Exchange Online S/MIME Encryption

Posted on 2016-09-19
Last Modified: 2016-09-22
Hello,

I have a question regarding Exchange Online and S/MIME Encryption.

The Exchange Server and Active Directory infrastructure has moved completely to the cloud. There is no on-premises Exchange Server and no on-premises domain controller.

In the past I was able to import the S/MIME certificates manually via AD UC (Active Directory Users and Computers). But since there is no local domain controller, I cannot find a way to import the certificates. Normally the users use the Outlook client to publish their own S/MIME certificate to the GAL. But sometimes the Outlook button "Publish to GAL" is missing (especially when multiple Outlook accounts are configured, or when users are working on Outlook for Mac). In those cases I imported the certificates with the help of AD UC.
How can I do this now without any on-premises domain controller?

Thanks for your help
Question by:Thorsten_S
6 Comments
 
LVL 65

Expert Comment

by:btan
ID: 41804994
You need to set up a virtual certificate collection. It is a certificate store file type with an SST filename extension. The SST file contains all the root and intermediate certificates that are used when validating an S/MIME certificate. Please see "Scenario 1: Exchange Online":
In this scenario, all the users are hosted in the cloud and there is no on-premises Exchange organization.

Requirements

1. .SST file (serialized store): The SST file contains all the root and intermediate certificates that are used when validating the S/MIME message in Office 365. The .SST file is created from the certificate store as explained below.
2. End user's certificate for signing and encrypting the message, issued from a Certificate Authority (CA), either a Windows-based CA or a third-party CA.
https://blogs.technet.microsoft.com/exchange/2014/12/15/how-to-configure-smime-in-office-365/

MSDN on "Create and save an SST" and "Ensuring a certificate is valid" https://technet.microsoft.com/en-us/library/dn626155(v=exchg.150).aspx
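The SST build-and-upload step from the linked article, as an added example (not code from the thread or from Microsoft's article). It assumes the root and intermediate CA certificates have been exported as .cer files into C:\CAChain, that the Windows PKI module (Export-Certificate) is available locally, and that an Exchange Online remote PowerShell session is already open so that Set-SmimeConfig resolves; the article itself builds the .sst through the certmgr GUI, and Export-Certificate -Type SST is a scripted alternative.

```powershell
# Added example, not from the original thread or the linked article.
# Builds the virtual certificate collection (.sst) from the CA chain and uploads it
# to Exchange Online. Assumed paths: CA .cer files under C:\CAChain, output .sst beside them.

$chainDir = 'C:\CAChain'                  # assumed folder holding root/intermediate .cer files
$sstPath  = 'C:\CAChain\SmimeChain.sst'   # assumed output path for the serialized store

# Load each certificate and keep only CA certificates (BasicConstraints CA=TRUE).
# A leaf user certificate does not belong in the issuing-CA collection.
$caCerts = @(Get-ChildItem -Path $chainDir -Filter *.cer | ForEach-Object {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_.FullName
    $isCa = @($c.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
        ForEach-Object { $_.CertificateAuthority })
    if ($isCa -contains $true) {
        $c
    } else {
        Write-Warning "Skipping non-CA certificate: $($c.Subject)"
    }
})

if ($caCerts.Count -eq 0) { throw "No CA certificates found in $chainDir" }

# Export-Certificate (PKI module) serializes the set into a single .sst file.
Export-Certificate -Cert $caCerts -FilePath $sstPath -Type SST -Force | Out-Null

# Set-SmimeConfig takes the raw bytes of the .sst; ReadAllBytes avoids the
# Get-Content -Encoding Byte form, which is not available in PowerShell 7.
$sstBytes = [System.IO.File]::ReadAllBytes($sstPath)
Set-SmimeConfig -SMIMECertificateIssuingCA $sstBytes

# Read the tenant configuration back to confirm the collection was stored.
Get-SmimeConfig | Format-List
```

Re-run the block whenever a CA in the chain is renewed or an intermediate is added; Exchange Online validates user S/MIME certificates only against the chain present in this collection, so a missing intermediate shows up as recipients being unable to validate signatures rather than as an upload error.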
Author Comment

by:Thorsten_S
ID: 41805135
Thanks for your reply.
I have seen this article before. I have uploaded the SST file with the root and intermediate certificates. But it is also mentioned and described there that the user's S/MIME certificate is published to the GAL with the Outlook "Publish to GAL" button:

Once the information is selected, you will notice the Default Setting is populated with Security Settings Name. Now you can click the Publish to GAL button. To publish the certificate to the GAL, click OK.

I have some Windows Outlook clients and Outlook for Mac clients where this button is not present (for Mac users it is never present, and for some Windows Outlook clients the button does not appear when there are multiple mailboxes connected in one Outlook profile).

I do not think that I can skip this step of publishing the user's S/MIME certificate to the GAL. In the past I had to import those certificates manually via AD UC.

In the remote Exchange PowerShell I can check the S/MIME certificate with:
Get-Mailbox usersmailaddress | fl UserSmimeCertificate

I would now expect that there is a PowerShell cmdlet to import the "UserSmimeCertificate".
Accepted Solution

by:btan (earned 2000 total points)
ID: 41805751
The missing button to publish to the GAL seems to be a bug due to multiple MAPI accounts in the user profile, see http://www.ehloworld.com/509

As for iOS publishing the S/MIME cert, I am thinking of this; otherwise it is a per-message exchange of signed messages manually.

https://www.experts-exchange.com/questions/28939259/How-to-bulk-import-all-our-users-S-MIME-certs-to-the-GAL.html
Author Comment

by:Thorsten_S
ID: 41805935
Hi and thanks for your answer. This bug has been known since Outlook 2010 ... "Publish to GAL button disappears when multiple Outlook accounts are configured".

I will try the PowerShell Solution and hope that this is working for Azure AD as well and not only for on premises Active Directory.

Thanks!
Author Comment

by:Thorsten_S
ID: 41811524
I have my solution now. I was able to publish the S/MIME certificates with the following Exchange remote PowerShell cmdlets:

# Load the user's public certificate (.cer, public key only) from disk
$cert1 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate "C:\Certs\Certificate1.cer"

# Both mailbox properties are multi-valued, so the raw DER bytes go into a collection
$certarray = New-Object System.Collections.ArrayList
$certarray.Insert(0, $cert1.GetRawCertData())

# UserCertificate is what the GAL exposes; UserSmimeCertificate is what Exchange Online uses for S/MIME
Set-Mailbox -Identity <EMAILADDRESS> -UserCertificate $certarray -UserSmimeCertificate $certarray
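The same Set-Mailbox approach generalized to a folder of user certificates, as an added example (not the asker's or btan's code). It assumes each user's public certificate is saved as C:\Certs\<primary SMTP address>.cer, that an Exchange Online remote PowerShell session is open, and that Get-Mailbox returns UserSmimeCertificate as byte arrays (which is what the read-back check relies on). Before publishing it rejects certificates that Outlook or recipients would not accept anyway: expired ones, ones without the Secure Email EKU, and ones whose e-mail address does not match the mailbox.

```powershell
# Added example, not from the original thread. Bulk-publishes user S/MIME certificates
# to Exchange Online mailboxes without the Outlook "Publish to GAL" button.
# Assumptions: C:\Certs\<smtp address>.cer per user (public key only), and an
# Exchange Online remote PowerShell session already connected.

$certDir     = 'C:\Certs'            # assumed folder of exported .cer files
$secureEmail = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection (Secure Email) EKU OID
$report      = New-Object System.Collections.Generic.List[object]

function Add-Result([string]$Mailbox, [string]$Status, [string]$Detail) {
    $report.Add([pscustomobject]@{ Mailbox = $Mailbox; Status = $Status; Detail = $Detail })
}

foreach ($file in Get-ChildItem -Path $certDir -Filter *.cer) {
    $mailbox = $file.BaseName        # user@contoso.com.cer -> user@contoso.com
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName

    # 1. Validity window: an expired or not-yet-valid certificate must not be published.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        Add-Result $mailbox 'Skipped' "Outside validity period (NotAfter $($cert.NotAfter))"
        continue
    }

    # 2. Extended Key Usage must include Secure Email, otherwise this is not an S/MIME certificate.
    $ekus = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    if ($ekus -notcontains $secureEmail) {
        Add-Result $mailbox 'Skipped' "Missing Secure Email EKU ($secureEmail)"
        continue
    }

    # 3. The e-mail address in the certificate (SAN rfc822Name or Subject E=) must match the
    #    mailbox, or recipients see a sender/certificate mismatch warning on signed mail.
    $certEmail = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)
    if ($certEmail -and $certEmail -ne $mailbox) {
        Add-Result $mailbox 'Skipped' "Certificate is issued to $certEmail"
        continue
    }

    # 4. Publish. Both properties are multi-valued collections of DER byte arrays.
    #    Set-Mailbox replaces the existing value, so any older certificate the user still
    #    needs (e.g. to decrypt old mail) must also be added to $certArray here.
    $certArray = New-Object System.Collections.ArrayList
    [void]$certArray.Add($cert.RawData)
    Set-Mailbox -Identity $mailbox -UserCertificate $certArray -UserSmimeCertificate $certArray

    # 5. Read the mailbox back and compare thumbprints instead of trusting the cmdlet's silence.
    $published = @((Get-Mailbox -Identity $mailbox).UserSmimeCertificate | ForEach-Object {
        (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$_)).Thumbprint
    })
    if ($published -contains $cert.Thumbprint) {
        Add-Result $mailbox 'Published' $cert.Thumbprint
    } else {
        Add-Result $mailbox 'Failed' 'Thumbprint not present on mailbox after Set-Mailbox'
    }
}

$report | Format-Table -AutoSize
```

The thumbprint read-back matters because Set-Mailbox accepts any byte array; a wrong file (for example a PKCS#7 chain instead of a single DER certificate) is stored without error and only fails later when a client tries to encrypt to that user.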
Expert Comment

by:btan
ID: 41811714
Thanks for sharing.