and Autoenroll check boxes selected for Authenticated Users.
11. Click OK.

Adding the Template to the Certificate Server

After the AutoEnroll Exchange User template has been created, it needs to be added to the certificate server and distributed to users. This is done as follows:

1. Launch the Certification Authority Microsoft Management Console (MMC) by clicking Start | Run, typing mmc.exe, and clicking OK.
2. Click File | Add/Remove Snap-in, and then click Add.
3. Select the Certification Authority snap-in and then click Add. Assuming you are on the certificate server, select Local Computer, and then click Finish.
4. Click Close, and then click OK.
5. Expand the Certification Authority folder.
6. Expand the folder for your certificate server.
7. Right-click on the Certificate Templates folder and select New | Certificate Template to Issue.
8. Highlight the AutoEnroll Exchange User template, and then click OK.

Note

This step adds the AutoEnroll Exchange User template you created earlier to the list of templates the certificate server will issue. Once issued, the template allows user certificates to be distributed automatically through Group Policy.


Creating a Group Policy to Distribute User Certificates

The next step for autoenrollment is to create a group policy that automatically distributes the certificates created in the previous step to the users' laptops and desktops. To create this group policy, do the following:

1. Launch Active Directory Users and Computers by selecting Start | Programs | Administrative Tools | Active Directory Users and Computers.
2. Right-click on the forest name of the network (such as companyabc.com) and choose Properties.
3. Click on the Group Policy tab.
4. Highlight the Default Domain Policy and click Edit.
5. Under the User Configuration container, expand the Windows Settings folder.
6. Expand the Security Settings folder and then click to select the Public Key Policies folder. You will see an Autoenrollment Settings object, as shown in Figure 24.
7. Right-click the Autoenrollment Settings object and select Properties.
8. Check the Renew Expired Certificates, Update Pending Certificates, and Remove Revoked Certificates option, as well as the Update Certificates That Use Certificate Templates option. Then click OK.

Figure 24. Expanding folders to access the Autoenrollment Settings object.


Validating That Certificates Are Working Properly

The autoenrollment of user certificates has now been configured for all users that log on to the domain. To validate that certificates are working properly, do the following:

1. From a Windows XP workstation, log on to the domain.
2. Launch the Certificates Microsoft Management Console (MMC) by clicking Start | Run, typing mmc.exe, and clicking OK.
3. Click File | Add/Remove Snap-in, and then click Add.
4. Select the Certificates snap-in and then click Add. Assuming you logged on as the user and want to verify that certificates are working, choose My User Account, and then click Finish.
5. Click Close, and then click OK.
6. Expand the Certificates - Current User folder.
7. Expand the Personal folder and click to highlight the Certificates folder.
8. You should have a Client Authentication certificate created by the AutoEnroll Exchange User certificate template, as shown in Figure 25.

Figure 25. Exchange User certificate added to the user's Certificates folder.


If for some reason the Exchange User certificate has not pushed to the user's certificate container, you can easily add the certificate by doing the following:

1. From a Windows XP workstation, log on to the domain.
2. Launch the Certificates Microsoft Management Console (MMC) by clicking Start | Run, typing mmc.exe, and clicking OK.
3. Click File | Add/Remove Snap-in, and then click Add.
4. Select the Certificates snap-in and then click Add. Assuming you logged on as the user who needs the certificate, choose My User Account, and then click Finish.
5. Click Close, and then click OK.
6. Expand the Certificates - Current User folder.
7. Expand the Personal folder, right-click the Certificates folder, and choose All Tasks | Request New Certificate; then click Next to begin the wizard.
8. Highlight AutoEnroll Exchange User, and then click Next.
9. Click Next through the Friendly Name and Description page.
10. Click Finish.

Making Sure Outlook Acknowledges the Certificate

After autoenrollment has issued a certificate to the user, and the user has confirmed that the certificate has been successfully received, you can confirm that Microsoft Outlook recognizes the certificate for encrypted communications. To do so, do the following:

1. Launch Outlook.
2. Choose Tools | Options, and then click on the Security tab.
3. Click the Settings button. The certificate listed under Security Settings Name is the email certificate that enables you to send and receive encrypted communications.
4. Click OK, and then OK again, to continue.

Sending a Digitally Signed Email

With the email certificate installed, you can now begin the process of sending and receiving encrypted emails. However, to complete the process, you need to communicate with someone who also has a certificate to send and receive encrypted emails. Email encryption requires both the sender and the receiver to have valid certificates.

The easiest process for setting up encrypted email communications is to send a user a digitally signed email with a copy of your public key certificate attached. With a digitally signed email and a copy of your public key, the recipient can then add your certificate to his address book, and then he can reply to the message by sending you his public key. After you have exchanged public keys, you can send and receive encrypted emails.

The process for sending a person a digitally signed email with your public key is as follows:

1. Launch Outlook.
2. Create a new email by selecting Action | New Mail Message.
3. Enter the email address of the recipient with whom you want to communicate in the To field, and enter a subject such as Initial Email for Secured Communications.
4. For the body of the message, you might want to enter the following text: Here is an email message that will help us initiate secured communications. I am attaching a copy of my certificate for you to install; please reply to the message with a copy of your certificate.

Note

Writing a message in the body of the email might not be necessary. However, in this day and age of spam filters, sometimes if you just send a message with your digital signature and an attachment of your public key, the message will be quarantined in the recipient's spam filter. So you are best off writing a few words to describe what you are doing as part of the message.

5. Click on the Options button and then click on the Security Settings button.
6. Select the Add Digital Signature to This Message option and then select Send This Message As Clear Text Signed, as shown in Figure 26.

Figure 26. Security properties for sending an initial secured message.

7. Click on the Change Settings button and make sure the Send These Certificates with Signed Message check box is selected so that your certificate is sent with the message, and then click OK.
8. Click OK, and then click Close.
9. Click Send to send the message.

Your message will now be sent to the recipient with a copy of your certificate in a digitally signed email message. When the recipient opens the message, he will likely get an error that says, "There are problems with the signature. Click the signature button for details," as shown in Figure 27. This message is displayed because the certificate being received comes from a domain the recipient has not communicated with in a secured or encrypted manner before, so it is not yet trusted on his system.

Figure 27. Initial receipt of a digitally signed, but not yet trusted, message.


If the recipient wants to confirm that you indeed sent the message and he can trust your certificate, he should do the following:

1. Click on the yellow warning icon on the right side of the email message. A notice will appear, as shown in Figure 28.

Figure 28. Certificate of Authority warning.

2. Click on Trust.
3. A warning prompt will appear about trusting the sender. Click Yes to accept the trust.
4. Close and then reopen the email. There should no longer be an error, and the digital signature will be confirmed.

Your certificate has now been installed on the recipient's system, but now he needs to send you his certificate so you can follow the exact same procedures to install his certificate on your system. The recipient should follow the procedure described in "Sending a Digitally Signed Email," with you accepting his message and trusting his certificate.

Sending Encrypted Email Messages

After you have exchanged certificates, you can now send and receive fully encrypted email messages with another individual. To do so, do the following:

1. Launch Outlook.
2. Create a new email by selecting Action | New Mail Message.
3. Enter the email address of the recipient with whom you want to communicate in the To field, and enter a subject such as Encrypted Email Message.
4. For the body of the message, you might want to enter text such as Here is an email message that should now be encrypted. Please let me know if you successfully receive this message.
5. Click on the Options button and then click on the Security Settings button.
6. Select Encrypt Message Contents and Attachments, click OK, and then click Close.
7. Click Send to send the message.

The recipient will receive an encrypted copy of your message. This process not only works with Microsoft Outlook within an organization, but works the same way when you want to send and receive encrypted messages with individuals outside of your organization. If they are also running Outlook 2003, the process for installing your certificate into their address book is the same as described previously. If they are using a different email system, they might need to detach the certificate from the signed message, save it, and manually import it into their address book.
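The following is an added example, not code from the book or from Microsoft: it shows what a recipient on a non-Outlook system has to do with the clear-signed message described in "Sending a Digitally Signed Email" in order to detach the sender's certificate. The message is parsed with the Python standard library, the PKCS#7 SignedData in the smime.p7s part is walked with a minimal DER reader to pull out the attached certificate(s), and each certificate is checked for the Secure Email key usage that an Exchange User certificate must carry. The addresses, the sample message and the skeletal certificate are constructed fixtures; the DER encoder at the bottom exists only to build them. The check looks at the key usage only, not at the signature or the issuing chain.

```python
"""Added example (not from the book): detach the sender's certificate from an
S/MIME clear-signed message and check it for the Secure Email key usage.
Standard library only; all sample data below is constructed."""
import base64
import email
from email import policy

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"   # PKCS#7 signedData content type
OID_EXT_KEY_USAGE = "2.5.29.37"             # X.509 extKeyUsage extension
OID_SECURE_EMAIL = "1.3.6.1.5.5.7.3.4"      # id-kp-emailProtection (S/MIME)
SIGNATURE_TYPES = ("application/pkcs7-signature", "application/x-pkcs7-signature")


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, raw_tlv, next_pos)."""
    start, tag, length = pos, buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end


def children(value):
    """Split the body of a constructed DER element into (tag, value, raw) triples."""
    out, pos = [], 0
    while pos < len(value):
        tag, body, raw, pos = read_tlv(value, pos)
        out.append((tag, body, raw))
    return out


def decode_oid(body):
    """Turn the encoded arcs of an OBJECT IDENTIFIER into dotted form."""
    arcs, val = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(val))
            val = 0
    return ".".join(arcs)


def signature_part(raw_message):
    """Return the DER bytes of the application/pkcs7-signature part, or None if unsigned."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() in SIGNATURE_TYPES:
            return part.get_payload(decode=True)
    return None


def extract_certificates(pkcs7_der):
    """Return the DER certificates carried in a PKCS#7 SignedData (what Outlook attaches
    when 'Send These Certificates with Signed Message' is selected)."""
    _, content_info, _, _ = read_tlv(pkcs7_der, 0)
    oid, explicit0 = children(content_info)[:2]
    if decode_oid(oid[1]) != OID_SIGNED_DATA:
        raise ValueError("not a PKCS#7 signedData structure")
    signed_data = children(explicit0[1])[0][1]   # [0] EXPLICIT wraps the SignedData SEQUENCE
    for tag, body, _ in children(signed_data):
        if tag == 0xA0:                           # certificates [0] IMPLICIT SET OF Certificate
            return [raw for _, _, raw in children(body)]
    return []


def has_secure_email_eku(cert_der):
    """Walk the certificate's constructed nodes and report whether extKeyUsage lists Secure Email."""
    def walk(tag, body):
        if not tag & 0x20:                        # primitive node: nothing to descend into
            return False
        kids = children(body)
        if tag == 0x30 and kids and kids[0][0] == 0x06 and decode_oid(kids[0][1]) == OID_EXT_KEY_USAGE:
            _, eku_seq, _, _ = read_tlv(kids[-1][1], 0)   # extnValue OCTET STRING holds SEQUENCE OF OID
            return any(decode_oid(b) == OID_SECURE_EMAIL for t, b, _ in children(eku_seq) if t == 0x06)
        return any(walk(t, b) for t, b, _ in kids)
    tag, body, _, _ = read_tlv(cert_der, 0)
    return walk(tag, body)


def sender_certificates(raw_message):
    """Pair each certificate attached to a signed message with whether it is usable for S/MIME."""
    sig = signature_part(raw_message)
    return [] if sig is None else [(c, has_secure_email_eku(c)) for c in extract_certificates(sig)]


# ---- constructed fixtures (the encoder is needed only to build them) ----
def der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(chunk)
    return der(0x06, body)


def build_sample_signed_data(eku_oids):
    """Skeletal 'certificate' (serial + extensions only, not a real one) wrapped in SignedData."""
    eku = der(0x30, encode_oid(OID_EXT_KEY_USAGE) + der(0x04, der(0x30, b"".join(map(encode_oid, eku_oids)))))
    tbs = der(0x30, der(0x02, b"\x01") + der(0xA3, der(0x30, eku)))
    cert = der(0x30, tbs + der(0x30, encode_oid("1.2.840.113549.1.1.5")) + der(0x03, b"\x00"))
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, encode_oid("1.2.840.113549.1.7.1"))
                 + der(0xA0, cert) + der(0x31, b""))
    return der(0x30, encode_oid(OID_SIGNED_DATA) + der(0xA0, signed))


def build_sample_message(pkcs7_der):
    """Constructed clear-signed message in the multipart/signed layout Outlook produces."""
    b = "smime-boundary"
    return ("From: alice@companyabc.com\nTo: bob@companyabc.com\n"
            "Subject: Initial Email for Secured Communications\nMIME-Version: 1.0\n"
            f'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="{b}"\n\n'
            f"--{b}\nContent-Type: text/plain\n\nHere is an email message that will help us initiate secured communications.\n"
            f"--{b}\nContent-Type: application/pkcs7-signature; name=smime.p7s\nContent-Transfer-Encoding: base64\n\n"
            + base64.encodebytes(pkcs7_der).decode() + f"--{b}--\n")
```

Feeding `sender_certificates()` a real clear-signed message gives the DER certificate bytes that a non-Outlook client needs to import into its address book, plus a quick sanity check that the certificate is meant for email protection at all. The trust decision Outlook makes behind the yellow warning icon (is the issuing authority trusted, does the signature verify) is a separate step and should be done with a full X.509/CMS library, not with this reader.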




Encryption in a Windows Environment: EFS File, 802.1x Wireless, IPSec Transport, and S/MIME Exchange
ISBN: B000P28WKS
Year: 2006
Pages: 13
Author: Rand Morimoto
