http://www.microsoft.com/office/ork  
Using Security Features in Outlook

Working with Security Keys and Certificates

Occasionally, you must renew, import, or export a set of security keys and digital certificates. For example, you might need to change computers and take your Digital ID (the combination of your certificate and private encryption key) with you, or you might need to get someone’s public security key in order to send them encrypted e-mail messages. Outlook provides ways to manage your security keys and certificates so that you can keep your e-mail messages secure.

Your Digital ID includes your digital certificate and public and private key set. Components for your Digital ID are stored in the Windows registry on your computer. The key set is encrypted using a password that you supply. If you use more than one computer, you must copy your Digital ID to each computer that you use.

Tip   Make a copy of your Digital ID for safekeeping. You can protect the file that contains the copy by encrypting it and by using a password.
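The following PowerShell script is an added example, not part of the Resource Kit, showing the backup the tip describes on a current Windows system, where a Digital ID lives in the user's personal certificate store rather than the Outlook 2000 registry location. It assumes the PKI module cmdlets Export-PfxCertificate and Import-PfxCertificate are available (Windows 8 / Server 2012 and later) and that the private key was marked exportable when the Digital ID was installed; the e-mail address and file path are placeholders.

```powershell
# Added example (not Resource Kit code): back up a Digital ID (certificate plus private key)
# to a password-protected PFX file, then restore it on a second computer.
# Assumes the PKI module (Windows 8 / Server 2012 or later). Address and path are placeholders.
$EmailAddress   = 'user@example.com'                                  # placeholder
$BackupPath     = "$env:USERPROFILE\Documents\digital-id-backup.pfx"  # placeholder
$SecureEmailEku = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection, the S/MIME extended key usage

# 1. Locate the Digital ID: a personal-store certificate that has a private key, carries the
#    secure e-mail EKU, and names this address in its subject or Subject Alternative Name.
$digitalId = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object {
        $names = $_.Subject
        $san = $_.Extensions['2.5.29.17']            # Subject Alternative Name, if present
        if ($san) { $names += ' ' + $san.Format($false) }
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $SecureEmailEku) -and
        ($names -match [regex]::Escape($EmailAddress))
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $digitalId) { throw "No Digital ID with a private key was found for $EmailAddress" }

# 2. Export certificate and private key, encrypted under a password chosen here. The export
#    fails with an error if the key was installed as non-exportable; in that case the Digital
#    ID must be re-obtained on the other computer instead of copied.
$password = Read-Host -Prompt 'Password to protect the backup file' -AsSecureString
Export-PfxCertificate -Cert $digitalId -FilePath $BackupPath -Password $password | Out-Null
Write-Host "Backed up $($digitalId.Subject) (thumbprint $($digitalId.Thumbprint)) to $BackupPath"

# 3. On the other computer, restore into the personal store. -Exportable keeps the key
#    exportable so that a future backup from that machine remains possible.
# Import-PfxCertificate -FilePath $BackupPath -CertStoreLocation Cert:\CurrentUser\My `
#     -Password $password -Exportable
```

The backup file holds the private key, so it deserves the same care as the password that protects it: store the two separately, and delete the copy from any intermediate location once the restore has succeeded.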


Storing digital certificates

Certificates can be stored in three locations:

Microsoft Exchange Global Address Book

Users who enroll in Exchange Advanced Security have their certificates stored in the Global Address Book. In Internet Only mode, users can open the Global Address Book by using the LDAP provider. In Corporate/Workgroup mode, however, users must use the Exchange MAPI provider to gain access to certificates in the Global Address Book.

The Exchange MAPI provider does not support certificate access to any LDAP provider. Only certificates generated by Microsoft Exchange Server Advanced Security or by Microsoft Exchange Key Management Server are published in the Global Address Book. Externally generated certificates are not published to the Global Address Book.

LDAP directory service

External directory services, certificate authorities, or other certificate servers may publish their users’ certificates through an LDAP directory service. Internet Only mode in Outlook 2000 allows access to these certificates through LDAP directories.

Windows registry

If a user imports another user’s certificate into Outlook 2000 (for example, by adding a contact or importing a file), the certificate is stored in the registry. It cannot be shared or published to a directory service directly.


Obtaining other users’ certificates

In order to exchange secure e-mail messages with another user, you must have that user’s public key. You gain access to the public key through the user’s certificate. There are three ways to obtain another user’s certificate:

Obtaining a certificate from a digitally signed e-mail message

When you receive a signed message from someone whose certificate you want to save, you can right-click the sender’s name on the To line and then click Add to Contacts. The address information is saved in your Contacts, and the sender’s certificate is saved in the registry.

Note   If you export a contacts list, the corresponding certificates are not included. You must add the certificates from a received e-mail message on each computer that you use.

Obtaining a certificate from a directory service

When you use Internet Only mode with a standard LDAP server, you can automatically retrieve another user’s certificate from an LDAP directory when you send an encrypted e-mail message. You must be enrolled in S/MIME security and you must have a Digital ID for your e-mail account.

When you use Corporate/Workgroup mode with Microsoft Exchange Server, you can obtain certificates from the Global Address Book. You must be enrolled in Exchange Advanced Security.

Obtaining a certificate from a file

You can request that another user export a certificate to a file. To import a certificate for another user, click the Import/Export Digital ID button on the Security tab in the Options dialog box (Tools menu). You can also use the Import button on the Certificates tab in a contact item in your Contacts folder.
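As an added example (not part of the Resource Kit), the PowerShell below performs the same file-based exchange on a current Windows system: the sender exports only the public certificate, and the recipient checks the received file before adding it to the Other People store (Cert:\CurrentUser\AddressBook), which is where correspondents' certificates are kept today rather than in the Outlook 2000 registry location. The PKI module cmdlets Export-Certificate and Import-Certificate are assumed; paths and the expected thumbprint are placeholders.

```powershell
# Added example (not Resource Kit code): share a public certificate as a file and import a
# correspondent's certificate after checking it. Assumes the PKI module; paths are placeholders.
$SecureEmailEku = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection (S/MIME)

# Sender side: export the certificate of one's own Digital ID as a DER .cer file.
# Export-Certificate never writes the private key, so the file is safe to send.
$mine = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $SecureEmailEku) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
Export-Certificate -Cert $mine -FilePath "$env:TEMP\my-cert.cer" -Type CERT | Out-Null
Write-Host "Tell the recipient this thumbprint by a second channel: $($mine.Thumbprint)"

# Recipient side: verify the file before trusting it for encryption.
function Import-CorrespondentCertificate {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedThumbprint   # confirmed with the sender out of band
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # A shared certificate must carry no private key.
    if ($cert.HasPrivateKey) { throw 'The file contains a private key; refuse it and ask for a .cer export.' }

    # Compare the SHA-1 thumbprint with the value confirmed over a second channel, so that a
    # substituted file cannot silently redirect encrypted mail to another key.
    $expected = ($ExpectedThumbprint -replace '[\s:]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $expected) { throw "Thumbprint mismatch: file has $($cert.Thumbprint)" }

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate is not currently valid ($($cert.NotBefore) to $($cert.NotAfter))"
    }
    if ($cert.EnhancedKeyUsageList.ObjectId -notcontains $SecureEmailEku) {
        Write-Warning 'Certificate is not marked for secure e-mail (EKU 1.3.6.1.5.5.7.3.4).'
    }
    if (-not $cert.Verify()) {
        Write-Warning 'Certificate chain did not validate to a trusted root on this computer.'
    }

    Import-Certificate -FilePath $Path -CertStoreLocation Cert:\CurrentUser\AddressBook
}

# Usage (placeholder values):
# Import-CorrespondentCertificate -Path "$env:TEMP\alice.cer" -ExpectedThumbprint '<thumbprint read back to Alice>'
```

The thumbprint comparison is the step that matters: a certificate file is public data, so the only thing that ties it to the intended correspondent is a check against a value obtained independently of the file.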


Renewing keys and certificates

A time limit is associated with each certificate and private key. When the keys given by the Microsoft Exchange Key Management Server approach the end of the designated time period, Outlook displays a warning message and offers to renew the keys. Outlook sends the renewal message to the server on your behalf.
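The renewal prompt rests on the validity period recorded in the certificate itself. The following PowerShell function is an added example, not Resource Kit code, that reports which Digital IDs in the current user's personal store are approaching or past their NotAfter date; the 30-day warning window is an assumption, since the page does not state the period Outlook uses.

```powershell
# Added example (not Resource Kit code): list Digital IDs whose validity period is ending,
# the condition under which Outlook offers to renew. WarnDays is an assumed renewal window.
function Get-DigitalIdExpiryStatus {
    param([int] $WarnDays = 30)
    $now = Get-Date
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.4') } |
        ForEach-Object {
            $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)
            $status = if ($now -gt $_.NotAfter)      { 'Expired' }
                      elseif ($daysLeft -le $WarnDays) { 'RenewSoon' }
                      else                             { 'OK' }
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                DaysLeft   = $daysLeft
                Status     = $status
            }
        }
}

Get-DigitalIdExpiryStatus -WarnDays 30 | Sort-Object NotAfter | Format-Table -AutoSize
```

An expired Digital ID should be kept rather than deleted after renewal: messages that were encrypted to the old certificate can only be read with the matching old private key, and the new key set does not replace it for that purpose.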




Friday, March 5, 1999
© 1999 Microsoft Corporation. All rights reserved.
