Hi, We are migrating some users from one forest/Exchange org to another. In the old forest they use S/MIME digital IDs (issued by an internal Enterprise root CA) for signing and encrypting email. In the new forest they will not need to sign and encrypt any new emails but they will need to be able to read encrypted emails migrated over from the old infrastructure.
I have played around with exporting a recipient's S/MIME certificate (including private key) from the certificate store of their old PC into the certificate store of their new PC and they are able to read migrated encrypted emails fine.
However, presumably when the certificate reaches its expiry date it will not be able to renew because the old CA will be unreachable. Will this cause the encrypted mail to be unreadable or will the recipient just get a warning message?
We do already have an existing Enterprise root CA in the target forest so I wonder whether there is a way to export/import the relevant S/MIME digital IDs over to that somehow?
Thanks for any help on this...
Edit: I just set the clock forward, on the test user's PC, past the cert expiry date and am still able to read the encrypted emails (since the expired cert is still in the cert store of the PC). So I think this is a workable solution. (I suppose if we did ever need S/MIME encryption on new emails, post-migration, then we just get users to enroll a new cert off the new CA...)
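A quick check for the migrated PCs, added here as an example and not part of the original post: it lists the S/MIME-capable certificates in the user's personal store and reports, per certificate, whether the private key (the part that actually decrypts the old mail) survived the export/import and whether the certificate has passed its NotAfter date. It assumes the certificate was imported into Cert:\CurrentUser\My as described above; the function name Get-SmimeCertReport is my own.

```powershell
# Added example (not from the original post). Inventory the S/MIME certificates in the
# current user's personal store and show whether each still has its private key and
# whether it has expired. Decrypting already-received mail needs the private key, not a
# currently valid certificate, which is what the clock-forward test above observed.

$smimeEku  = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection (Secure Email)
$ekuExtOid = '2.5.29.37'           # Enhanced Key Usage extension

function Get-SmimeCertReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # assumed store location

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert   = $_
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid }

        # A certificate with no EKU extension is usable for any purpose, so keep it;
        # otherwise require the Secure Email EKU to be present.
        $isSmime = $true
        if ($ekuExt) {
            $ekus = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt).EnhancedKeyUsages
            $isSmime = @($ekus | Where-Object { $_.Value -eq $smimeEku }).Count -gt 0
        }
        if (-not $isSmime) { return }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer        # shows which certs chain to the old CA
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            Expired       = ($cert.NotAfter -lt (Get-Date))
            HasPrivateKey = $cert.HasPrivateKey
            # Old messages were encrypted to this key; without it they cannot be opened.
            CanDecryptOldMail = $cert.HasPrivateKey
        }
    }
}

Get-SmimeCertReport | Format-Table -AutoSize
```

Run it in the migrated user's session; a row with HasPrivateKey = False means the export was public-key only and that certificate will not open the migrated mail regardless of its expiry date.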