Finally, we have managed to install our existing S/MIME certificate to our new Exchange Online office 365.

We googled and found hundreds of procedures on how to configure S/MIME encryption certificates however 95% of editors just copy and paste from Microsoft blogs which can be annoying as they do not provide any good explanation.

It is fairly easy if you check the requirements before you start:

  1. You must login as a Windows Administrator.
  2. Power-shell must installed or full Windows Management Framework 4.0.
    1. PowerShell must run ‘As a Administrator’
    2. OS support: Windows 7, Windows Embedded Standard 7, Windows Server 2008 R2, Windows Server 2012
    3. x64: Windows6.1-KB2819745-x64-MultiPkg.msu or x86: Windows6.1-KB2819745-x86.msu
    4. More information please click here
  3. S/MIME OWA function works on IE9 or Above.
  4. Require CA installed on local machine to export as a .SST file require to upload on exchange online / office365
  5. End user’s certificate for signing and encrypting the message issued from Certificate Authorities(CA) either Windows based CA or Third party CA.


  1. Compose, send, receive, encrypt, and decrypt S/MIME-encrypted email via OWA only on IE9 or Above.
  2. Send and receive digitally signed email via Outlook, OWA, and EAS clients.

Export Process

Step 1: Make sure SSL email certificate installed on your local machine, if not then buy one and install it from certificate authority PFX / P12 format because we need to convert our Personal email certificate to .SST files. (Office 365 / Exchange Online System requirements).

Step 2: Let’s create a .SST file from our trusted Root CA / Intermediate of the certificate issued.

Easiest way to create / export a certificate form Windows MMC feature if you not familiar with PowerShell to convert .SST.

Click on RUN and type certmgr.msc snap-in, Locate your personal certificates, so expand Trusted Root Certificate Authorities > Certificates > select the CA Certificates which issued previously for your personal email or business email and right click > All Tasks > Export… 

Depending on CA maybe some of Trusted Root Certificate are installed in Intermediate Certificate Authority or Personal folder. Find the right folder and move to all in Trusted Root Certificate Authorities to export all together in .SST file.

If you select only one certificate and export then .SST option will not be available to export, so you must select multiple certificates i.e intermediate cert. and personal to export. 

Below: So select multiple certificates than Select Microsoft Serialized Certificate Store (.SST) > Click Next and save the SST file in c:\ drive

Connect to Exchange Online using remote PowerShell

Step 1: Run PowerShell, if not installed then click here . After installation please search for PowerShell. (See below)

Step 2: right click on PowerShell and click on Run as Administrator. (See below)

Step 3: Once PowerShell up and running as a administrator. Make sure type ‘cd..’ to go to root directory as we save .SST files there. then type:

$UserCredential = Get-Credential

This command will help you to connect with your Exchange online admin account / Office 365.

Windows will pop up. type your admin user and password for Office365 / Exchange Online. (See below).

Step 4: below command will help to create a session with US/Europe Exchange Online except China.

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $UserCredential -Authentication Basic -AllowRedirection

Note   If you are an Office 365 operated by 21Vianet customer in China, use the following value for the ConnectionUri parameter:

Step 5: Run this command to unrestricted some of exchange policy to upload .SST files.

Set-ExecutionPolicy Unrestricted -force

Step 6: Below command will help you to import sessions.

Import-PSSession $Session

Once all command done without any error, Please type two more command to upload .SST files into Exchange Online / Office 365.

Make sure on PowerShell your path should be on drive c:/. i.e: PS c:\> 

Step 7: Upload .SST file to Exchange Online / Office 365:

$sst = Get-Content <sst file copied from the box>.sst -Encoding Byte

My .SST file was in drive C:\ so I typed:

$sst = Get-Content qureshi.sst -Encoding Byte

 Step 8: Below is the last command to run:

Set-SmimeConfig -SMIMECertificateIssuingCA $sst

When you are finished, it is important to close out the session.  You can do this by running the following command:

Remove-PSSession $Session

 Outlook client settings and Publish CAL process:

Before outlook settings and publish certificate unto GAL ( Global Address List), you must have certificates installed in your local machine to setting up on outlook 2010 or above.

On Outlook:

  • On the File menu in Outlook 2013, click Options.
  • On the Outlook Options window, click Trust Center, click Trust Center Settings…, and then click Email Security.
  • In the Trust Center window, click Settings… (Here, you need to choose certificate issued by the CA you are going to use for S/MIME).
  • In the Change Security Settings window, type the Security Settings Name (you can name it anything) and choose Signing and Encryption certificate. Select the appropriate certificate assigned in previous steps, leave the Algorithm default and click OK
  • On the trust center Windows click on Publish to GAL to publish you certificate unto Exchange Online. 
  • Once fully uploaded all certificates to GAL, you will receive message for completion. 
  • To confirm the certificate is published in AAD (Azure Active Directory), connect to Exchange Online using remote PowerShell and run following command. Check to make sure that the UserSMimeCertificate attribute is populated with the certificate information. If not, repeat same steps again.
Get-Mailbox <user> | FT *user*

In my scenario:

Get-Mailbox qureshi | FT *user*

On UserSMimeCertificate show random numbers, its means your Ca uploaded on Exchange online and GAL.

After the above steps, you can use Outlook, OWA, or EAS to send and receive S/MIME messages.

For OWA, make sure use IE9 or above to sent encrypted email, time of enable S/MIME from OWA setting you will be ask to install small tiny Add-on.

Outlook Web App:

  • OWA for S/MIME – Supported only on Windows Vista or greater with browser IE9 and above. Not supported on other browsers or on MOWA (Mobile for Outlook Web Access).
  • Third party certificates aren’t supported for OWA S/MIME; only Windows Certificate Authority issued certificates are supported.
  • To use Outlook Web Access with the S/MIME control, the client system on which the user is running Internet Explorer must have Outlook Web Access with the S/MIME control installed. S/MIME functionality in Outlook Web Access cannot be used on a system that does not have Outlook Web Access with the S/MIME control installed.

SMIME control in OWA requires .Net 4.5. All users accessing their mailboxes using OWA should install this on their machine. .Net 4.5 can be installed from Microsoft Downloads page.

Enable S/MIME settings from OWA options

More References:

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *