Solved

Exchange Online S/MIME Encryption

Posted on 2016-09-19
Last Modified: 2016-09-22
Hello,

I have a question regarding Exchange Online and S/MIME Encryption.

The Exchange Server and Active Directory infrastructure has moved completely to the cloud. No on-premises Exchange Server and no on-premises domain controller.

In the past I was able to import the S/MIME certificates manually over AD UC (Active Directory Users and Computers). But since there is no domain controller locally I cannot find a way to import the certificates. Normally the users use the Outlook client to publish their own S/MIME certificate to the GAL. But sometimes the Outlook button "Publish to GAL" is missing (especially when multiple Outlook accounts are configured, or when users are working on Outlook for Mac). At this point I imported these certificates with the help of AD UC.
How can I do this now without any on-premises domain controller?

Thanks for your help
Question by: Thorsten_S
6 Comments

LVL 61

Expert Comment

by:btan
You need to set up a virtual certificate collection. It is a certificate store file type with an SST filename extension. The SST file contains all the root and intermediate certificates that are used when validating an S/MIME certificate. Please see "Scenario 1: Exchange Online":
In this scenario, all the users are hosted on cloud and there is no on-premises Exchange organization.

Requirements

1. .SST File (Serialized store): The SST file contains all the root and intermediate certificates that are used when validating the S/MIME message in Office 365. The .SST file is created from certificate store explained below.
2. End user’s certificate for signing and encrypting the message issued from Certificate Authorities(CA) either Windows based CA or Third party CA.
https://blogs.technet.microsoft.com/exchange/2014/12/15/how-to-configure-smime-in-office-365/

MSDN on "Create and save an SST" and "Ensuring a certificate is valid" https://technet.microsoft.com/en-us/library/dn626155(v=exchg.150).aspx
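The SST step described in the comment above, as an added example that is not from the thread or from Microsoft's article. It assumes Windows PowerShell with the PKI module (Export-Certificate), an already-open Remote PowerShell session to Exchange Online (Set-SmimeConfig), and that the S/MIME issuers can be picked out of the local machine store by a subject filter; the 'Contoso' name is a hypothetical placeholder.

```powershell
# Added example, not from the original thread.
# Assumptions: Windows PowerShell 5.1 with the PKI module (Export-Certificate), an open
# Exchange Online Remote PowerShell session (Set-SmimeConfig / Get-SmimeConfig), and that
# the S/MIME issuing CAs live in the local machine Root/CA stores under a hypothetical
# 'Contoso' subject name.
$issuerFilter = '*Contoso*'                              # hypothetical CA name filter
$sstPath      = Join-Path $env:TEMP 'smime-issuing-cas.sst'

function Test-IssuingCA {
    # Only root and intermediate CA certificates belong in the SST, never end-user
    # certificates, and an expired CA would only produce validation failures.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $bc = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }
    return [bool]($bc -and $bc.CertificateAuthority -and $Cert.NotAfter -gt (Get-Date))
}

# Collect the matching CA certificates from both stores.
$issuingCAs = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like $issuerFilter -and (Test-IssuingCA -Cert $_) }

if (-not $issuingCAs) { throw "No valid CA certificates matched '$issuerFilter'." }

# Serialize the collection to an SST file (the 'virtual certificate collection').
$issuingCAs | Export-Certificate -FilePath $sstPath -Type SST -Force | Out-Null

# Upload the SST to the tenant. ReadAllBytes is used instead of
# 'Get-Content -Encoding Byte', which PowerShell 7 no longer supports.
$sstBytes = [System.IO.File]::ReadAllBytes($sstPath)
Set-SmimeConfig -SMIMECertificateIssuingCA $sstBytes

# Confirm what the tenant now holds (including the expiry date of the collection).
Get-SmimeConfig | Format-List SMIMECertificateIssuingCA*
```

Re-run the script whenever an issuing CA is renewed: the tenant validates signatures only against the certificates in the uploaded SST, so a new intermediate that is missing there shows up as "untrusted" signatures for every user issued from it.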
 

Author Comment

by:Thorsten_S
Thanks for your reply.
I have seen this article before. I have uploaded the SST file with the root and intermediate certificates. But it is also mentioned and described here that the user's S/MIME certificate is published to the GAL with the Outlook "Publish to GAL" button:

Once the information is selected, you will notice the Default Setting is populated with Security Settings Name. Now you can click the Publish to GAL button. To publish the certificate to the GAL, click OK.

I have some Windows Outlook clients and Outlook for Mac clients where this button is not present (for Mac users it is never present, and for some Windows Outlook clients the button does not appear when there are multiple mailboxes connected in one Outlook profile).

I do not think that I can skip this step of publishing the user's S/MIME certificate to the GAL. In the past I had to import those certificates manually over AD UC.

In the Remote Exchange PowerShell I can check the S/MIME certificate with:
Get-Mailbox usersmailaddress | fl UserSmimeCertificate

I would now expect that there is a PowerShell cmdlet to import the "UserSmimeCertificate".
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
The missing button to publish to the GAL seems to be a bug due to multiple MAPI accounts in the user profile, see http://www.ehloworld.com/509

As for iOS to publish the S/MIME cert, I am thinking of this; otherwise it is a per-message exchange of signed messages manually.

https://www.experts-exchange.com/questions/28939259/How-to-bulk-import-all-our-users-S-MIME-certs-to-the-GAL.html

Author Comment

by:Thorsten_S
Hi and thanks for your answer. This bug has been known since Outlook 2010 ... "Publish to GAL button disappears when multiple Outlook accounts are configured"

I will try the PowerShell Solution and hope that this is working for Azure AD as well and not only for on premises Active Directory.

Thanks!
 

Author Comment

by:Thorsten_S
I have my solution now. I was able to publish the S/MIME certificates with the following Exchange Remote PowerShell cmdlets:

# Load the user's public certificate (DER .cer file) from disk
$cert1 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate "C:\Certs\Certificate1.cer"

# UserCertificate and UserSmimeCertificate are multi-valued, so the raw DER bytes go into a list
$certarray = New-Object System.Collections.ArrayList
$certarray.Insert(0, $cert1.GetRawCertData())

# Write the certificate to the mailbox attributes, which publishes it to the GAL
Set-Mailbox -Identity <EMAILADDRESS> -UserCertificate $certarray -UserSmimeCertificate $certarray
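A bulk version of the solution above, as an added example that is not the thread author's code. It assumes an open Exchange Online Remote PowerShell session (Get-Mailbox / Set-Mailbox) and a folder of DER .cer files named after the mailbox they belong to (for example C:\Certs\alice@contoso.com.cer, a constructed naming convention). Before each certificate is written, it is checked for validity period, the Secure Email EKU and a matching e-mail name, so that a stale or mis-filed certificate is not published to the whole GAL; after the write, the mailbox is read back and the thumbprint compared.

```powershell
# Added example, not from the original thread. Assumptions: an open Exchange Online
# Remote PowerShell session, and a folder of public .cer files named after the mailbox
# they belong to (e.g. C:\Certs\alice@contoso.com.cer) - a constructed naming convention.
$certDir        = 'C:\Certs'
$secureEmailEku = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection

function Test-SmimeUserCert {
    # $true only if the certificate is reasonable to publish for this mailbox:
    # inside its validity period, carries the Secure Email EKU, and its e-mail name
    # (RFC822 name in the SAN or subject) matches the mailbox address.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Mailbox
    )
    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) {
        Write-Warning "$Mailbox : certificate is outside its validity period"; return $false
    }
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not ($eku -and ($eku.EnhancedKeyUsages | Where-Object Value -eq $secureEmailEku))) {
        Write-Warning "$Mailbox : certificate lacks the Secure Email EKU"; return $false
    }
    $certMail = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::EmailName, $false)
    if ($certMail -ne $Mailbox) {   # string -eq is case-insensitive in PowerShell
        Write-Warning "$Mailbox : certificate is issued to '$certMail', not publishing"; return $false
    }
    return $true
}

foreach ($file in Get-ChildItem -Path $certDir -Filter *.cer) {
    $mailbox = $file.BaseName
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName
    if (-not (Test-SmimeUserCert -Cert $cert -Mailbox $mailbox)) { continue }

    # Both attributes are multi-valued byte arrays, so the DER bytes are wrapped in a list.
    $certList = New-Object System.Collections.ArrayList
    [void]$certList.Add($cert.RawData)
    Set-Mailbox -Identity $mailbox -UserCertificate $certList -UserSmimeCertificate $certList

    # Read the mailbox back and compare thumbprints so a silent no-op is noticed.
    $published = @()
    foreach ($raw in (Get-Mailbox -Identity $mailbox).UserSmimeCertificate) {
        $published += (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)).Thumbprint
    }
    if ($published -contains $cert.Thumbprint) {
        Write-Host "$mailbox : published $($cert.Thumbprint)"
    } else {
        Write-Warning "$mailbox : thumbprint not found in UserSmimeCertificate after update"
    }
}
```

Only public certificates (.cer) should ever sit in that folder; the private key stays with the user, and anything written to UserSmimeCertificate is readable by every recipient who looks the user up in the GAL.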
 
LVL 61

Expert Comment

by:btan
Thanks for sharing.