If you followed my guide to create self-signed S/MIME certificates, then you will have the necessary files to begin digitally signing and receiving encrypted e-mail. As long as the e-mail client supports S/MIME, which Outlook does support, then you can create and use your own certificates for any e-mail address including custom domains, Gmail, iCloud, or even AOL. This guide describes the process for using self-signed S/MIME certificates with Microsoft Outlook 2019 found in the Microsoft Office Professional Plus 2019 suite running on Windows 10.
Part 1 – Trusting the Self-Signed Certificate Authority
Since we’re using self-signed certificates, Windows and Outlook will not automatically recognize your personal certificate authority. If a certificate authority is not trusted, then any certificates issued by that certificate authority are not trusted and they are considered invalid by Outlook. If you try to send a digitally signed e-mail using your personal certificate before the certificate authority is trusted, then Outlook displays the message “Microsoft Outlook cannot sign or encrypt this message because your certificate is not valid.”
Step 1 – Install Certificate
Find the certificate authority certificate. If you followed my guide, the file is named ca.crt. Double-click on the file in File Explorer to open it. The Certificate Information screen is displayed. Confirm that the Issue to, Issued by, and Valid from/to dates match the expected values.
Click the Install Certificate… button.
Step 2 – Select Store Location
The Certificate Import Wizard screen is displayed. Choose Current User and click the Next button.
Step 3 – Select Certificate Store
The Certificate Store screen is displayed. Select Place all certificates in the following store and click the Browse… button.
The Select Certificate Store screen is displayed. Select Trusted Root Certification Authorities and click the OK button.
Confirm the details on the Select Certificate Store screen and click the Next button.
Step 4 – Complete the Certificate Import Wizard
The Completing the Certificate Import Wizard screen is displayed. Confirm the displayed details and click the Finish button.
Step 5 – Security Warning
A Security Warning screen is displayed requesting confirmation that the certificate should be installed. Confirm the displayed details and click the Yes button.
The Import Successful dialog box is displayed.
Close the Certificate Information screen by clicking the OK button.
Step 6 – Confirm Trusted Certification Authorities in CertMgr
From the Windows start menu, run certmgr (Manager user certificates). Under Current User, expand Trusted Root Certification Authorities and click Certificates. Review the list of certificates to confirm your certificate authority is in the store. Close the application.
Part 2 – Installing the Self-Signed S/MIME Certificate in Outlook
With the certificate authority certificate in the Windows trust store, we can now add our self-signed S/MIME certificate to Outlook.
Step 1 – Open Trust Center
Open Outlook and select File and then Options. The Outlook Options screen is displayed. Select Trust Center.
Step 2 – Open Email Security
Click the Trust Center Settings… button. The Trust Center screen is displayed. Select Email Security.
Step 3 – Import Self-Signed S/MIME Certificate
Click the Import/Export… button. The Import/Export Digital ID screen is displayed. In the Import existing Digital ID from a file section, click the Browse… button. Find the relevant PKCS12 file. If you followed my guide, the file is named smime_test_user.p12. Enter the password for the package.
Click the OK button.
Step 4 – Import Certificate
The Importing a new private exchange key dialog box is displayed. Click the OK button.
Step 5 – Change Security Settings
Returning to the Trust Center screen, click the Settings… button. The Change Security Settings screen is displayed. Confirm the displayed information is correct. Change the Security Settings Name value to a unique name for the certificate.
If the Signing Certificate or Encryption Certificate are blank, then click either Choose… button. The Windows Security Confirm Certificate dialog box is displayed. Click the OK button.
Confirm the information on the Change Security Settings dialog box are correct and click the OK button.
Step 6 – Confirm Default Settings
On the Trust Center Email Security settings screen, confirm the Default Setting references the security settings name created in the prior step. Click the OK button to close the Trust Center screen. On the Outlook Options screen, click the OK button to close the screen.
Part 3 – Sending a Digitally Signed E-mail
Finally, we can send a digitally signed e-mail in Outlook using a self-signed S/MIME certificate issued by a personal certificate authority. As a reminder, this does not allow you to send encrypted e-mails since public-key cryptography requires the sender to have the public key for the recipient (we only have the sender keys). However, this does allow you to send a digitally signed e-mail to a recipient. Since the digital signature contains your public key, the recipient can than respond with an encrypted e-mail after establishing trust in their e-mail client.
Step 1 – Draft and Sign E-mail
Create a new e-mail using the e-mail address associated with the S/MIME certificate. From the Options ribbon, click Sign.
Step 2 – Send E-mail
Complete the e-mail and click the Send button. A Windows Security dialog box is displayed requesting access to the private key. Click the Allow button.
Result
When the e-mail is received, the recipient’s e-mail client displays an indicator that the e-mail is digitally signed. Outlook’s indicator for digitally signed e-mail is a small ribbon. The recipient may then need to trust the certificate (public key) contained in your digital signature in order to respond with an encrypted message.
If you send a digitally signed e-mail from the e-mail address back to itself, you can respond to that e-mail with an encrypted message. Open the e-mail and click Reply. From the Options ribbon, click Encrypt. Add a response to the message body and click the Send button. When the response is received, Outlook displays a lock icon to indicate that the e-mail is encrypted. Outlook automatically handles the decryption when the e-mail is opened.
Part 4 – Establishing Recipient Trust
When a recipient receives a digitally signed e-mail where the sender used a self-signed S/MIME certificate and a personal certificate authority, the message is flagged by Outlook with the message “There are problems with the signature. Click the signature button for details.” The signature button is the yellow triangle with an exclamation point. As the sender, we added trust in Part 1 of this guide to the sending machine, however, the recipient machine does not recognize the certificate authority so the digital signature certificate is not trusted and flagged as invalid.
Step 1 – Invalid Digital Signature
Click the yellow triangle with an exclamation point icon. The Digital Signature: Invalid dialog box is displayed.
Step 2 – Message Security Properties (Invalid)
Click the Details… button. The Message Security Properties screen is displayed. There are many intimidating red circles with exclamation points.
Step 3 – Trust Certificate Authority
If available, click the Trust Certificate Authority… button. The Trust Certificate Authority screen is displayed. Click the Trust button. The Trust Certificate Authority screen closes. If the button is not active, proceed to the next step.
Step 4 – View Certificate and Edit Trust
Returning to the Message Security Properties screen, click the Edit Trust… button. The View Certificate screen is displayed. In the Edit Trust section, select Explicitly Trust this Certificate. Click the OK button.
Step 5 – Message Security Properties (Valid)
Returning to the Message Security Properties screen again, we find all the red circles have been replaced with green check marks. Click the Close button.
Step 6 – Valid and Trusted Digital Signature
The Digital Signature: Invalid dialog box is now the Digital Signature: Valid dialog box. Click the Close button. The digital signature is now trusted and flagged as valid.
I am unable to trust either/or the CA and/or the Signer. Following these steps I do see the CA cert in the users trusted root store and the “Edit Trust” button does show the the cert is set to “explicitly trust this certificate. However, the recipient email signature still states “the digital signature on this message is invalid or not trusted.
I am testing between 2-emails on different Office365 tenants. Both email domains are smart-hosted by MimeCast. Both clients are Outlook, one v2016 the other M365.
Any help?
I can only guess that the certificates do not have the correct usages and extensions.
S/MIME signing : YesS/MIME encryption : YesX509v3 Key Usage : Digital Signature, Non Repudiation, Key EnciphermentX509v3 Extended Key Usage : E-mail ProtectionTrusted Uses : E-mail Protection