How to Import the Root CA Certificate into Email Client Certificate Stores
The email client connecting to the Exchange Server’s secure sites must trust the Exchange Server’s site certificates. The following Exchange Server services (or protocols) can be secured with SSL/TLS encryption:
- SMTP POP3 NNTP IMAP4 HTTP RPC over HTTP
You can use a single Web site certificate and bind that certificate to each of these Exchange Services, or you can request a separate certificate for each service. You can obtain a Web site certificate from a standalone Microsoft Certificate Server, an enterprise Microsoft Certificate Server, or a commercial certificate authority.
Before it can successfully negotiate a secure SSL/TLS link with the Exchange Server, the email client must trust the certificate authority (CA) issuing the Web site certificate to the Exchange
Server’s services. The email client does not need a machine certificate to accomplish this; the email client only needs the root CA certificate in its Trusted Root Certification Authorities machine certificate store.
You can confirm the root CA certificate is installed in the Trusted Root Certification Authorities machine certificate store on Windows 2000, Windows XP and Windows Server 2003 machines by using the Certificates mmc console.
The first step is to check the name of the CA that assigned the Web site certificate for your site. Perform the following steps on the Exchange Server hosting the secure site:
1. Click Start and click on the Run command. Type mmc in the Open text box and click OK. In the Console 1 console, click the File menu and click the Add/Remove Snap-in command (figure 1).