Skip navigation
Menu
Security

Windows IT Pro Community Forum, September 2011

Deciphering PKI

I just read Russell Smith’s excellent article, “Deciphering PKI” (May 2011, InstantDoc ID 129847). I have one question about it. When does a client get a private key, which is used to encrypt the message digest, decrypt messages, and sign messages?

—Robert Mikołajczyk

Thanks for your message. I’m glad that you found the article useful. If I understand correctly, you want to know when a client receives a certificate to work with secure messaging in a program such as Microsoft Outlook. Users must either request or be assigned a certificate for use with secure messaging. This is usually done through an internal PKI. The user’s email client then has to be configured to use the certificate for secure messaging. You can find more information about the infrastructure required to support secure messaging in Outlook 2010 in the Microsoft article “Plan for e-mail messaging cryptography in Outlook 2010” (technet.microsoft.com/en-us/library/cc179061.aspx).

—Russell Smith

 

Exchange Autodiscovery Questions

I have a few questions regarding John Savill’s FAQ, “How can I quickly verify that my Exchange autodiscovery is working?” (June 23, 2011, InstantDoc ID 139558):

  1. In John’s examples, he shows both http:// and https://. I’m assuming he means just https:// and no http://. Correct?
  2. If you create an “A” record for the autodiscovery, do you also have to have an SSL for it? That’s assuming we don’t have a wildcard SSL installed (which most of our clients do not). Or does the device know to ignore an SSL error and proceed?
  3. What about internally? I have a few clients who can’t open Outlook and have it automatically discover its settings (in a domain). Can/should we add an “A” pointer in the internal DNS for autodiscovery, and will that fix that problem? (We can manually put in the settings for Outlook and it works fine, just not autodiscovery internally in the domain.)

—Shawn Lemay

Good questions, Shawn.

  1. Yes, it is always https. Sorry about the typo.
  2. Yes, you would typically need a certificate for the autodiscovery unless you have a wildcard normally. This scenario is explained in detail at technet.microsoft.com/en-us/library/bb310762.aspx. There is a way to just use one as described at technet.microsoft.com/en-us/library/bb310764.aspx. However, certificates are typically cheap these days, so purchasing an additional one for autodiscovery is fine for most clients. The more services an organization has on the web, the more attractive a wildcard certificate gets. They cost only a few hundred dollars, and most Microsoft services work with a wildcard certificate today.
  3. es, you would have an autodiscovery on the internal DNS domain, and a separate autodiscovery for the Internet-based clients.

I hope these answers help.

—John Savill

 

The Weak Link in IT Security

Jeff James has an excellent message in his article, “Are Users the Weak Link in IT Security?” (June 22, 2011, InstantDoc ID 139572). This is something we’ll need to address in the near term with my employer. Please revisit this topic in future articles!

—Peet Rapp

TAGS: Security
Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
DevSecOps concept
90% of Java Services in Production Have Vulnerability Risk, DevSecOps Report Finds
Apr 20, 2024
Businesswoman challenges concept and gender obstacles
Women in Cybersecurity Face Barriers to Hiring, Advancement
Apr 15, 2024
person typing on keyboard with icons for certificates
Top IT Certifications for a Career in Finance
Apr 12, 2024
employee working on a laptop with AI
Why AI Coding Assistants May Be Greatest Cybersecurity Threat Facing Your Business
Mar 26, 2024