Testing Digital Signatures and Encryption
Topic Last Modified: 2005-05-19
With the CA installed and configured, the Exchange server installed and configured, and, finally, the e-mail clients installed and configured, you can begin testing.
The first step in testing is to obtain a digital certificate for each of your test users. Because S/MIME relies on digital certificates, you must obtain a digital certificate to use S/MIME. This section will help you obtain digital certificates for your test accounts from the Windows Server 2003 CA, and then step you through using those certificates to send and receive digitally signed and encrypted e-mail messages using the e-mail clients that you have configured.
|The following section provides instructions about how to obtain digital certificates for users using either Web-based enrollment or the Microsoft Management Console (MMC) Certificates snap-in. In addition to these options, it is possible to configure Windows Server 2003 CA to automatically enroll users for digital certificates. Because of the configuration required to enable this feature, discussion of this feature is beyond the scope of this section. However, it is recommended that this feature be used in a production environment because of the ease of use it provides to users. For information about configuring autoenrollment, see "Certificate Autoenrollment in Windows Server 2003."|
Because digital certificates are specific to individual users and are stored as part of the user profile on the local workstation, you need to obtain a digital certificate for each user. There are two ways you can obtain a digital certificate for a user. You can either request one through the MMC Certificates snap-in or use a Web browser. For detailed steps, see:
After performing the above procedures, the digital certificate for the user is installed in the local certificate store. To verify that the certificate is there, open the local certificate store by using MMC. For detailed steps, see How to Verify That a Certificate Has Been Installed.
When you request a digital certificate using either the MMC or the Web enrollment form, the Windows CA automatically stores the user's digital certificate in Active Directory. Both Outlook and Outlook Web Access retrieve digital certificates that are stored in Active Directory. For those S/MIME operations where you must have a copy of the other party's digital certificate (specifically when sending encrypted e-mail messages to another party or verifying e-mail messages that have been digitally signed by another party), Outlook Web Access and Outlook can retrieve those digital certificates for you.
For detailed steps, see How to Verify That a Digital Certificate Has Been Added to a User's Active Directory Account.
|Although the certificate in the certificate store and the certificate in Active Directory look identical, there is an important difference between these two certificates. The certificate in Active Directory stores a copy of only the user's public key, and the certificate in the personal store has a private key in addition to the public key.|
Before you use your digital certificate to sign messages in Outlook, you must configure Outlook to use the digital certificate that you just installed. Because this information is stored on a per-user basis, you will need to configure each of your test user accounts. For detailed steps, see How to Configure Outlook to Use a Digital Certificate.
|After you configure these settings, the Add digital signature to this message button and Encrypt message contents and attachments button are automatically added to the new mail message form when Word is enabled as the e-mail editor. In Outlook 2003, Microsoft Office Word 2003 is enabled as the e-mail editor by default, and these settings make these buttons visible by default. If you do not use Word as the e-mail editor, you will not see these buttons by default. To make these buttons appear, you can re-enable Word as the e-mail editor or customize the Outlook e-mail editor. For information about how to make these changes, see Outlook 2003 Help.|
After Outlook is configured to use the digital certificate you installed for this user, you can test sending and receiving digitally signed and encrypted messages. For detailed steps, see the following:
After you complete these procedures, you will have tested all elements of using S/MIME in Outlook 2003. This information lets you see how an S/MIME system that uses Outlook will function for your users.
Using S/MIME in Outlook Web Access is similar to using S/MIME in Outlook. In both cases, the e-mail client uses digital certificates from the local certificate store (which you viewed using MMC) and from Active Directory (which you viewed using Active Directory Users and Computers). Because of these similarities, users who are familiar with using S/MIME in Outlook should be able to transfer this knowledge to Outlook Web Access. For detailed steps, see the following procedures:
After you complete these procedures, you will have tested all elements of using S/MIME in Outlook Web Access. This information lets you see how an S/MIME system that uses Outlook Web Access will function for your users.
Unlike Outlook and Outlook Web Access, Outlook Express does not automatically use Active Directory to locate another user's e-mail addresses and digital certificates. Instead, Outlook Express uses the Microsoft Windows Address Book. You can access information in Active Directory by using the search feature in Outlook Express, which is automatically configured to look up information in Active Directory. As an alternative, you can also populate the Windows Address Book with information about recipients before you send an e-mail message to them using Outlook Express. For detailed steps see the following procedures:
After you complete these procedures, you will have tested all elements of using S/MIME in Outlook Express. This information lets you see how an S/MIME system that uses Outlook Express will function for your end-users.