How users manage cryptographic digital IDs in Outlook 2007
Updated: April 9, 2009
Applies To: Office Resource Kit
Topic Last Modified: 2009-04-03
Microsoft Office Outlook 2007 provides ways for users to manage their digital IDs—the combination of a user's certificate and public and private encryption key set. Digital IDs help to keep users' e-mail messages secure by letting them exchange cryptographic messages. Managing digital IDs includes:
Obtaining a digital ID. For more information about how users can acquire a digital ID, see the Outlook Help topic Get a Digital ID.
Storing a digital ID, so that the user can move the ID to another computer or make it available to others.
Providing a digital ID to others.
Exporting a digital ID to a file. This is useful when the user is creating a backup or moving to a new computer.
Importing a digital ID from a file into Outlook. A digital ID file might be a user's backup copy or might contain a digital ID from another user.
Renewing a digital ID that has expired.
A user who performs cryptographic messaging at more than one computer must copy his or her digital ID to each computer.
Digital IDs can be stored in three locations:
The Microsoft Exchange Global Address Book
A Lightweight Directory Access Protocol (LDAP) directory service
A Microsoft Windows file
Users who enroll in Exchange Advanced Security store their certificates in their organization's Global Address Book. Alternatively, users can use their LDAP provider to open the Global Address Book.
Only certificates generated by Microsoft Exchange Server Advanced Security or by Microsoft Exchange Key Management Server (KMS) are automatically published in the Global Address Book. Externally generated certificates can be manually published to the Global Address Book by clicking the Publish to GAL button in the Trust Center under the Tools menu option.
External directory services, certificate authorities, or other certificate providers can publish their users' certificates through an LDAP directory service. Outlook allows access to these certificates through LDAP directories.
Digital IDs can be stored on users' computers. Users export their digital ID to a file by using the Import/Export option in the Trust Center under the Tools menu option. They can encrypt the file when they create it by providing a password.
In order for two users to exchange cryptographic e-mail messages, each must have the other's public key. Users provide access to their public key through a certificate. There are several ways to provide a digital ID to others; for example, users can:
Use a certificate to digitally sign an e-mail message.
Provide a certificate by using a directory service, such as the Microsoft Exchange Global Address Book.
A user provides his or her public key to another user by composing an e-mail message and digitally signing the message by using a certificate. When Outlook users receive the signed message, they right-click the sender's name on the From line and click Add to Contacts. The address information and the certificate are saved in the recipient's Outlook contacts list.
Another alternative is for a user to automatically retrieve another user's certificate from an LDAP directory on a standard LDAP server when he or she sends an encrypted e-mail message. To gain access to a certificate this way, users must be enrolled in S/MIME security with digital IDs for their e-mail accounts.
A user can also obtain certificates from the Global Address Book. To do this, the user must be enrolled in Microsoft Exchange Server Advanced Security.
Users can import a digital ID from a file. This is useful, for example, if a user wants to send cryptographic e-mail messages from a new computer. Each computer from which the user sends cryptographic e-mail messages must have the user's certificates installed. Users import digital IDs from a file by using the Import/Export option in the Trust Center under the Tools menu option.
A time limit is associated with each certificate and private key. When the keys provided by the Microsoft Exchange Key Management Server approach the end of the designated time period, Outlook displays a warning message and offers to renew the keys. Outlook prompts the user, offering to send the renewal message to the server on the user's behalf.
If users do not choose to renew a certificate before it expires, or if they use another certificate authority rather than KMS, the user must contact the certificate authority to renew the certificate.
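The file-based backup described above and the expiry check that drives renewal can both be done outside the Outlook dialogs, which is useful when an administrator has to audit many users' IDs. The following script is an added example, not part of the Office Resource Kit: it lists the S/MIME digital IDs (certificates with a private key and the Secure Email usage) in the current user's personal store, flags the ones that are expired or close to expiring, and exports one of them to a password-protected PKCS#12 file, which is the same kind of encrypted file the Import/Export option produces. The warning threshold and backup path are constructed values for the example, and it assumes Windows PowerShell with the Cert: drive.

```powershell
# Added example (not Office Resource Kit code). Assumes Windows PowerShell with the Cert: drive.
$SecureEmailEku = '1.3.6.1.5.5.7.3.4'                              # id-kp-emailProtection (S/MIME)
$WarnDays       = 30                                               # constructed threshold for the example
$BackupPath     = Join-Path $env:USERPROFILE 'digital-id-backup.pfx' # constructed output path

# True when the certificate carries the Secure Email enhanced key usage.
function Test-SecureEmailCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $SecureEmailEku) { return $true }
            }
        }
    }
    return $false
}

# A usable digital ID is a certificate for which this user holds the private key;
# other people's certificates collected from signed mail live in Contacts, not here.
$ids = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey -and (Test-SecureEmailCert $_) })
if ($ids.Count -eq 0) { Write-Warning 'No S/MIME digital ID with a private key found in Cert:\CurrentUser\My.'; return }

# Expiry report: this mirrors the renewal warning Outlook shows for KMS-issued keys,
# but covers IDs from any certificate authority.
foreach ($cert in $ids) {
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $state = if ($daysLeft -lt 0) { 'EXPIRED - contact the CA to renew' }
             elseif ($daysLeft -le $WarnDays) { "expires in $daysLeft days - renew soon" }
             else { "valid for $daysLeft more days" }
    Write-Host ('{0}  {1}  {2}' -f $cert.Thumbprint, $cert.Subject, $state)
}

# Back up the most recently issued ID as an encrypted .pfx. The export succeeds only if the
# private key was marked exportable when the ID was installed; otherwise Export throws.
$cert     = $ids | Sort-Object NotBefore -Descending | Select-Object -First 1
$password = Read-Host -Prompt 'Password to protect the backup file' -AsSecureString
$bytes    = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $password)
[System.IO.File]::WriteAllBytes($BackupPath, $bytes)
Write-Host "Exported $($cert.Thumbprint) to $BackupPath - protect this file like the private key itself."
```

Importing the resulting .pfx on another computer (Import/Export in the Trust Center, or double-clicking the file) prompts for the same password, so the backup is only as strong as the password chosen here.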