Microsoft KB Archive/192044

= XADM: Setting Up X509v3 Certificates on Exchange 5.5 SP1 KMS with Local Certificate Server =

Article ID: 192044

Article Last Modified on 10/28/2006

-

APPLIES TO


 * Microsoft Exchange Server 5.5 Standard Edition
 * Microsoft Exchange Server 5.5 Service Pack 1

-



This article was previously published under Q192044



SUMMARY
This article details how to set up X.509 V3 certificate support on an Exchange Server 5.5 Service Pack 1 (SP1) Key Management Server (KMS) computer that also has Microsoft Certificate Server installed.

Before you proceed with the KMS Setup, consult the following Microsoft Knowledge Base article, which details how to properly update Certificate Server to version 5.00.1671.200.

184695 : Readme Notes for Certificate Server Update

The updated files can be obtained from the following location:

ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/certserv/

NOTE: It is important that the Microsoft Exchange Service account has at least READ-ONLY privileges on the shared CERT directory of the Microsoft Certificate server computer.

If the KMS is not installed, please consult the README file on the Exchange Server 5.5 SP1 installation disk on how to install the service.

NOTE: Once the KMS is installed, you will need to reapply SP1 for Exchange Server 5.5 or you may experience problems gaining access to some of the CA Object's property pages, specifically the "Certificate Trust List".



MORE INFORMATION
To enable X.509 V3 certificates on the Exchange Server 5.5 Service Pack 1 KMS, perform the following steps:

 The Expolicy.dll file must first be registered to the Certificate Server computer. This file in located on the Exchange Server 5.5 SP1 installation disk in the following location:

Server\Support\Kms\Expolicy\

To register this file, go to an MS-DOS command prompt, change to the above directory, and then type the following:

REGSVR32 EXPOLICY.DLL

 After the notification that the DLL is registered is displayed, type the following from a command prompt:

NET STOP CERTSVC

 After the service is stopped, type the following at a command prompt to restart the Certificate server:

NET START CERTSVC

 Open the Microsoft Exchange Server Administrator program. Go to the Site Configuration container, and select properties for the CA object. Click on the Enrollment tab. In the Microsoft Exchange 4.0/5.0 compatibility section, there are three choices. By default, the "Issue X.509 V1 certificates only" check box is selected. Select either of the remaining options to issue X.509 V3 certificates (either "Issue both V1 and V3 certificates" or "Issue X.509 V3 certificates only").

A dialog box will then prompt you to select the Certificate Authority. Verify that the local Certificate Server computer is selected and continue. The Exchange Server KMS computer will now be properly configured to use the locally installed Certificate Server.

For more information on how to implement KMS in an Exchange Server organization, consult the Exchange Server 5.5 README file.

Additional query words: security km server s/mime smime

Keywords: kbhowto KB192044

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.