Garry Shape asked:

S/MIME o365 setup - Certs clarification?

Looking to set up S/MIME, the only steps I find online use on-prem AD. What if you don't have on-prem AD with ADSync? Do you upload the SST from where, and is it for each user?
David Johnson, CD:

What is SST? S/MIME has nothing to do with AD.
Garry Shape (asker):

I was reading it here: https://docs.microsoft.com/en-us/exchange/security-and-compliance/smime-exo/configure-smime-exo. It says to "Export the root and intermediate certificates that are required to validate user S/MIME certificates from a trusted machine to a serialized certificate store (SST) file in Windows PowerShell."
I am not sure if that is a user certificate or not.
Are you using your own certificate authority, or getting the personal certificates from an online provider?

Those certificates are from the Certificate Authority so that the CA will be trusted.
I don't have my own CA, so I'm thinking I have to buy one. I'm just not sure if I buy one for each user and upload it or not.
Every user in an S/MIME conversation must have their own personal certificate AND the other's public key. You exchange keys by sending a signed but not encrypted message to the receiver, and they reply with a signed but not encrypted email.

Outlook and other email software know how to handle S/MIME messages. These certificates will be stored in the user's personal certificate store.
What you are doing with the document you specified is making S/MIME messaging available for OWA and other web-based or not fully compliant methods of receiving the mail and being able to read it, i.e. mobile users.

You can use S/MIME without going through these steps, but the mail program at each end must be RFC compliant in S/MIME.

I've been using S/MIME for over 20 years with Gmail/Hotmail and Exchange Server without telling the email server anything about S/MIME.
Ahh ok, got it. So for each user you buy a cert for them, and they send a signed email to a recipient so they can install their public key?
Then on the sender's phone, do you have them install the same private cert? And would recipients need to install the user's public cert on their phone?
Phones know nothing about how to process an S/MIME message.
This is why there's the requirement in Exchange to set up the mailbox owner's private and public keys and, when receiving a signed message, to put the public key into its store. This way, using web access, it has the smarts to decrypt the message and display it to the user. This is done on the server, not on the user's phone.
S/MIME is a problem, and Exchange is trying to provide a solution for the mobile world.
This is one reason why Office Message Encryption was invented.
The latest S/MIME 4.0 standard: https://www.rfc-editor.org/rfc/rfc8551.html#page-11

The sending of signed messages never really took off; probably less than 1% of internet users use S/MIME. It is used a lot in the financial and legal industries. In fact, until the browsers started to push for HTTPS, certificates were rarely used on websites unless they were selling something, and HTTPS was used for the transmission of financial information (credit cards etc.). At one time browsers used to warn the user that they were not on an HTTPS page.

Sure, but on the phone, if you have Outlook, the article says you can install the cert on the phone too?
Outlook is Outlook; it supports S/MIME. Web-based mail clients don't.
Got it. So I get a cert for the user; they need the private and public key on their phone if using Outlook?
Wherever they anticipate getting signed or encrypted email needs the certificate installed with the private key.
Ok, thanks. And if there's a recipient who wants to decrypt the email of the person who is using S/MIME, then the recipient also needs to install a cert for their Outlook?
They would need the certificate of the recipient (private key) AND also the public key of the sender.
So if I do S/MIME and I'm sending you email, you need my public key and you need your own private key in your Outlook?
You will encrypt with your private key and my public key.
I will decrypt using my private key and your public key.
Oh man, ok. And the only thing relevant to Exchange Online is if the user needs to email other people in Exchange, or if you use webmail, or if you have your own CA?
If you have your own certificate authority, then you must distribute the public key of the certificate server and install it in the trusted root provider store on any machine you expect to communicate with.

We host the public keys on pke.domain.com; there is absolutely no security problem distributing public keys this way.

OWA requires the certificates installed on the Exchange server.
Got it. But if using a public CA, like for SSL, you don't have to mess with any PowerShell or web server?
ASKER CERTIFIED SOLUTION
David Johnson, CD
Sorry, so for webmail you need to get each user's private and public key and upload them into Exchange Online?
For users that log in to OWA, the PFX (certificate with private key), yes, for each user that wants to use S/MIME. This is only for users within your organization.

Don't use webmail; use Outlook or the Outlook app.
<gr_insert_placeholder/>
David, sorry to bother you. I got Windows Outlook to Outlook to work. For Android Outlook I sent myself the private cert and installed it.
However, if I try to send an email to sign/encrypt from the Outlook app, it won't enable and says "Certificate invalid".
This isn't server/Exchange Online related, right?
I got the cert for free from Actalis Root, not sure if that's the problem.
I can open up a new question if that is preferred.
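As an added example (not from the thread, and not the Microsoft article's own script), this shows the distinction the answers above draw: the SST holds only the CA's root and intermediate certificates and is uploaded once for the whole tenant, while each user's PFX (certificate plus private key) lives in that user's own certificate store. It assumes the issuing chain is already present in the local machine stores, that the Windows PKI and ExchangeOnlineManagement modules are installed, and that the subject filter and output path are placeholders to replace with your own CA's name and location.

```powershell
# Added example: build the SST of root/intermediate CA certificates and
# upload it once for the tenant. Assumes the PKI module (Windows) and the
# ExchangeOnlineManagement module are installed; the subject filter and the
# output path are placeholders for your own issuing CA.

$IssuerFilter = '*Actalis*'   # placeholder: name of the CA that issued the user certs
$SstPath      = "$env:USERPROFILE\Desktop\SMIME_CertificateStore.sst"

# Collect the root and intermediate certificates of the issuing chain from the
# local stores. Only CA certificates belong in the SST; user certificates
# (and especially their private keys) never go in here.
$chain = @(Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.Subject -like $IssuerFilter -and -not $_.HasPrivateKey })

if ($chain.Count -eq 0) {
    throw "No CA certificates matched '$IssuerFilter'; import the issuing chain first."
}

# Serialize the chain into a single SST file.
$chain | Export-Certificate -FilePath $SstPath -Type SST -Force | Out-Null

# Upload the SST to the tenant. This is a one-time, tenant-wide setting and
# does not involve any per-user certificate.
Connect-ExchangeOnline
Set-SmimeConfig -SMIMECertificateIssuingCA ([System.IO.File]::ReadAllBytes($SstPath))

# Show the resulting tenant S/MIME configuration for verification.
Get-SmimeConfig | Format-List
```

The per-user PFX mentioned for OWA is installed in that user's own certificate store and is not part of this SST.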

I think I sorted it out. In Outlook Trust Center > Email Security, I changed the hash to SHA1 and the encryption algorithm to 3DES and re-published. Then, after installing my exported cert, it shows as valid. Weird.