Hello Exchange Admins,
We have an internal request to provide S/MIME signing and encryption capabilities to end users (approx. 3,000), so we are evaluating implementations and talking about the best way.
Circumstances:
- using internal certificates from Windows PKI (AD)
- consider lifecycle (name changes, renewals, Root CA expiries, device changes)
- S/MIME should be used in Outlook (auto deployment) and on iOS devices (may be imported manually)
- secure end-to-end encryption, with low user interaction
There seem to be multiple ways out there to accommodate these circumstances.
1. Auto enrollment of certificates using GPO (which can deploy public key information to AD/GAL automatically and private key information to the user with the internal PKI), combined with Credential Roaming (which can address handling multiple devices).
Credential Roaming seems to be suboptimal.
2. Developing a custom solution which creates certificates on behalf of the user and deploys public information to AD/GAL and private information to the user (based on many dependencies). This seems tricky, complex and weak.
What are your experiences?
Thanks.
Paul.
S/MIME and credential roaming
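Whichever option is chosen, the part Outlook and the GAL actually consume is the certificate published in each user's AD userCertificate attribute, and that attribute is where lifecycle problems (expired or stale certs after renewals, address mismatches after name changes) show up first. The following audit script is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module, a domain-joined host, and a placeholder search base you adjust to your own domain.

```powershell
# Added example: audit S/MIME certificates published in AD (userCertificate).
# Reports per user whether a currently valid email-protection cert exists,
# whether the newest one is close to expiry, and how many stale entries remain.
Import-Module ActiveDirectory

$SecureEmailEku = '1.3.6.1.5.5.7.3.4'               # id-kp-emailProtection
$WarnDays       = 30                                # flag certs expiring within this window
$SearchBase     = 'OU=Users,DC=example,DC=com'      # placeholder: adjust to your domain

$users = Get-ADUser -Filter 'mail -like "*"' -SearchBase $SearchBase -Properties mail, userCertificate

foreach ($u in $users) {
    $now = Get-Date
    $valid = @(); $stale = 0
    foreach ($raw in $u.userCertificate) {
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)

        # Only count certs usable for S/MIME: emailProtection EKU present ...
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
        if (-not $ekuExt) { continue }
        $ekus = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ekuExt).EnhancedKeyUsages.Value
        if ($ekus -notcontains $SecureEmailEku) { continue }

        # ... and the user's *current* mail address in the SAN or subject
        # (a cert issued under an old name/address is useless to senders).
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
        $mailRx = [regex]::Escape($u.mail)
        $hasMail = ($sanExt -and $sanExt.Format($false) -match $mailRx) -or ($cert.Subject -match $mailRx)

        if ($hasMail -and $cert.NotAfter -gt $now) { $valid += $cert } else { $stale++ }
    }

    $newest = ($valid | Measure-Object -Property NotAfter -Maximum).Maximum
    $status = if ($valid.Count -eq 0)                     { 'MISSING'  }
              elseif ($newest -lt $now.AddDays($WarnDays)) { 'EXPIRING' }
              else                                         { 'OK'       }

    [pscustomobject]@{
        User         = $u.SamAccountName
        Mail         = $u.mail
        ValidCerts   = $valid.Count
        StaleEntries = $stale          # expired or mismatched certs still published in AD
        NewestExpiry = $newest
        Status       = $status
    }
}
```

Pipe the output to Export-Csv or filter on Status to get the renewal and cleanup work list before users hit "recipient has no valid certificate" errors in Outlook.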