Solved

Exchange Online S/MIME Encryption

Posted on 2016-09-19
6
89 Views
Last Modified: 2016-09-22
Hello,

I have a question regarding Exchange Online and S/MIME Encryption.

The Exchange Server and ActiveDirectory Infrastructure has moved completely to the Cloud. No onpermises Exchange Server and no on premises Domaincontroller.

In the past I was able to Import the S/MIME certificates manually over AD UC (Active Directory Users and Computers). But since there is no Domain controller locally I can not find a way to Import the certificates. Normally the users are using Outlook Client to publish their own S/MIME Certificate to the GAL. But sometimes the Outlook button "publish to GAL" is missing (espacially when multiple Outlook Accounts are configured, or when Users are working on Outlook for Mac). At this Point I imported these certificate with the help of AD UC.
How can I realize this now without any on premises Domaincontroller?

Thanks for your help
0
Comment
Question by:Thorsten_S
  • 3
  • 3
6 Comments
 
LVL 63

Expert Comment

by:btan
ID: 41804994
You need to set up virtual certificate collection. It is a certificate store file type with an SST filename extension. The SST file contains all the root and intermediate certificates that are used when validating an S/MIME certificate. Pls see "Scenario 1: Exchange Online"
In this scenario, all the users are hosted on cloud and there is no on-premises Exchange organization.

Requirements

1. .SST File (Serialized store): The SST file contains all the root and intermediate certificates that are used when validating the S/MIME message in Office 365. The .SST file is created from certificate store explained below.
2. End user’s certificate for signing and encrypting the message issued from Certificate Authorities(CA) either Windows based CA or Third party CA.
https://blogs.technet.microsoft.com/exchange/2014/12/15/how-to-configure-smime-in-office-365/

MSDN on "Create and save an SST" and "Ensuring a certificate is valid" https://technet.microsoft.com/en-us/library/dn626155(v=exchg.150).aspx
0
 

Author Comment

by:Thorsten_S
ID: 41805135
Thanks for your reply.
I have seen this article before. I have uploaded the SST file with the Root and intermediate Certificate. But it is also mentioned here and described to publish the Users S/MIME certificate to the GAL with the Outlook button "Publish to GAL button"

Once the information is selected, you will notice the Default Setting is populated with Security Settings Name. Now you can click the Publish to GAL button. To publish the certificate to the GAL, click OK.

I have some Windows Outlook Clients and Outook Mac Clients where this button is not present (for Mac User this is never present and for some Windows Outlook Clients the button does not appear when there are multiple mailboxes connected in one Outlook Profile).

I do not think that I can ignore this step to publish the user´s S/MIME Certificat to GAL. In the past I had to Import those certificates manually over AD UC.

At the Remote Exchange Powershell I can check the S/MIME Certificate with:
get-mailbox usersmailaddress | fl usersmimecertificate

I would now expect that there is a Powershell CMDLET to Import the "usersmimecertificate" .
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 41805751
The missing button to publish to the GAL seems to be a bug due to multiple MAPI account in user profile, see http://www.ehloworld.com/509

As for iOS to publish the smime cert, I am thinking of this, otherwise it is per mesage exchange of signed message manually.

https://www.experts-exchange.com/questions/28939259/How-to-bulk-import-all-our-users-S-MIME-certs-to-the-GAL.html
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 

Author Comment

by:Thorsten_S
ID: 41805935
Hi and thanks for your answer. This Bug is known since Outlook 2010 ... "Publish to GAL Button disappears when multiple Outlook accounts are configured"

I will try the PowerShell Solution and hope that this is working for Azure AD as well and not only for on premises Active Directory.

Thanks!
0
 

Author Comment

by:Thorsten_S
ID: 41811524
I have my solution now. I was able to publish the s/Mime Certificates with the following Exchange Remote Powershell cmdlet:

$cert1 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate "C:\Certs\Certificate1.cer"
 
$certarray = New-Object system.collections.arraylist
 
$certarray.insert(0,$cert1.getrawcertdata())

Set-Mailbox -Identity <EMAILADDRESS> -UserCertificate $certarray -UserSmimeCertificate $certarray
0
 
LVL 63

Expert Comment

by:btan
ID: 41811714
Thanks for sharing.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Read this checklist to learn more about the 15 things you should never include in an email signature.
A list of top three free exchange EDB viewers that helps the user to extract a mailbox from an unmounted .edb file and get a clear preview of all emails & other items with just a single click on mailboxes.
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question