How to Import the Root CA Certificate into Email Client Certificate Stores
The email client connecting to the Exchange Server’s secure sites must trust the Exchange Server’s site certificates. The following Exchange Server services (or protocols) can be secured with SSL/TLS encryption:
You can use a single Web site certificate and bind that certificate to each of these Exchange Services, or you can request a separate certificate for each service. You can obtain a Web site certificate from a standalone Microsoft Certificate Server, an enterprise Microsoft Certificate Server, or a commercial certificate authority.
Before it can successfully negotiate a secure SSL/TLS link with the Exchange Server, the email client must trust the certificate authority (CA) issuing the Web site certificate to the Exchange Server’s services. The email client does not need a machine certificate to accomplish this; the email client only needs the root CA certificate in its Trusted Root Certification Authorities machine certificate store.
You can confirm the root CA certificate is installed in the Trusted Root Certification Authorities machine certificate store on Windows 2000, Windows XP and Windows Server 2003 machines by using the Certificates mmc console.
The first step is to check the name of the CA that assigned the Web site certificate for your site. Perform the following steps on the Exchange Server hosting the secure site:
1. Click Start and click on the Run command. Type mmc in the Open text box and click OK. In the Console 1 console, click the File menu and click the Add/Remove Snap-in command (figure 1).
Figure 1

2. Click the Add button in the Add/Remove Snap-in dialog box (figure 2).
Figure 2

3. Click on the Certificates entry in the Available Standalone Snap-in list on the Add Standalone Snap-in dialog box (figure 3). Click Add.
Figure 3

4. Select the Computer account option on the Certificates snap-in page (figure 4). Click Next.
Figure 4

5. On the Select Computer page, select the Local computer: (the computer this console is running on) option and click Finish (figure 5).
Figure 5

6. Click Close on the Add Standalone Snap-in page (figure 6).
Figure 6

7. Click OK on the Add/Remove Snap-in dialog box (figure 7).
Figure 7

8. Expand the Certificates (Local Computer) node, then expand the Personal node and click on the Certificates node in the left pane of the console (figure 8). Double click on the Web site certificate in the right pane of the console. In the Certificate dialog box, click on the Certification Path tab. The certificate at the top of the list is the root CA certificate. Close the Certificate dialog box.
Figure 8

9. In the left pane of the console, expand the Trusted Root Certification Authorities node and click on the Certificates node. The root CA certificate is located in the right pane of the console.
Figure 9

You can perform the same steps on a Windows 2000, Windows XP or Windows Server 2003 machine to confirm that the root CA certificate is in the Trusted Root Certification Authorities machine certificate store.
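The same check performed from PowerShell, as an added example that is not part of the deployment kit: it locates the Web site certificate in the machine Personal store, walks its certification path the way the Certification Path tab does, and reports whether the certificate at the top of that path is present in the machine's Trusted Root Certification Authorities store. It assumes Windows PowerShell 3.0 or later on the machine being checked; CN=mail.example.com is a placeholder subject.

```powershell
# Added example, not the deployment kit's own code. Assumes Windows PowerShell 3.0 or
# later on the client; the subject name is a placeholder for the Web site certificate.
function Test-RootCATrust {
    param([string]$SiteSubject)
    $ns = 'System.Security.Cryptography.X509Certificates'

    # Certificates (Local Computer) > Personal > Certificates
    $personal = New-Object -TypeName "$ns.X509Store" -ArgumentList 'My', 'LocalMachine'
    $personal.Open('ReadOnly')
    $site = @($personal.Certificates | Where-Object { $_.Subject -eq $SiteSubject })[0]
    $personal.Close()
    if (-not $site) { throw "No certificate with subject '$SiteSubject' in LocalMachine\My" }

    # Build the certification path the way the Certification Path tab does.
    # AllowUnknownCertificateAuthority lets Build() complete even when the root is
    # untrusted, so ChainStatus explains the red "x" instead of the build just failing.
    $chain = New-Object -TypeName "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust question only; CRL reachability is separate
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.Build($site)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $selfSigned = ($top.Subject -eq $top.Issuer)   # false means the path stopped at an intermediate

    # Trusted Root Certification Authorities (Local Computer), matched by thumbprint rather than name
    $rootStore = New-Object -TypeName "$ns.X509Store" -ArgumentList 'Root', 'LocalMachine'
    $rootStore.Open('ReadOnly')
    $inRoot = @($rootStore.Certificates | Where-Object { $_.Thumbprint -eq $top.Thumbprint }).Count -gt 0
    $rootStore.Close()

    [pscustomobject]@{
        SiteSubject      = $site.Subject
        IssuingCA        = $site.Issuer
        TopOfPath        = $top.Subject
        RootThumbprint   = $top.Thumbprint
        TrustedByMachine = ($selfSigned -and $inRoot)
        ChainStatus      = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

# Usage: TrustedByMachine = True with an empty ChainStatus is what the Certification
# Path tab shows when there is no red "x"; UntrustedRoot or PartialChain names the problem.
Test-RootCATrust -SiteSubject 'CN=mail.example.com'
```

Matching by thumbprint rather than by CA name matters because a store can hold several certificates with the same subject (for example an old and a renewed root); only the one that actually signed the path counts.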
There are several methods you can use to import the root CA certificate into the email client computer’s machine certificate store if you host your own Microsoft standalone CA or Microsoft enterprise CA. These methods include:
If you create an enterprise CA and join machines to the same domain that the enterprise CA belongs to, then you will not need to request a root CA certificate. Only when the email client machines do not belong to the same domain as the enterprise CA, or when you use a standalone root CA, will you need to manually install a root CA certificate.
Note: Many commercial CA root certificates are already installed on Windows clients.
In the remainder of this ISA Server 2000 Exchange Server 2000/2003 Deployment Kit document we’ll demonstrate the following procedures:
Requesting the Root CA Certificate from the Web Enrollment Site
Perform the following steps to request a CA certificate from the Microsoft CA’s Web enrollment site:
1. Type http://<ip_address>/certsrv or http://fqdn/certsrv into the address bar in Internet Explorer and press ENTER. Type in your user credentials in the Enter Network Password dialog box and click OK (figure 10).
Figure 10

2. On the Welcome page of the Web enrollment site (figure 11), click the Download a CA certificate, certificate chain, or CRL link.
Figure 11

3. On the Download a CA Certificate, Certificate chain, or CRL page (figure 12), click the install a CA certificate chain link.
Figure 12

4. Click Yes on the Root Certificate Store dialog box (figure 13) informing you that the certificate will be added to your root certificate store.
Figure 13

5. Close Internet Explorer after you see the CA Certificate Installation page informing you that the certificate has been successfully installed (figure 14).
Figure 14

6. Click Start and then click the Run command. Type mmc in the Open text box and click OK. In the Console1 console, click the Console menu and click the Add/Remove Snap-in command (figure 15).
Figure 15

7. Click Add in the Add/Remove Snap-in dialog box (figure 16).
Figure 16

8. Select the Certificates entry in the list of Available Standalone Snap-ins and click Add (figure 17).
Figure 17

9. Select the My user account option on the Certificates snap-in page and click Finish (figure 18).
Figure 18

10. Select the Certificates entry in the Available Standalone Snap-ins list again and click Add (figure 18).
Figure 18

11. Select the Computer account option on the Certificates snap-in page and click Next (figure 19).
Figure 19

12. Select the Local Computer option on the Select Computer page (figure 20) and click Finish.
Figure 20

13. Click Close on the Add Standalone Snap-in dialog box (figure 21).
Figure 21

14. You should see entries for Certificates – Current User and Certificates (Local Computer) in the list of snap-ins on the Add/Remove Snap-in dialog box (figure 22). Click OK.
Figure 22

15. Expand the Certificates – Current User node in the left pane of the console (figure 23). Expand the Trusted Root Certification Authorities node and click on the Certificates node. Right click on your root CA certificate entry in the right pane and click the Copy command.
Figure 23

16. Expand the Certificates (Local Computer) node in the left pane of the console. Expand the Trusted Root Certification Authorities node and click on the Certificates node. Right click on the Certificates node and click the Paste command (figure 23).
Figure 23

17. Refresh the display and locate your root CA certificate in the right pane of the console. Your machine now trusts the root CA.
Figure 24

Exporting and Importing the CA Certificate
You may have obtained a machine certificate from a standalone CA. The root CA certificate is not automatically installed when you obtain a machine certificate from a standalone CA. You can either request the root CA certificate from the standalone CA computer via its Web enrollment site, or you can export the root CA certificate from the machine certificate itself and then import the root CA into the Trusted Root Certification Authorities machine store.
1. Click Start and click on the Run command. Type mmc in the Open text box and click OK. In the Console 1 console, click the File menu and click the Add/Remove Snap-in command (figure 25).
Figure 25

2. Click the Add button in the Add/Remove Snap-in dialog box (figure 26).
Figure 26

3. Click on the Certificates entry in the Available Standalone Snap-in list on the Add Standalone Snap-in dialog box (figure 27). Click Add.
Figure 27

4. Select the Computer account option on the Certificates snap-in page (figure 28). Click Next.
Figure 28

5. On the Select Computer page, select the Local computer: (the computer this console is running on) option and click Finish (figure 29).
Figure 29

6. Click Close on the Add Standalone Snap-in page (figure 30).
Figure 30

7. Click OK on the Add/Remove Snap-in dialog box (figure 31).
Figure 31

8. Expand the Personal node and click on the Certificates node in the left pane of the console (figure 32). Double click on the machine certificate in the right pane of the console. Click on the Certification Path tab in the Certificate dialog box. Notice the root CA certificate has a red “x” on it. This indicates the root CA is not trusted by this host. Select the root CA certificate and click the View Certificate button.
Figure 32

9. In the Certificate dialog box for the root CA certificate, click on the Copy to File button (figure 33).
Figure 33

10. Click Next on the Welcome to the Certificate Export Wizard page (figure 34).
Figure 34

11. On the Export File Format page (figure 35), select the Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) option. Put a checkmark in the Include all certificates in the certification path if possible checkbox. Click Next.
Figure 35

12. On the File to Export page, type in a path and file name for the root CA certificate file (figure 35). Click Next.
Figure 35

13. Review your settings and click Finish on the Completing the Certificate Export Wizard page (figure 36).
Figure 36

14. Click OK on the Certificate Export Wizard dialog box informing you the export was successful (figure 37).
Figure 37

15. Close the root CA Certificate dialog box (figure 38).
Figure 38

16. Close the machine certificate dialog box (figure 39).
Figure 39

17. Expand the Trusted Root Certification Authorities node in the left pane of the console and click on the Certificates node. Right click on the Certificates node, point to All Tasks and click on Import (figure 40).
Figure 40

18. Click Next on the Welcome to the Certificate Import Wizard page (figure 41).
Figure 41

19. On the File to Import page, click the Browse button to locate the exported certificate file. Click Next after the certificate file appears in the File name text box (figure 41).
Figure 41

20. On the Certificate Store page (figure 42), confirm that the Place all certificates in the following store option is selected and that it says Trusted Root Certification Authorities in the Certificate store text box.
Figure 42

21. Review your settings and click Finish on the Completing the Certificate Import Wizard page (figure 43).
Figure 43

22. Click OK on the Certificate Import Wizard dialog box informing you that the import was successful (figure 44).
Figure 44

23. Open the machine certificate again and click on the Certification Path tab (figure 45). The red “x” no longer appears on the root CA certificate. This host now trusts the root CA that issued the machine certificate.
Figure 45

The same procedure can be used any time you have a machine or user certificate from a CA that the machine does not yet trust. All you need to do is export the root CA certificate to a file and then import that certificate into the machine’s Trusted Root Certification Authorities store.
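Both installation routes described above, copying the root out of the Current User store after Web enrollment (steps 15 and 16 of the previous procedure) and exporting the root from the machine certificate's certification path (the Copy to File procedure just shown), as one added PowerShell example that is not the deployment kit's own code. It assumes an elevated Windows PowerShell session; the subject names and the $env:TEMP path are placeholders.

```powershell
# Added example, not the deployment kit's own code. Run elevated: adding to
# LocalMachine\Root needs local administrator rights. Subjects are placeholders.
function Open-Store {
    param([string]$Name, [string]$Location, [string]$Access = 'ReadOnly')
    $s = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $Name, $Location
    $s.Open($Access)
    return $s
}

function Export-RootCertificate {
    # -Source Machine: root taken from the certification path of a machine certificate in
    #   LocalMachine\My. -Source User: root that Web enrollment placed in CurrentUser\Root.
    param([ValidateSet('Machine','User')][string]$Source, [string]$Subject, [string]$Path)
    if ($Source -eq 'Machine') {
        $store = Open-Store 'My' 'LocalMachine'
        $leaf = @($store.Certificates | Where-Object { $_.Subject -eq $Subject })[0]
        $store.Close()
        if (-not $leaf) { throw "No machine certificate with subject '$Subject'" }
        $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'  # build even if untrusted
        [void]$chain.Build($leaf)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    } else {
        $store = Open-Store 'Root' 'CurrentUser'
        $root = @($store.Certificates | Where-Object { $_.Subject -eq $Subject })[0]
        $store.Close()
    }
    # Only a self-issued certificate belongs in Trusted Root; a partial path ends in an intermediate.
    if (-not $root -or $root.Subject -ne $root.Issuer) { throw "No self-signed root found for '$Subject'" }
    $der = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($Path, $der)   # DER-encoded .cer file
    return $root
}

function Import-RootCertificate {
    # Equivalent of All Tasks > Import into Trusted Root Certification Authorities (Local Computer).
    param([string]$Path)
    $root = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    if ($root.Subject -ne $root.Issuer) { throw "'$Path' is not a self-signed root; refusing to trust it" }
    $store = Open-Store 'Root' 'LocalMachine' 'ReadWrite'
    $store.Add($root)    # no-op when the same certificate is already present
    $store.Close()
    return $root.Thumbprint
}

# Usage: pull the root out of the Exchange machine certificate's path, then trust it machine-wide.
$root = Export-RootCertificate -Source Machine -Subject 'CN=mail.example.com' -Path "$env:TEMP\rootca.cer"
Import-RootCertificate -Path "$env:TEMP\rootca.cer"
```

The self-signed checks are the guard rail the GUI wizard does not give you: whatever lands in Trusted Root Certification Authorities becomes a trust anchor for every SSL/TLS connection the machine makes, so the script refuses to install anything that is not the actual root of the path.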
It is important to remember that a machine certificate is not required to create an SSL session with the Exchange Server’s secure sites. The only requirement is that the clients trust the root CA that issued the certificate to the Exchange server. In contrast, a machine certificate is required if you want to create an L2TP/IPSec connection with an ISA Server firewall/VPN server. A user certificate would be required if you wanted to use certificate authentication to authenticate with the ISA Server firewall’s Incoming Web Requests listener. However, in all cases, the client must trust the CA that issued the Exchange Server’s certificate(s).