
How to configure S/MIME encryption certificate in Exchange online / Office 365

We have successfully set up our existing S/MIME certificate in our new Exchange Online / Office 365 tenant. We searched online and found numerous guides on configuring S/MIME encryption certificates, but most of them simply replicate content from Microsoft blogs, which is frustrating because they lack clear explanations.

It’s relatively simple if you review the prerequisites before getting started:

  1. You need to log in as a Windows administrator.
  2. PowerShell must be installed, or you should have the complete Windows Management Framework 4.0.
    1. PowerShell must be run as an administrator.
    2. Supported operating systems include Windows 7, Windows Embedded Standard 7, Windows Server 2008 R2, and Windows Server 2012.
    3. x64: Windows6.1-KB2819745-x64-MultiPkg.msu; x86: Windows6.1-KB2819745-x86.msu.
    4. For additional information, please click here.
  3. S/MIME in OWA works only with IE9 or later.
  4. The issuing CA certificates must be installed on the local machine so they can be exported as a .SST file, which is what gets uploaded to Exchange Online / Office 365.
  5. A Certificate Authority (CA), either Windows-based or third-party, issues the end user's certificate for signing and encrypting messages.

Benefits:

  1. Compose, send, receive, encrypt, and decrypt S/MIME-encrypted email via OWA, on IE9 or above only.
  2. Send and receive digitally signed email via Outlook, OWA, and EAS clients.

Export Process

Step 1: Make sure an email (S/MIME) certificate is installed on your local machine. If not, buy one from a certificate authority and install it from the PFX / P12 file, because we need to export the certificate chain of our personal email certificate to a .SST file (Office 365 / Exchange Online system requirement).

Step 2: Let's create a .SST file from the trusted root CA / intermediate CA that issued the certificate.

If you are not familiar with PowerShell, the easiest way to export the certificates to a .SST file is the Windows MMC certificates snap-in.

Click Run and type certmgr.msc to open the snap-in. Expand Trusted Root Certification Authorities > Certificates, select the CA certificates that issued your personal or business email certificate, then right-click > All Tasks > Export…

Depending on the CA, some of the issuing certificates may be installed under Intermediate Certification Authorities or Personal instead. Find the right folder and move them all into Trusted Root Certification Authorities so they can be exported together into one .SST file.

If you select only one certificate and export it, the .SST option is not offered, so you must select multiple certificates (i.e. the intermediate certificate and the personal one) to export.

Below: select multiple certificates, then choose Microsoft Serialized Certificate Store (.SST), click Next, and save the SST file to the C:\ drive.
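The same export done from PowerShell, as an added example that is not part of the original post: instead of hand-picking certificates in certmgr.msc, it starts from the personal S/MIME certificate, builds its chain, and writes every issuer (intermediate and root) into one .SST file. It assumes the personal certificate lives in the CurrentUser\My store, that the output path C:\smime-ca-chain.sst is yours to choose, and that the PKI module (Export-Certificate, Windows 8 / Server 2012 or later) is available.

```powershell
# Added example (not from the original post): export the issuing CA chain of your
# S/MIME certificate to a .SST file with PowerShell instead of the certmgr.msc wizard.
# Assumptions: personal certificate is in CurrentUser\My; output path is arbitrary.

$OutFile = 'C:\smime-ca-chain.sst'
$SecureEmailEku = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection

# Pick the newest personal certificate that has a private key and the Secure Email EKU.
$leaf = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $SecureEmailEku }) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $leaf) { throw 'No S/MIME certificate with a private key found in CurrentUser\My.' }

# Build the chain so every issuer is found, whichever store (Root, CA, Personal) it sits in.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # we only need the path, not a revocation verdict
if (-not $chain.Build($leaf)) {
    Write-Warning "Chain did not validate cleanly: $($chain.ChainStatus.Status -join ', ')"
}

# Element 0 is the user certificate itself; everything after it is an issuing CA.
$issuers = @($chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate })
if ($issuers.Count -eq 0) { throw 'Chain has no issuer certificates; is the CA installed locally?' }
$issuers | ForEach-Object { '{0}  (expires {1:yyyy-MM-dd})' -f $_.Subject, $_.NotAfter }

# Export-Certificate accepts several certificates from the pipeline; -Type SST puts them
# all into one serialized store file, which is the format Set-SmimeConfig expects.
$issuers | Export-Certificate -FilePath $OutFile -Type SST | Out-Null

# Re-open the file to confirm it holds the expected number of certificates.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$check.Import($OutFile)
"$($check.Count) certificate(s) written to $OutFile"
```

Exporting only the chain elements above the leaf is deliberate: the .SST uploaded to Exchange Online should contain issuing CA certificates, not your personal certificate and its private key.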

Connect to Exchange Online using remote PowerShell

Step 1: Run PowerShell; if it is not installed, click here. After installation, search for PowerShell. (See below)

Step 2: Right-click PowerShell and click Run as Administrator. (See below)

Step 3: Once PowerShell is running as an administrator, type 'cd..' to go up to the root of the drive, because that is where we saved the .SST file. Then type:

$UserCredential = Get-Credential

This command prompts for the credentials that will be used to connect to Exchange Online / Office 365 with your admin account.

A Windows credential dialog will pop up. Type your admin user name and password for Office 365 / Exchange Online. (See below)

Step 4: The command below creates a session with Exchange Online for all regions except China.

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Note: If you are an Office 365 operated by 21Vianet customer in China, use the following value for the ConnectionUri parameter: https://partner.outlook.cn/PowerShell.

Step 5: Run this command to relax the PowerShell script execution policy so that the module generated by Import-PSSession in the next step is allowed to load. (RemoteSigned is also sufficient for this; Unrestricted is broader than needed.)

Set-ExecutionPolicy Unrestricted -force

Step 6: The following command imports the Exchange Online cmdlets from the session into your local PowerShell.

Import-PSSession $Session

Once all the commands complete without errors, type two more commands to upload the SST file into Exchange Online / Office 365.

Make sure that your PowerShell prompt is at the root of drive C:, i.e. PS C:\>

Step 7: Upload the .SST file to Exchange Online / Office 365 (-Encoding Byte is Windows PowerShell syntax; PowerShell 7 uses -AsByteStream instead):

$sst = Get-Content <sst file copied from the box>.sst -Encoding Byte

My .SST file was in drive C:\ so I typed:

$sst = Get-Content qureshi.sst -Encoding Byte

Step 8: Below is the last command to run:

Set-SmimeConfig -SMIMECertificateIssuingCA $sst

When you are finished, it is important to close the session. You can do this by running the following command:

Remove-PSSession $Session
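Steps 3 to 8 above as one script, added here as an example and not the post's own code. It checks the .SST before sending it (the file must parse as a certificate store and contain only CA certificates), uploads it, reads the configuration back with Get-SmimeConfig to confirm the store landed, and always removes the session. It assumes the file is at C:\smime-ca-chain.sst, that the worldwide endpoint applies, that the execution policy from Step 5 has already been set, and that SMIMECertificateIssuingCA comes back from Get-SmimeConfig as a byte array.

```powershell
# Added example (not the post's own code): connect, validate the .SST, upload it,
# read the S/MIME config back, and tear the session down.
# Assumptions: path and endpoint below; SMIMECertificateIssuingCA is returned as byte[].

$SstPath = 'C:\smime-ca-chain.sst'
$ConnectionUri = 'https://outlook.office365.com/powershell-liveid/'   # 21Vianet: https://partner.outlook.cn/PowerShell

# 1. Read the store file as raw bytes (Windows PowerShell 5.1; PowerShell 7 uses -AsByteStream).
$sst = Get-Content -Path $SstPath -Encoding Byte -ReadCount 0
if (-not $sst -or $sst.Length -eq 0) { throw "$SstPath is empty or missing." }

# 2. Confirm it is a certificate store and contains only CA certificates before uploading.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$store.Import([byte[]]$sst)
if ($store.Count -eq 0) { throw "$SstPath contains no certificates." }
foreach ($c in $store) {
    $isCa = $c.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and $_.CertificateAuthority }
    if (-not $isCa) { throw "$($c.Subject) is not a CA certificate; export only the issuing chain, not your personal certificate." }
    if ($c.NotAfter -lt (Get-Date)) { Write-Warning "$($c.Subject) has already expired." }
}
"Uploading $($store.Count) CA certificate(s) from $SstPath"

# 3. Connect exactly as in the steps above.
$UserCredential = Get-Credential -Message 'Exchange Online admin account'
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $ConnectionUri `
           -Credential $UserCredential -Authentication Basic -AllowRedirection
try {
    Import-PSSession $Session -DisableNameChecking -AllowClobber | Out-Null

    # 4. Upload the CA store and read the configuration back instead of trusting silence.
    Set-SmimeConfig -SMIMECertificateIssuingCA $sst
    $cfg = Get-SmimeConfig
    if (-not $cfg.SMIMECertificateIssuingCA) { throw 'Set-SmimeConfig returned no error, but the CA store is still empty.' }
    $uploaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $uploaded.Import([byte[]]$cfg.SMIMECertificateIssuingCA)
    'Exchange Online now trusts {0} issuing CA(s) for S/MIME:' -f $uploaded.Count
    $uploaded | ForEach-Object { '  ' + $_.Subject }
}
finally {
    # 5. Always close the session; Exchange Online caps concurrent sessions per admin.
    Remove-PSSession $Session
}
```

The try/finally guarantees Remove-PSSession runs even when Set-SmimeConfig throws, which matters because a handful of leaked sessions will lock an admin out of remote PowerShell until they expire.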

Outlook client settings and the Publish to GAL process:

Before configuring Outlook and publishing certificates to the GAL (Global Address List), you must have the certificates installed on your local machine to set up Outlook 2010 or above.

On Outlook:

  • On the File menu in Outlook 2013, click Options.
  • In the Outlook Options window, click Trust Centre, click Trust Centre Settings…, and then click Email Security.
  • In the Trust Centre window, click Settings… (here you need to choose a certificate issued by the CA you are going to use for S/MIME).
  • In the Change Security Settings window, type a Security Settings Name (any name will do) and choose the Signing and Encryption certificates. Select the certificate set up in the previous steps, leave the algorithms at their defaults and click OK.
  • In the Trust Centre window, click Publish to GAL to publish your certificate to Exchange Online.
  • Once all certificates have been uploaded to the GAL, you will receive a completion message.
  • To confirm that the certificate is published in AAD (Azure Active Directory), connect to Exchange Online using remote PowerShell and run the following command. Check that the UserSMimeCertificate attribute is populated with the certificate data. If not, repeat the same steps.
Get-Mailbox <user> | FT *user*

In my scenario:

Get-Mailbox qureshi | FT *user*


If UserSMimeCertificate shows a series of numbers (the raw bytes of the certificate), your certificate has been published to Exchange Online and the GAL.
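A stricter version of that check, added as an example and not part of the original post: rather than looking for "random numbers", it decodes what Exchange Online stored for the mailbox, prints subject, issuer and expiry, and confirms the issuer is one of the CAs uploaded with Set-SmimeConfig. It assumes an Exchange Online session is already imported (as in the connection steps), that the mailbox alias is a placeholder to replace, that UserCertificate holds raw DER certificates, and that SMIMECertificateIssuingCA is returned as a byte array.

```powershell
# Added example (not the post's own code): verify a published S/MIME certificate
# against the CA store Exchange Online trusts. Requires an imported Exchange Online session.
# Assumptions: UserCertificate is raw DER; SMIMECertificateIssuingCA is byte[]; alias is a placeholder.

function Test-PublishedSmimeCertificate {
    param([Parameter(Mandatory)][string]$Mailbox)

    $mbx = Get-Mailbox -Identity $Mailbox
    if (-not $mbx.UserSMimeCertificate -or $mbx.UserSMimeCertificate.Count -eq 0) {
        Write-Warning "$Mailbox has no UserSMimeCertificate; repeat Publish to GAL in Outlook."
        return $false
    }
    $total = ($mbx.UserSMimeCertificate | ForEach-Object { $_.Length } | Measure-Object -Sum).Sum
    'UserSMimeCertificate: {0} blob(s), {1} bytes total' -f $mbx.UserSMimeCertificate.Count, $total

    # Issuing CAs that Exchange Online trusts for S/MIME (the .SST uploaded earlier).
    $trusted = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $trusted.Import([byte[]](Get-SmimeConfig).SMIMECertificateIssuingCA)

    $ok = $true
    foreach ($der in $mbx.UserCertificate) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
        $issuerTrusted = [bool]($trusted | Where-Object { $_.Subject -eq $cert.Issuer })
        "{0}`n  issuer:  {1}`n  expires: {2:yyyy-MM-dd}`n  issuer in uploaded CA store: {3}" -f `
            $cert.Subject, $cert.Issuer, $cert.NotAfter, $issuerTrusted
        if ($cert.NotAfter -lt (Get-Date)) {
            Write-Warning 'Published certificate has expired; renew it and publish again.'
            $ok = $false
        }
        if (-not $issuerTrusted) {
            Write-Warning 'Issuer is not in the CA store uploaded with Set-SmimeConfig; OWA will not trust this certificate.'
            $ok = $false
        }
    }
    return $ok
}

Test-PublishedSmimeCertificate -Mailbox 'alias-placeholder'
```

Comparing the published certificate's issuer against the uploaded CA store catches the most common S/MIME setup failure: a certificate that Outlook happily publishes but that OWA refuses because its issuing CA was never uploaded.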

After the above steps, you can use Outlook, OWA, or EAS to send and receive S/MIME messages.

For OWA, make sure you use IE9 or above to send encrypted email. When you enable S/MIME in the OWA settings, you will be asked to install a small add-on (the S/MIME control).

Outlook Web App:

  • OWA for S/MIME is supported only on Windows Vista or later with IE9 or later. It is not supported in other browsers or in MOWA (Mobile Outlook Web Access).
  • Third-party certificates aren't supported for OWA S/MIME; only certificates issued by a Windows Certificate Authority are supported.
  • To use Outlook Web Access with S/MIME, the client system on which the user runs Internet Explorer must have the Outlook Web Access S/MIME control installed; S/MIME functionality in Outlook Web Access cannot be used on a system without it.

The S/MIME control in OWA requires .NET 4.5. All users accessing their mailboxes through OWA should install it on their machine; .NET 4.5 can be downloaded from the Microsoft Downloads page.

Enable S/MIME settings from OWA options

More References:

  1. https://www.microsoft.com/en-gb/download/details.aspx?id=40855
  2. http://www.ishir.com/blog/3707/cant-keep-step-step-easy-configuration-guide-smime-office-365.htm/
  3. https://technet.microsoft.com/en-us/library/jj984289%28v=exchg.160%29.aspx
  4. https://blogs.office.com/2014/02/26/smime-encryption-now-in-office-365/
  5. http://simon-may.com/setup-smime-office-365-owa/
  6. http://www.experts-exchange.com/articles/18714/How-to-Configure-S-MIME-in-Office-365-Explained.html
  7. https://community.office365.com/en-us/f/158/t/18272
  8. https://technet.microsoft.com/en-GB/library/dn626158(v=exchg.150).aspx
  9. https://www.digicert.com/ssl-certificate-installation-microsoft-office-365.htm
  10. https://technet.microsoft.com/library/jj984289(v=exchg.160).aspx
