Scenario
You wish to use S/MIME encryption with Outlook mobile, but when you try to enable signing or encryption with the same certificate that already works in Outlook Desktop and OWA, Outlook mobile shows the following error:
Reason
Unlike an on-premises Exchange server, Exchange Online does not by default trust any publicly or privately trusted root or intermediate CAs under which S/MIME certificates are issued. It only trusts the issuing CA certificates that have been uploaded to the tenant's S/MIME configuration.
Solution
To allow this, you must import the issuing CA certificates (root and intermediates) into the S/MIME configuration of your Office 365 tenant.
Warning
These instructions require familiarity with exporting and importing certificates, and access to Exchange Online PowerShell with an account that can change the tenant S/MIME configuration.
Generate the SST (Serialized certificate store) file
Information
Carefully select the CAs required to validate the S/MIME certificates in your environment. We recommend including only the CAs that are actually in your certificates' issuing chain; every CA you upload becomes trusted for S/MIME in the whole tenant.
The certmgr.msc wizard only offers the SST format when 2 or more certificates are selected. Select the root and intermediate CA certificates of your S/MIME certificate's chain; if that chain contains a single CA certificate, add a root certificate from a well-known public provider such as DigiCert so that the SST option becomes available.
- Open the Run dialog (Win+R) and start certmgr.msc
- Copy (do not move) any required Intermediate CAs from the Intermediate Certification Authorities folder to the Trusted Root Certification Authorities folder, because an SST export can only reference one folder. Note that the copy makes the current user profile treat the intermediate as a trusted root; delete the copy from Trusted Root Certification Authorities once the export is complete
- Select ‘Trusted Root Certification Authorities’, and select ‘Certificates’
- Select the valid Root and Intermediate certificates for your S/MIME certificate using Ctrl-Click. Ensure only non-expired certificates are selected
- From the menu, select Action -> Export
- Select the SST option, then Next. This option will be unavailable if a single certificate is selected.
- Name the SST and save to a location
- Complete the export
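The same result can be produced without copying intermediates into the Trusted Root store, by letting Windows build the chain of your S/MIME certificate and exporting the CA certificates it finds with Export-Certificate. The script below is an added example and is not part of the original article; it assumes your S/MIME certificate is in the current user's Personal store and that you supply its thumbprint and the output path.

```powershell
# Added example (not from the original article): build the SST from the actual issuing
# chain of an S/MIME certificate instead of hand-picking certificates in certmgr.msc.
# Assumptions: the S/MIME certificate is in Cert:\CurrentUser\My, and $SmimeThumbprint and
# $SstPath are values you supply.
param(
    [Parameter(Mandatory)][string]$SmimeThumbprint,
    [string]$SstPath = "$env:USERPROFILE\Documents\smime-issuing-cas.sst"
)

$leaf = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object Thumbprint -eq $SmimeThumbprint
if (-not $leaf) { throw "S/MIME certificate $SmimeThumbprint not found in Cert:\CurrentUser\My" }

# Build the chain locally. This uses the machine's Root/CA stores (and AIA fetching) to
# locate issuers, so the chain must already validate on this workstation.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($leaf)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation)" }
    throw "Could not build a trusted chain for the S/MIME certificate on this machine"
}

# Every chain element after the first (the leaf) is an issuing CA: intermediates, then the root.
$issuingCAs = @($chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate })

# Refuse to ship an expired CA certificate; Exchange Online would not validate against it anyway.
$now = Get-Date
$expired = @($issuingCAs | Where-Object { $_.NotAfter -lt $now })
if ($expired.Count -gt 0) { throw "Expired CA certificate(s) in chain: $(($expired | ForEach-Object Subject) -join '; ')" }

if ($issuingCAs.Count -lt 2) {
    # Export-Certificate has no two-certificate minimum (unlike the certmgr.msc wizard), but a
    # chain with a single CA usually means the intermediate was not found.
    Write-Warning "Chain contains a single CA certificate; check that the intermediate CA was located."
}

"CA certificates to be exported:"
$issuingCAs | ForEach-Object { "  {0}  {1}  expires {2:yyyy-MM-dd}" -f $_.Thumbprint, $_.Subject, $_.NotAfter }

# Piping several certificates into Export-Certificate with -Type SST writes one
# Microsoft Serialized Certificate Store containing all of them.
$issuingCAs | Export-Certificate -FilePath $SstPath -Type SST -Force | Out-Null

# Sanity check: re-read the file and confirm it holds exactly the CA certificates we selected.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$check.Import($SstPath)
if ($check.Count -ne $issuingCAs.Count) {
    throw "SST contains $($check.Count) certificate(s), expected $($issuingCAs.Count)"
}
"Wrote $SstPath with $($check.Count) CA certificate(s)"
```

Revocation checking is disabled in the chain build only because the goal here is to enumerate issuers, not to validate the end-entity certificate; the Exchange Online side performs its own checks once the CAs are uploaded.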
Upload the SST file to Office 365
Now that you have the SST file, it needs to be configured within Office 365.
- Open PowerShell and install the Exchange Online PowerShell V3 module (ExchangeOnlineManagement) if it is not already installed:
Install-Module -Name ExchangeOnlineManagement -Force
- Load the module with the following command:
Import-Module ExchangeOnlineManagement
- Connect to Exchange Online with your admin account, replacing the generic account below:
Connect-ExchangeOnline -UserPrincipalName user@domain.com
A browser window will open requesting your authentication credentials.
- Run the following command, replacing the sample SST filename and location with your own (use an absolute path, because [System.IO.File] does not resolve relative paths against the PowerShell current location):
Set-SmimeConfig -SMIMECertificateIssuingCA ([System.IO.File]::ReadAllBytes('C:\My Documents\myvirtualcertcollection.sst'))
The command produces no output on success. If you upload an SST when one is already configured, you will see the following confirmation:
After the SST has been uploaded successfully, wait approximately 1 hour for Exchange to complete the sync.
When using Outlook Mobile, your S/MIME certificate will now be trusted.
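To confirm what the tenant actually holds after the upload, the uploaded store can be read back with Get-SmimeConfig and decoded into certificates. The script below is an added example, not part of the original article; it assumes the ExchangeOnlineManagement module is installed, that you supply the admin UPN and SST path, and that the SMIMECertificateIssuingCA property returned by Get-SmimeConfig contains the uploaded store as a byte array.

```powershell
# Added example (not from the original article): upload the SST, then read the tenant
# configuration back and compare it with the local file.
# Assumptions: ExchangeOnlineManagement is installed, $AdminUpn and $SstPath are supplied
# by you, and Get-SmimeConfig returns the uploaded store in SMIMECertificateIssuingCA as bytes.
param(
    [Parameter(Mandatory)][string]$AdminUpn,
    [Parameter(Mandatory)][string]$SstPath
)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

# Resolve to an absolute path: [System.IO.File] uses the process working directory,
# which is not necessarily the PowerShell current location.
$fullPath = (Resolve-Path -LiteralPath $SstPath).ProviderPath
$bytes = [System.IO.File]::ReadAllBytes($fullPath)

# Decode the SST locally first so the operator sees exactly which CAs are being trusted.
$local = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$local.Import($bytes)
"Uploading $($local.Count) CA certificate(s):"
$local | ForEach-Object { "  {0}  {1}" -f $_.Thumbprint, $_.Subject }

Set-SmimeConfig -SMIMECertificateIssuingCA $bytes

# Read back the tenant configuration and decode it the same way.
$remoteBytes = [byte[]](Get-SmimeConfig).SMIMECertificateIssuingCA
$remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$remote.Import($remoteBytes)
$remoteThumbprints = @($remote | ForEach-Object Thumbprint)

# Anything in the local file that is missing remotely means the upload did not take.
$missing = @($local | Where-Object { $remoteThumbprints -notcontains $_.Thumbprint })
if ($missing.Count -gt 0) {
    Write-Warning "Not present in tenant configuration: $(($missing | ForEach-Object Subject) -join '; ')"
} else {
    "All $($local.Count) CA certificate(s) are present in the tenant S/MIME configuration."
}

# Warn early about CA certificates that will soon stop validating signatures.
$remote | Where-Object { $_.NotAfter -lt (Get-Date).AddDays(90) } | ForEach-Object {
    Write-Warning ("Expires within 90 days: {0} ({1:yyyy-MM-dd})" -f $_.Subject, $_.NotAfter)
}

Disconnect-ExchangeOnline -Confirm:$false
```

Note that Set-SmimeConfig replaces the whole collection rather than merging with it, so the local SST must contain every CA the tenant needs, not just the one being added.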