Solved

Exchange Online S/MIME Encryption

Posted on 2016-09-19
6
61 Views
Last Modified: 2016-09-22
Hello,

I have a question regarding Exchange Online and S/MIME Encryption.

The Exchange Server and ActiveDirectory Infrastructure has moved completely to the Cloud. No onpermises Exchange Server and no on premises Domaincontroller.

In the past I was able to Import the S/MIME certificates manually over AD UC (Active Directory Users and Computers). But since there is no Domain controller locally I can not find a way to Import the certificates. Normally the users are using Outlook Client to publish their own S/MIME Certificate to the GAL. But sometimes the Outlook button "publish to GAL" is missing (espacially when multiple Outlook Accounts are configured, or when Users are working on Outlook for Mac). At this Point I imported these certificate with the help of AD UC.
How can I realize this now without any on premises Domaincontroller?

Thanks for your help
0
Comment
Question by:Thorsten_S
  • 3
  • 3
6 Comments
 
LVL 62

Expert Comment

by:btan
ID: 41804994
You need to set up virtual certificate collection. It is a certificate store file type with an SST filename extension. The SST file contains all the root and intermediate certificates that are used when validating an S/MIME certificate. Pls see "Scenario 1: Exchange Online"
In this scenario, all the users are hosted on cloud and there is no on-premises Exchange organization.

Requirements

1. .SST File (Serialized store): The SST file contains all the root and intermediate certificates that are used when validating the S/MIME message in Office 365. The .SST file is created from certificate store explained below.
2. End user’s certificate for signing and encrypting the message issued from Certificate Authorities(CA) either Windows based CA or Third party CA.
https://blogs.technet.microsoft.com/exchange/2014/12/15/how-to-configure-smime-in-office-365/

MSDN on "Create and save an SST" and "Ensuring a certificate is valid" https://technet.microsoft.com/en-us/library/dn626155(v=exchg.150).aspx
0
 

Author Comment

by:Thorsten_S
ID: 41805135
Thanks for your reply.
I have seen this article before. I have uploaded the SST file with the Root and intermediate Certificate. But it is also mentioned here and described to publish the Users S/MIME certificate to the GAL with the Outlook button "Publish to GAL button"

Once the information is selected, you will notice the Default Setting is populated with Security Settings Name. Now you can click the Publish to GAL button. To publish the certificate to the GAL, click OK.

I have some Windows Outlook Clients and Outook Mac Clients where this button is not present (for Mac User this is never present and for some Windows Outlook Clients the button does not appear when there are multiple mailboxes connected in one Outlook Profile).

I do not think that I can ignore this step to publish the user´s S/MIME Certificat to GAL. In the past I had to Import those certificates manually over AD UC.

At the Remote Exchange Powershell I can check the S/MIME Certificate with:
get-mailbox usersmailaddress | fl usersmimecertificate

I would now expect that there is a Powershell CMDLET to Import the "usersmimecertificate" .
0
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 41805751
The missing button to publish to the GAL seems to be a bug due to multiple MAPI account in user profile, see http://www.ehloworld.com/509

As for iOS to publish the smime cert, I am thinking of this, otherwise it is per mesage exchange of signed message manually.

https://www.experts-exchange.com/questions/28939259/How-to-bulk-import-all-our-users-S-MIME-certs-to-the-GAL.html
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 

Author Comment

by:Thorsten_S
ID: 41805935
Hi and thanks for your answer. This Bug is known since Outlook 2010 ... "Publish to GAL Button disappears when multiple Outlook accounts are configured"

I will try the PowerShell Solution and hope that this is working for Azure AD as well and not only for on premises Active Directory.

Thanks!
0
 

Author Comment

by:Thorsten_S
ID: 41811524
I have my solution now. I was able to publish the s/Mime Certificates with the following Exchange Remote Powershell cmdlet:

$cert1 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate "C:\Certs\Certificate1.cer"
 
$certarray = New-Object system.collections.arraylist
 
$certarray.insert(0,$cert1.getrawcertdata())

Set-Mailbox -Identity <EMAILADDRESS> -UserCertificate $certarray -UserSmimeCertificate $certarray
0
 
LVL 62

Expert Comment

by:btan
ID: 41811714
Thanks for sharing.
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article lists the top 5 free OST to PST Converter Tools. These tools save a lot of time for users when they want to convert OST to PST after their exchange server is no longer available or some other critical issue with exchange server or impor…
This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
how to add IIS SMTP to handle application/Scanner relays into office 365.
This video demonstrates how to sync Microsoft Exchange Public Folders with smartphones using CodeTwo Exchange Sync and Exchange ActiveSync. To learn more about CodeTwo Exchange Sync and download the free trial, go to: http://www.codetwo.com/excha…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question