Solved

Exchange Online S/MIME Encryption

Posted on 2016-09-19
Last Modified: 2016-09-22
Hello,

I have a question regarding Exchange Online and S/MIME Encryption.

The Exchange Server and Active Directory infrastructure has moved completely to the cloud. No on-premises Exchange Server and no on-premises Domain Controller.

In the past I was able to import the S/MIME certificates manually over AD UC (Active Directory Users and Computers). But since there is no Domain Controller locally I can not find a way to import the certificates. Normally the users are using the Outlook client to publish their own S/MIME certificate to the GAL. But sometimes the Outlook button "Publish to GAL" is missing (especially when multiple Outlook accounts are configured, or when users are working on Outlook for Mac). At this point I imported these certificates with the help of AD UC.
How can I realize this now without any on-premises Domain Controller?

Thanks for your help
Question by:Thorsten_S
6 Comments
 
LVL 64

Expert Comment

by:btan
ID: 41804994
You need to set up virtual certificate collection. It is a certificate store file type with an SST filename extension. The SST file contains all the root and intermediate certificates that are used when validating an S/MIME certificate. Pls see "Scenario 1: Exchange Online"
In this scenario, all the users are hosted on cloud and there is no on-premises Exchange organization.

Requirements

1. .SST File (Serialized store): The SST file contains all the root and intermediate certificates that are used when validating the S/MIME message in Office 365. The .SST file is created from certificate store explained below.
2. End user's certificate for signing and encrypting the message, issued from Certificate Authorities (CA), either a Windows-based CA or a third-party CA.
https://blogs.technet.microsoft.com/exchange/2014/12/15/how-to-configure-smime-in-office-365/

MSDN on "Create and save an SST" and "Ensuring a certificate is valid" https://technet.microsoft.com/en-us/library/dn626155(v=exchg.150).aspx
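The SST collection btan describes can be built from the issuing chain of one user certificate rather than by hand in the certificate MMC. The script below is an added example, not code from the thread or from Microsoft; it assumes an open Exchange Online remote PowerShell session, the PKI module on the admin workstation, a user certificate at C:\Certs\user.cer (path is an assumption), and that the intermediate and root CA certificates are installed or resolvable locally so the chain builds.

```powershell
# Added example (not from the original thread). Assumes an open Exchange Online
# remote PowerShell session and a sample user certificate at C:\Certs\user.cer
# (assumed path). Builds the chain, exports only the CA certificates to an SST,
# and uploads that SST as the S/MIME issuing-CA collection for the tenant.
$UserCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\Certs\user.cer'
$SstPath  = 'C:\Certs\SmimeIssuingCAs.sst'

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Revocation is evaluated by Office 365 when the SST is used; here only the chain shape matters.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($UserCert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw "Could not build a chain for $($UserCert.Subject); is an intermediate or root CA missing?"
}

# Element 0 is the end-entity certificate; the SST must hold only root and intermediate CAs.
$caCerts = $chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate }
$caCerts | ForEach-Object { "{0}  (issuer: {1})" -f $_.Subject, $_.Issuer }

# Export-Certificate (PKI module) writes a serialized certificate store when -Type SST is given.
$caCerts | Export-Certificate -FilePath $SstPath -Type SST -Force | Out-Null

# Upload the collection; Outlook on the web validates S/MIME signatures against it.
Set-SmimeConfig -SMIMECertificateIssuingCA (Get-Content -Path $SstPath -Encoding Byte -ReadCount 0)
Get-SmimeConfig
```

Re-run the script and upload again whenever a CA in the chain is renewed, because the tenant only trusts what the uploaded SST contains.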
 

Author Comment

by:Thorsten_S
ID: 41805135
Thanks for your reply.
I have seen this article before. I have uploaded the SST file with the root and intermediate certificates. But it is also mentioned and described here to publish the user's S/MIME certificate to the GAL with the Outlook "Publish to GAL" button:

Once the information is selected, you will notice the Default Setting is populated with Security Settings Name. Now you can click the Publish to GAL button. To publish the certificate to the GAL, click OK.

I have some Windows Outlook clients and Outlook for Mac clients where this button is not present (for Mac users it is never present, and for some Windows Outlook clients the button does not appear when there are multiple mailboxes connected in one Outlook profile).

I do not think that I can ignore this step to publish the user's S/MIME certificate to the GAL. In the past I had to import those certificates manually over AD UC.

At the Remote Exchange Powershell I can check the S/MIME Certificate with:
get-mailbox usersmailaddress | fl usersmimecertificate

I would now expect that there is a PowerShell cmdlet to import the "usersmimecertificate".
 
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 41805751
The missing button to publish to the GAL seems to be a bug due to multiple MAPI accounts in the user profile, see http://www.ehloworld.com/509

As for iOS to publish the S/MIME cert, I am thinking of this; otherwise it is a per-message exchange of signed messages manually.

https://www.experts-exchange.com/questions/28939259/How-to-bulk-import-all-our-users-S-MIME-certs-to-the-GAL.html
 

Author Comment

by:Thorsten_S
ID: 41805935
Hi and thanks for your answer. This Bug is known since Outlook 2010 ... "Publish to GAL Button disappears when multiple Outlook accounts are configured"

I will try the PowerShell Solution and hope that this is working for Azure AD as well and not only for on premises Active Directory.

Thanks!
 

Author Comment

by:Thorsten_S
ID: 41811524
I have my solution now. I was able to publish the S/MIME certificates with the following Exchange Remote PowerShell cmdlets:

# Load the user's public certificate (.cer, DER or Base64) from disk
$cert1 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate "C:\Certs\Certificate1.cer"

# Both mailbox attributes are multi-valued, so wrap the raw DER bytes in a list
$certarray = New-Object system.collections.arraylist
$certarray.insert(0,$cert1.getrawcertdata())

# Write the certificate to the mailbox; UserSmimeCertificate is what the GAL exposes to Outlook
Set-Mailbox -Identity <EMAILADDRESS> -UserCertificate $certarray -UserSmimeCertificate $certarray
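Because Set-Mailbox accepts any bytes, publishing straight from a folder of .cer files would also publish expired certificates or certificates issued to someone else. The script below is an added example, not the thread author's code; it extends the accepted solution to a whole folder and assumes an open Exchange Online remote PowerShell session and files in C:\Certs named after each mailbox's primary SMTP address (both assumptions), validating each certificate before it reaches the GAL.

```powershell
# Added example (not from the original thread). Assumes an open Exchange Online
# remote PowerShell session and .cer files in C:\Certs named <smtpaddress>.cer
# (both the folder and the naming convention are assumptions).
$CertFolder = 'C:\Certs'
$now = Get-Date

foreach ($file in Get-ChildItem -Path $CertFolder -Filter '*.cer') {
    $mail = $file.BaseName
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName

    # 1. Do not publish certificates that are expired or not yet valid.
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        Write-Warning "$mail : certificate outside its validity period, skipped"
        continue
    }

    # 2. The certificate must name the mailbox it is published on: RFC 822 names sit in
    #    the Subject Alternative Name extension (OID 2.5.29.17) or, on older certs, in E= of the Subject.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $escaped = [regex]::Escape($mail)
    if ($sanText -notmatch $escaped -and $cert.Subject -notmatch "E=$escaped") {
        Write-Warning "$mail : certificate does not name this address, skipped"
        continue
    }

    # 3. Require the Secure Email EKU (1.3.6.1.5.5.7.3.4) so only S/MIME-capable certs are published.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or $eku.EnhancedKeyUsages.Value -notcontains '1.3.6.1.5.5.7.3.4') {
        Write-Warning "$mail : no Secure Email EKU, skipped"
        continue
    }

    # 4. Publish exactly as in the accepted solution: DER bytes in a multi-valued property.
    $bytes = New-Object System.Collections.ArrayList
    [void]$bytes.Add($cert.RawData)
    Set-Mailbox -Identity $mail -UserCertificate $bytes -UserSmimeCertificate $bytes
    Write-Output "$mail : published thumbprint $($cert.Thumbprint)"
}
```

The thumbprint printed per mailbox gives you a record to compare against Get-Mailbox output later, so a replaced or revoked certificate can be found and re-published.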
 
LVL 64

Expert Comment

by:btan
ID: 41811714
Thanks for sharing.
