Migrating from Previous Versions of Exchange Key Management Server


Unlike previous versions of Exchange, there is no Key Management Server in Exchange 2003. Exchange can use any PKI that provides support for S/MIME version 3, including Windows Server 2003 Certificate Services as well as those PKIs offered by third parties. The support for standards-based PKIs eliminates the need for Exchange to provide any digital certificate handling.

When customers who are running Key Management Server are planning an upgrade to Exchange 2003, they should include specific planning related to upgrading from Key Management Server. Windows Server 2003 provides an upgrade path for customers who currently run Key Management Server on Exchange Server 5.5 and Exchange 2000 Server. Customers who want to retain their existing investment in Key Management Server should plan to include a specific upgrade path from their current Key Management Server to Windows Server 2003 CA.

Warning

Using previous versions of Key Management Server to provide certificate handling in Exchange 2003 is not recommended. Microsoft has not performed extensive testing of Exchange 2003 with Key Management Server in Exchange 2000 Server and Exchange Server 5.5. Customers may experience unexpected results when using Key Management Server with Exchange 2003.

For information about migrating from Key Management Server to Windows Server 2003 CA, see "Key Archival and Management in Windows Server 2003." The information in the following sections augments this online article and provides information about migration paths and options based on the version of your existing Exchange implementation.

Exchange Server 5.5 Key Management Server

The Key Management Server with Exchange Server 5.5 provided support for S/MIME version 1 digital certificates only. The certification authority (CA) provided as part of the Key Management Server issued these certificates. With Exchange 5.5 Service Pack 1 (SP1), support was added to enable Exchange to use S/MIME version 3 digital certificates. These certificates were actually issued by Windows 2000 Server CA.

Upgrade paths differ based on whether the existing certificates are S/MIME version 1 or S/MIME version 3. Determine the version of S/MIME certificate currently in use, and then perform the steps in one of the following sections.

Upgrading S/MIME Version 1 Certificates

Because of the differences between S/MIME version 1 and version 3 certificates, they cannot be upgraded. The following is the recommended upgrade path.

  1. Implement a new S/MIME version 3 installation using Windows Server 2003 CA as part of the Exchange 2003 deployment.

  2. Revoke and export the S/MIME version 1 certificates from Exchange 5.5 Key Management Server.

  3. Import the certificates into Windows Server 2003 CA.

This sequence of events ensures that users can read mail that was encrypted using an S/MIME version 1 certificate by making the certificate available as a foreign certificate within the CA.

An upgrade from Exchange 5.5 Key Management Server using S/MIME version 1 certificates to Windows Server 2003 CA is essentially a new implementation of Windows Server 2003 CA.

The following is the recommended sequence in this upgrade path.

  1. Export each user's Exchange Server 5.5 Key Management Server certificate to an .epf file using Outlook.

  2. Ensure that the Windows Server 2003 CA in the new forest has been configured for key archival and to accept keys archived from other authorities.

  3. Import the Exchange Server 5.5 Key Management Server certificate.

  4. Issue a new digital certificate from the Windows Server 2003 CA in the new forest.

  5. After all users have been migrated from Exchange 5.5, retire the old Key Management Server.

For information about how to revoke a user's certificate in Exchange 5.5 Key Management Server, see Exchange Server 5.5 Key Management Server Help. For information about how to export a certificate to an .epf file using Outlook, see Outlook Help and the Office Resource Kit. For information about how to import an archived key, see "Key Archival and Management in Windows Server 2003."

By following this path, you ensure that users can use S/MIME version 3 certificates in Exchange 2003 issued by the Windows Server 2003 CA in the new Active Directory forest, and you ensure that users can read mail that was encrypted using S/MIME version 1 certificates.

Upgrading S/MIME Version 3 Certificates

When using S/MIME version 3 certificates with Exchange Server 5.5, you can upgrade the certificates to Windows Server 2003 using Exchange 2000 Key Management Server. After you upgrade to Exchange 2000 Key Management Server, you can then use the established upgrade path from Exchange 2000 Key Management Server to Windows Server 2003 CA that is detailed in "Key Archival and Management in Windows Server 2003."

Important

When migrating to Windows Server 2003 CA from Exchange Server 5.5 Key Management Server using Exchange 2000 Key Management Server, it is recommended that you install Exchange 2000 Server on the server that will be used for the Key Management Server migration before installing Exchange Server 2003 on any servers.

Note

If you install Exchange 2000 Server into an existing Exchange 2003 organization, Exchange 2000 Setup resets some permissions. Install Exchange 2000 first, and then install Exchange 2003, to ensure that this is not an issue.

For the recommended sequence for migrating S/MIME version 3 certificates in Exchange 5.5 Key Management Server, see "Key Archival and Management in Windows Server 2003." For information about migrating from Exchange 5.5 Key Management Server to Exchange 2000 Key Management Server, see Exchange 2000 Help. For information about migrating from Exchange 2000 Key Management Server to Windows Server 2003 CA, see the following section.

Exchange 2000 Key Management Server

Customers who use S/MIME version 3 certificates either with Exchange Server 5.5 or Exchange 2000 Key Management Server will use the Exchange 2000 Key Management Server migration process to move S/MIME certificates to Windows Server 2003 CA. For comprehensive information about how to perform this migration, see "Key Archival and Management in Windows Server 2003." The following information provides clarification regarding Exchange-specific steps.

Note

Digital certificates issued by Windows Server 2003 CAs use a different cryptographic service provider (CSP) than those issued by Exchange 2000 Key Management Server. One difference between these two types of digital certificates is how each handles private key protection. Digital certificates issued by Exchange 2000 Key Management Server require a password any time the private key is used, although users can choose to cache this password for some length of time. Digital certificates issued by Windows Server 2003 CAs rely on the Windows client to provide a measure of protection to the private key. Specifically, the user's private key is protected by the user's logon credentials. Users cannot access their private key without first being authenticated with a valid Windows logon. Administrators can choose to augment this protection with a redundant layer of authentication by requiring a password when the private key is used. This is accomplished by making changes to the template used to generate S/MIME certificates. For more information, see "Implementing and Administering Certificate Templates in Windows Server 2003."

When you migrate from Exchange 2000 Key Management Server to Windows Server 2003, it is recommended that you upgrade using the following sequence:

  1. Ensure that your Active Directory forest is upgraded to at least Windows 2000 Service Pack 3 (SP3).

    Note

    If you plan to use autoenrollment and key archival, and your Active Directory forest is not running Windows Server 2003, you must extend the schema in the forest to accommodate these features. For more information, see "Best Practices for Implementing a Microsoft Windows Server 2003 Public Key Infrastructure."

  2. Upgrade all Exchange 2000 servers to Exchange 2003 except for the Exchange 2000 Key Management Server. Continue running Exchange 2000 while you perform the following tasks.

  3. Install Windows Server 2003 CAs to the Active Directory forest.

    Note

    When you install Windows Server 2003 CAs as part of an Exchange 2000 Key Management Server migration, you should not upgrade your existing Windows 2000 Server CAs. You need those CAs to be available for the export process in the following tasks.

  4. Configure autoenrollment on Windows Server 2003 CAs to enroll all users in domains with digital certificates. For more information, see "Certificate Autoenrollment in Windows Server 2003."

  5. Export digital certificates issued by Exchange 2000 Key Management Server. For more information, see "Key Archival and Management in Windows Server 2003."

    Note

    Exporting the digital certificates automatically revokes them.

  6. Import digital certificates issued by Exchange 2000 Key Management Server into Windows Server 2003 CA. For more information, see "Key Archival and Management in Windows Server 2003."

  7. Retire Exchange 2000 Key Management Server.

If your migration from Exchange 2000 to Windows Server 2003 includes moving users to a new forest, you should first revoke the user certificates and import them as foreign certificates into the destination Active Directory forest, because Key Management Server was not designed to operate in cross-forest scenarios. Attempting to continue using the Exchange 2000 Key Management Server certificate after moving the user's mailbox to a new forest can lead to difficulties in verifying digital signatures and other unpredictable results. By revoking, exporting, and importing the original certificate, you ensure that mail that was encrypted using the old certificate can still be read.

When moving a user as part of a migration from Exchange 2000 Key Management Server, it is recommended that you upgrade in the following sequence:

  1. Ensure that your Active Directory forest is upgraded to at least Windows 2000 SP3.

  2. Upgrade all Exchange 2000 servers to Exchange 2003 except for the Exchange 2000 Key Management Server. Continue running Exchange 2000 while you perform the following tasks.

  3. Install Windows Server 2003 CAs to the Active Directory forest.

  4. Ensure that the Windows Server 2003 CA in the new forest has been configured for key archival and to accept keys archived from other authorities.

  5. Configure autoenrollment on Windows Server 2003 CA to enroll all users in domains with digital certificates. For more information, see "Certificate Autoenrollment in Windows Server 2003."

  6. Export digital certificates issued by Exchange 2000 Key Management Server. For more information, see "Key Archival and Management in Windows Server 2003."

    Note

    Exporting the digital certificates automatically revokes them.

  7. Import digital certificates issued by Exchange 2000 Key Management Server into Windows Server 2003 CA. For more information, see "Key Archival and Management in Windows Server 2003."

  8. Retire Exchange 2000 Key Management Server.

When you follow these steps with the information provided in "Key Archival and Management in Windows Server 2003," you will successfully migrate your users and their digital certificates from Exchange 2000 Key Management Server to Windows Server 2003 CA.
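The following is an added example and is not part of the original article or of Microsoft's documentation. It shows the command-line side of the CA preparation and import steps that both Exchange 2000 sequences share (configuring the Windows Server 2003 CA to accept keys archived from other authorities, importing the exported Key Management Server keys, and checking the result), using certutil on the destination CA. It assumes that key archival itself (a key recovery agent certificate assigned on the CA's Recovery Agents tab, as described in "Key Archival and Management in Windows Server 2003") has already been set up, that the export from Exchange 2000 Key Management Server has produced the file referred to here as the placeholder `<kms-export-file>`, and that the `KRAFlags` value, the `KRAF_ENABLEFOREIGN` flag and the `-ImportKMS` option match the certutil build on the target server; confirm them with `certutil -?` before relying on them.

```powershell
# Added example (not from the original article): certutil steps for the
# "configure key archival / accept foreign keys" and "import exported
# Key Management Server certificates" tasks of the migration.
# Run from an elevated prompt on the Windows Server 2003 CA that will hold
# the archived keys. '<kms-export-file>' is a placeholder for the export
# produced by the Exchange 2000 Key Management Server export step.
# Option and flag names are assumed from the certutil built-in help;
# verify them with 'certutil -?' on the target build.

# 1. Confirm that the local CA service is reachable before changing anything.
certutil -ping

# 2. Show the current key recovery agent flags. The CA refuses keys archived
#    by another authority (here, Key Management Server) until KRAFlags
#    contains KRAF_ENABLEFOREIGN.
certutil -getreg 'ca\KRAFlags'

# 3. Allow archival of foreign keys ("accept keys archived from other
#    authorities"). The leading '+' adds the flag without clearing others;
#    it is quoted so PowerShell passes it through unchanged.
certutil -setreg 'ca\KRAFlags' '+KRAF_ENABLEFOREIGN'

# 4. CA registry settings are read at service start, so restart the CA.
net stop certsvc
net start certsvc

# 5. Re-read the flags to confirm the change survived the restart.
certutil -getreg 'ca\KRAFlags'

# 6. Import the Key Management Server export into the CA database.
#    Because exporting revokes the certificates on the Key Management Server
#    side, perform this only after steps 2 to 5 have succeeded, so users
#    are never left without a recoverable key.
certutil -ImportKMS '<kms-export-file>'

# 7. Review what the CA now holds: list issued (Log) rows with the columns
#    needed to tie each archived key back to a user.
certutil -view -out 'RequestID,RequesterName,SerialNumber,NotAfter' Log
```

Keep the Key Management Server export file on removable or access-controlled storage for the duration of the import: it contains users' private encryption keys, which is exactly the material the CA's key archival is meant to protect, and it should be securely erased once step 7 confirms the keys are present in the CA database. Only after that confirmation should the Exchange 2000 Key Management Server be retired, as the last step of each sequence describes.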