The emphasis on network security these days points to one area you should consider: using a certificate to encrypt SMTP traffic on your Exchange Server. Because e-mail is a critical and pervasive business tool, you should take steps to prevent competitors from intercepting information about your business by reading e-mails sent by your employees. Here’s how you can create a certificate authority, and how to configure Exchange to use that certificate authority for SMTP encryption.
Acquiring a digital certificate
Before you can integrate a certificate into Exchange Server, you must first acquire a certificate from a certificate authority. You can either lease a certificate from a third-party certificate authority, such as VeriSign, or you can create your own certificate authority.
If you lease a certificate through VeriSign, it can get a little pricey. A 40-bit certificate will cost you $349 for the first year or $598 for two years. If you want a 128-bit certificate, the price goes up to $895 for the first year and $1595 for two years. The main advantage to leasing a certificate from VeriSign is recognition. For example, if you had a publicly accessible Web site, then your customers would probably have more faith in the site’s security if you post the VeriSign logo. You also have the advantage of knowing that VeriSign goes to extreme measures to protect the certificates that they issue.
If you don’t want the expense of a VeriSign certificate, you can easily create your own certificate authority using a Windows 2000 Server. If you decide to create your own certificate authority, it’s critically important that you use a server that isn’t directly accessible through the Internet. In other words, don’t make your Exchange Server or your Web server a certificate authority. It’s also extremely important that you keep the certificate authority up to date with all of the latest security patches.
Creating a certificate authority
Before you begin creating an enterprise certificate authority, keep in mind that you must carefully choose the server that you will use for this operation. Building an enterprise certificate authority is a semi-permanent operation, which you shouldn't take on lightly. For more information about Certificate Services, see the Daily Drill Down, “Learn the concepts behind Certificate Services for Windows 2000.”
Begin by opening the Control Panel and double-clicking on the Add / Remove Programs icon to launch the Add / Remove Programs dialog box. Click the Add Remove Windows Components button to launch the Windows Components Wizard. The wizard’s initial screen contains a list of the various components that you can install. Select the Certificate Services check box from the component list. At this point, you’ll see a warning message indicating that after installing the certificate services, the computer can’t join or be removed from a domain. Click Yes to continue.
At this point, make sure that the certificate services component is selected and click the Details button. When you do, you’ll see that there are two different components included in the certificate services. The first component is the Certificate Services CA. This component takes care of the basic tasks involved in creating a certificate authority. The other component is the Certificate Services Web Enrollment Support. This optional component provides you with the ability to create a Web page that’s capable of submitting requests and retrieving digital certificates. Select the desired options and click OK. For the purposes of working with Exchange Server, you will want to use both components.
At this point, you’ll be returned to the main component list. Click Next, and you’ll see a screen that asks you to choose the type of certificate authority that you want to create. The choices are:
- Enterprise Root
- Enterprise Subordinate
- Stand Alone Root
- Stand Alone Subordinate
Select the Enterprise Root option. This screen also contains an Advanced Options check box. If you select this check box, you’ll have a chance to select the encryption algorithms that you want to use. It isn’t necessary to use the Advanced Options, but I’ll walk you through them just in case you want to use them. Click Next to continue.
After choosing the Advanced Options, you’ll see a dialog box containing several options. The first option in this dialog box asks you to choose the CSP or Cryptographic Service Provider. By default, Microsoft Base Cryptographic Provider v1.0 is selected, but you can select a different provider if another one better suits your needs. Next, you must select the hash algorithm. Both MD4 and MD5 have known weaknesses, so I recommend sticking with the default value of SHA-1.
At this point, you’ll need to select your encryption key length. The default value is 1024 bits. You can go all the way up to 4096 bits, but keep in mind that some non-Microsoft encryption services can’t handle values above 1024.
Below the Key Length drop-down list is a Use Existing Keys check box. You can use this check box along with the window below it and the Import button to use keys that you’ve previously used. If this is your first certificate server, or you don’t want to use your old keys, don’t worry about this option. Click Next to continue.
At this point, you’ll be asked to enter some information to identify the certificate authority. This information includes things such as the organization that the certificate authority services and some basic contact information. As you enter the identification information, keep in mind that you should avoid using special characters such as ^&*( and . because the information that you enter will be encoded in Unicode format, and some applications may have trouble decoding special characters.
Another option on this portion of the wizard allows you to set the date the certificates expire. The default period is two years, but you can adjust it to meet your needs.
Now, just kick back and relax for a while as the wizard generates your encryption keys. When the process completes, you’ll be asked where you want to place the certificate database and database logs. This is the location where the certificate authority’s certificates will be stored. As I said earlier, choose a location that gets backed up regularly. There are also two other important options on this screen of which you need to be aware.
First, you might have noticed a check box labeled Store Configuration Information In A Shared Folder. You can use this option in situations where the Active Directory isn’t being used. Entering the name of a shared folder makes the certificates accessible to clients.
The other option that you’ll want to be aware of is the check box labeled Preserve Existing Certificates. You’ll need to use this check box if you ever have to reinstall the certificate services, so that you don’t overwrite your certificate databases.
At this point, click Next to continue. If Internet Information Service is running, you’ll see a message stating that you must stop the services before continuing. Windows will give you the chance to stop the services from within the wizard. Windows will now take several minutes to configure the certificate services. During this time, you may be asked to insert your Windows 2000 installation media or your Service Pack CD. When the process completes, click the Finish button to close the Wizard. At this point, you’ll be asked to reboot the server. When the server reboots, the new certificate authority will automatically start.
Once you’ve installed the certificate services, you’ll have to set up a console to manage it. To do so, enter the MMC command at the Run prompt. When Microsoft Management Console loads, select the Add / Remove Snap In command from the Console menu. When you do, you’ll see the Add Remove Snap In properties sheet. Click the Add button on the General tab to display a list of available snap ins. Select the Certificate Authority snap in from the list and click the Add button. At this point, you’ll see a dialog box that asks whether the snap in will be used to manage the local computer or another computer. Select the local computer option and click the Finish button. Then, click the Close and OK buttons. When you’re done, the snap in will be configured to manage the certificate authority that you’ve just created.
To keep from having to repeat this process every time you want to work with the certificate authority, you can save the console settings through the Save As option on the Console menu. When you do, a shortcut will be automatically created under the Administrative Tools menu, assuming that you save the console settings in the default location.
Importing a certificate into Exchange Server
The primary location in Exchange Server where you would normally import a certificate would be through a virtual SMTP Server. This certificate could be used to secure SMTP communications between the Exchange Server and the Web.
To import a digital certificate into an SMTP virtual server, open the Exchange 2000 System Manager and navigate to your organization | Administrative Groups | your administrative group | Servers | your server | Protocols | SMTP your virtual SMTP server. If you haven’t defined any virtual SMTP Servers, then you will be using the Default SMTP Virtual Server.
Right-click the SMTP virtual server and select the Properties command from the resulting shortcut menu. This will cause the Exchange System Manager to display the SMTP Virtual server’s properties sheet. Select the properties sheet’s Access tab and click the Certificate button. This will launch the Web Server Certificate Wizard.
Normally, when I write an article about anything involving a wizard, I always tell people to click Next to skip the Welcome screen. In this case, though, I recommend taking the time to actually read the Welcome screen. Rather than just being introductory in nature, the Welcome screen tells you the status of your Web server. Normally, the status message will indicate that no certificates are installed and that no certificate requests are currently pending. Once you have verified this, click Next to move to the next part of the wizard.
The following screen gives you three options for assigning a certificate to the server, including:
- Create a new certificate
- Assign an existing certificate
- Import a certificate from a key manager backup file
Create a new certificate
To create a new certificate for the server, select the Create A New Certificate button and click Next. On the following screen, you will be asked if you’d like to prepare the request now and send it later, or if you’d rather send the request immediately to an online certificate authority. For the purposes of this article, choose the option to send the request immediately, and click Next.
At this point, you will see a screen that prompts you for the name of the new certificate. By default, the certificate will use the name Default SMTP Virtual Server. It doesn’t really matter what name you use as long as it’s descriptive. If you are assigning certificates to multiple servers, I recommend working the server name into the certificate description.
At the bottom of this screen, the wizard prompts you for the bit length. The higher the bit length, the more secure the encrypted transmissions will be. Before you go and select a 4096-bit key, though, keep in mind that longer keys degrade performance. The default option is to use a 512-bit encryption key, and that should be sufficient for most situations.
Click Next, and you will see a screen that asks for the name of your Organization and Organizational Unit (OU). There are a couple of different ways that you can handle this screen. As you probably know, both Organization and Organizational Unit are terms used by the Active Directory. You can simply fill in the blanks to match the server’s Active Directory organization and OU. On the other hand, you can take a less formal approach to things and use common names instead. For example, you could use something like Posey Enterprises for the Organization Name and IT Department for the organizational unit.
Click Next, and you will be prompted to enter the server’s common name. The common name can either be the server’s Fully Qualified Domain Name (FQDN) or the system’s NetBIOS name. I’m assuming that your server is going to be Internet accessible. If that’s the case, then you will want to use the FQDN.
Now, click Next, and you will be prompted to enter the server’s locality information. This includes the country, state, and city. Click Next and you’ll be asked to select the certificate authority. If you have created an Enterprise Certificate Authority in the manner described earlier, then that certificate authority will be available from the drop-down list. Make your selection and click Next. You will now see a summary screen detailing the new certificate, as shown in Figure A. If the information on this summary screen is acceptable, then click Next, followed by Finish.
|Verify the information on this screen prior to creating a new certificate.|
Assign An Existing Certificate
Normally, you would choose the option to assign an existing certificate if certificates had already been issued to your server, but weren’t being used by Exchange or IIS. If you select the Assign an Existing Certificate button and click Next, you will see a list of the certificates that have already been issued to the server by your certificate authority.
It’s entirely possible that your server may already include certificates. However, it’s a really bad idea to use existing certificates unless they were specifically intended for the purpose of securing IIS. For example, in Figure B, you can see some certificates that were already present on my Exchange Server. If you look closely at the certificates, though, you’ll see that these certificates are intended to be used for client authentication. You wouldn’t want to use preexisting client authentication certificates to secure an Exchange or IIS server for obvious reasons.
|Be careful about assigning existing certificates.|
To assign a certificate that has already been issued to your server, select the certificate from the list and click Next. You will now see a summary of the certificate on the resulting screen. If the summary information is acceptable, click Next, followed by Finish to assign the certificate.
Import a certificate from a key manager backup file
Normally, you would only import a certificate from a key manager backup file if the server had previously been running Windows NT and a legacy version of Exchange and was then upgraded to Windows 2000 and Exchange 2000. Normally, prior to the upgrade, you would export the certificate to a key manager backup file.
To create the key manager backup file, you would open the Internet Service manager, right-click the appropriate Web site, and then select the Properties command from the resulting shortcut menu to reveal the Web site’s properties sheet. Next, you would select the Directory Security tab and then click the Edit button under the Secure Communications section. You would then select the key that you want to export and then the Export Key | Backup File commands from the Key menu. This will allow you to create a .KEY file.
On your Exchange 2000 Server, select the option to import a certificate from a key manager backup file and click Next. When you do, you will be asked for the location of the key backup file. You can use the Browse button to select the appropriate backup file. Next, you must enter the password associated with the certificate and then the certificate will be imported.
Once you have incorporated the certificate into Exchange, you have the option of encrypting SMTP traffic. This means that if someone requests encryption, the traffic will be encrypted, but otherwise it will not be. If you want to force SMTP encryption, go back to the Access tab of the SMTP Virtual Server’s properties sheet and click the Communications button. When you do, you will see a dialog box containing a check box that you can use to require a secure channel. There is also a check box that you can select to require 128-bit encryption. Whatever settings you choose, you must remember that your settings, and the certificate, apply only to the current SMTP Virtual Server.
Modifying the certificate
Now that everything is in place and functional, you can go back and modify the chosen certificate if you want. If you go back to the Access tab of the SMTP Virtual Server’s properties sheet, and click the Certificate button, you’ll see that the summary screen indicates that a certificate is installed on the server. However, if you click the Next button, your choices are completely different than before. This time, you have the option of renewing the certificate, removing the certificate, or replacing the certificate.