DigiCert KnowledgeBase - Technical Support

S/MIME Secure Email via Outlook

Solution ID : INFO143
Last Modified : 09/14/2024

When requesting an S/MIME certificate, it can have two elements: email signing, and encryption.


Once the certificate is issued, it must be installed and configured in Outlook. There are two ways the certificate may have been delivered, and the download step depends on which one applies:

  • CSR (Certificate Signing Request): If a CSR was provided, download the certificate to the machine where the CSR was generated, since that is where the matching private key lives. The certificate can then be opened and imported into the system.
  • Link: If a CSR was not provided, a link will have been sent out in an email. Using this link generates the certificate. A password must be created, and a PFX (PKCS#12) file containing the certificate and private key is saved. Open this file and import it into the system.

Usually, these certificates are installed to the personal store. Now that the certificate has been installed, use the following path to get to the configuration window.

File -> Options -> Trust Center -> Trust Center Settings -> Email Security.
This is where all the configurations will take place.


To select the certificate:

  1. Click on “Settings...” and select the certificate you want to use for signing and/or encryption. If one certificate covers both, select the same certificate for both. If you have multiple certificates, different profiles can be created for the different certificates.
  2. Once the certificate is selected, the remaining options can be toggled as desired. If encryption is wanted, it is recommended to enable “Send these certificates with signed messages,” since recipients need your certificate in order to encrypt mail to you.

  • For email signing, toggle “Add digital signature to outgoing messages” to sign all outgoing emails.
  • For encryption, toggle “Encrypt contents and attachments for outgoing messages” to encrypt all outgoing emails. Both of these settings are optional, as are the others.

To test the settings:

  1. Compose a new email.
  2. Under Options, there should be two buttons for S/MIME: one for signing and one for encryption. Depending on the settings above, some of these may already be toggled on. If not, they will need to be toggled on for that feature to be used on this email. A feature can also be disabled for an individual email if it is not wanted. In the accompanying screenshot, the email will be signed while encryption is disabled.


Signing

Signing an email can be done with contacts outside of the organization with few limits. How the signature is displayed depends on the recipient's email client. There may also be restrictions on the supported algorithms. By default, Outlook uses the SHA1 algorithm for signing. Because SHA1 has been largely deprecated, some clients do not trust signatures that use it. Even so, a SHA1-signed message can still be used to distribute the certificate for use in encryption. The hash algorithm can be changed in the Email Security section where the certificates are assigned.


Encryption

For encryption, there are a few factors to consider which can affect the process. Outlook can use Active Directory to distribute certificates to contacts within an organization. This allows users to send S/MIME encrypted emails to other contacts within their organization. If there is a problem, the certificate may need to be published to the ‘GAL’ (Global Address List), which publishes the certificate to the organization's Active Directory. However, if an encrypted email is sent outside of the organization, the following error may be encountered.

To resolve this, the recipient must have an S/MIME certificate. The other requirement is that both the sender's and the recipient's certificates are available to the other party, because each side encrypts to the other's public key. This is done by sending an email that carries the certificate, and sending a signed email is the easiest way to do so. The recipient can then respond with an encrypted email. With this response, the original sender now has the recipient's certificate, and all emails between these two parties can be encrypted.

If a certificate can only be used for encryption and not for signing, it cannot be distributed through a signed message, so the certificate will need to be sent and imported separately, in any format the recipient's system can import. The recipient can then send an encrypted email with S/MIME.


Importing/Exporting Digital IDs

In the Email Security window in the Outlook Trust Center, next to the “Publish to GAL...” button, there is another button to import/export digital IDs. This feature can only import or export PKCS#12 formatted certificates (.pfx files). Because a PFX file contains the certificate chain together with the private key, it should only be used to import or export your own certificates. It should not be used to import someone else's certificate; a recipient's certificate is imported as a public certificate only.
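As an added example (not part of this DigiCert article), the following Python using the `cryptography` library illustrates the points made in the Encryption and Importing/Exporting sections: it opens a PFX, extracts only the public certificate in DER (.cer) form so it can be sent to a recipient without the private key, and reads the Key Usage and Extended Key Usage extensions to decide whether a certificate can be used for S/MIME signing, encryption, or both. The PFX produced by `make_test_pfx` is a constructed, self-signed stand-in for the file saved from the issuer's download link; a real issued certificate would be CA-signed.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def make_test_pfx(email, password, sign, encrypt):
    """Constructed self-signed S/MIME-style certificate wrapped in a PFX.
    Stand-in for the PFX saved from the issuer's link (real ones are CA-signed)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, email)])
    now = datetime.now(timezone.utc)
    key_usage = x509.KeyUsage(
        digital_signature=sign, content_commitment=sign,  # required for signing
        key_encipherment=encrypt,                          # required for RSA encryption
        data_encipherment=False, key_agreement=False, key_cert_sign=False,
        crl_sign=False, encipher_only=False, decipher_only=False)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=365))
            .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
            .add_extension(key_usage, critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.EMAIL_PROTECTION]), critical=False)
            .sign(key, hashes.SHA256()))
    return pkcs12.serialize_key_and_certificates(
        b"smime", key, cert, None, serialization.BestAvailableEncryption(password))


def public_cert_from_pfx(pfx_bytes, password):
    """Return only the public certificate as DER (what Outlook saves as .cer).
    The PFX also holds the private key, so the PFX itself is never sent to anyone."""
    key, cert, _chain = pkcs12.load_key_and_certificates(pfx_bytes, password)
    if key is None or cert is None:
        raise ValueError("PFX does not contain both a certificate and a private key")
    return cert.public_bytes(serialization.Encoding.DER)


def smime_capabilities(der_cert):
    """Decide from Key Usage and Extended Key Usage whether a certificate can be
    used for S/MIME signing, encryption, or both (an encrypt-only cert cannot sign)."""
    cert = x509.load_der_x509_certificate(der_cert)
    ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    email_ok = ExtendedKeyUsageOID.EMAIL_PROTECTION in eku
    return {"signing": email_ok and ku.digital_signature,
            "encryption": email_ok and ku.key_encipherment}
```

Run `smime_capabilities(public_cert_from_pfx(open("id.pfx", "rb").read(), b"password"))` against a real PFX to see which S/MIME roles it supports before assigning it in the Outlook Email Security settings.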