Concepts and Planning

Key Management Server

To use the advanced security features of Microsoft Exchange Server, you must configure at least one computer in your organization as the server that stores and manages the security database. This server is called the Key Management (KM) server. You can configure up to one KM server per site.

The KM server provides the following services:

Note   The KM server uses Microsoft Certificate Server to certify public signing and encryption keys. For information about Microsoft Certificate Server, see your Microsoft Internet Information Server version 4.0 documentation.

Private encryption keys and public signing keys for security-enabled users and the revocation list are stored in the key management database. The KM server database itself is encrypted, so that the highest level of security is maintained.

After you configure the KM server, you must enable advanced security for your users. You give users temporary keys so that they can complete the advanced security process. A temporary key is used only once, and it secures the connection between the KM server and the client. You should distribute temporary keys to users in person for maximum security. You can enable advanced security for users individually or in bulk.
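The enrollment step above has two properties worth seeing in code: the temporary key is consumed on first use, and it binds the client's enrollment request to the KM server so that a request without a valid key (or with a stale one) is rejected. The following is an added illustration, not the Exchange KM server protocol or any Microsoft code; `KMServer`, `issue_temporary_key`, `enroll`, `enrollment_proof` and `client_enroll` are hypothetical names, the in-memory dictionaries stand in for the (encrypted) key management database, and the public signing key and user names are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time


class KMServer:
    """Stand-in for a Key Management server (constructed example, not Exchange's own)."""

    def __init__(self, now=time.time):
        self._now = now
        # user -> (temporary key, expiry time). The real KM database is encrypted
        # at rest; a plain dict is used here only so the example runs stand-alone.
        self._pending = {}
        self.enrolled = {}   # user -> public signing key accepted for that user
        self.audit = []      # constructed trail of (user, outcome) for detection/review

    def issue_temporary_key(self, user, ttl_seconds=3600):
        """Generate a one-time key for the user; hand it over out of band (e.g. in person)."""
        token = secrets.token_hex(16)   # 128 bits of randomness
        self._pending[user] = (token, self._now() + ttl_seconds)
        return token

    def enroll(self, user, public_signing_key, proof):
        """Accept a public signing key only if the request proves possession of the user's unused, unexpired temporary key."""
        entry = self._pending.get(user)
        if entry is None:
            self.audit.append((user, "no_token"))
            return "no_token"
        token, expiry = entry
        if self._now() > expiry:
            del self._pending[user]
            self.audit.append((user, "expired"))
            return "expired"
        expected = enrollment_proof(token, user, public_signing_key)
        if not hmac.compare_digest(expected, proof):   # constant-time comparison
            self.audit.append((user, "invalid"))
            return "invalid"
        del self._pending[user]          # single use: the key is gone after one enrollment
        self.enrolled[user] = public_signing_key
        self.audit.append((user, "enrolled"))
        return "enrolled"


def enrollment_proof(token, user, public_signing_key):
    """HMAC over (user, key) keyed with the temporary key; ties the request to the key holder."""
    msg = user.encode() + b"\x00" + public_signing_key
    return hmac.new(token.encode(), msg, hashlib.sha256).hexdigest()


def client_enroll(server, user, token, public_signing_key):
    """Client side: submit the public signing key together with the proof of the temporary key."""
    proof = enrollment_proof(token, user, public_signing_key)
    return server.enroll(user, public_signing_key, proof)


def demo():
    """Walk through one enrollment and one replay of the same temporary key."""
    server = KMServer()
    token = server.issue_temporary_key("alice")
    pubkey = b"constructed-public-signing-key-for-alice"
    first = client_enroll(server, "alice", token, pubkey)    # "enrolled"
    second = client_enroll(server, "alice", token, pubkey)   # "no_token": key already used
    return first, second


if __name__ == "__main__":
    print(demo())
```

The audit list is there because a stream of `invalid` or `expired` outcomes for one user is exactly what an administrator would want to see when reviewing enrollment, and the out-of-band delivery of the temporary key is what the page's "distribute in person" advice protects.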