About email encryption using S/MIME at IU

At Indiana University, S/MIME certificates are most commonly used to digitally sign email messages; see Secure messages with a digital signature (using S/MIME) at IU. You can use the same certificate to send and receive encrypted email messages within the IU Exchange system, as described below. For encryption of outbound email, see About the Cisco Registered Envelope Service (CRES).

Email clients that do not use S/MIME certificates cannot display encrypted email. Clients that cannot use S/MIME certificates include OWA through Chrome, Firefox, and Safari, so recipients who use one of these will be unable to view encrypted email. However, all mail clients can view digitally signed email.

Each S/MIME certificate includes two items, known as a public key and a private key. To send encrypted mail, you need your private key and the recipient's public key. To read encrypted mail, you need your private key and the sender's public key.

To allow other IU Exchange users to send you encrypted email, the easiest way to share your public key is to publish your certificate to the Global Address List (GAL). (Only IU Exchange users may do this.) To do so, you need to use Outlook for Windows (available through IUanyWare if you do not have it installed). Also, when your certificate expires, you'll need to republish the new one.

The following instructions assume that you have already received and installed (or renewed and installed) your digital signature. If not, follow the appropriate instructions linked from Secure messages with a digital signature (using S/MIME) at IU.

  1. In Outlook 2016, 2013, and 2010, from the File tab, click Options. Select Trust Center, click Trust Center Settings..., and then click E-mail Security.
  2. To put your public certificate in the Global Address List, click Publish to GAL....
    You may not see the "Publish to GAL" button if you have multiple Exchange accounts added to your Outlook profile. If the button is missing, create another Outlook profile containing the single Exchange account for which you're publishing the certificate, and then retry these instructions.
  3. You will see a dialog box that says "Microsoft Outlook is about to publish your default security certificates to the Global Address List"; click OK.

You will see a dialog box that confirms "Your certificates were published successfully".

You should always keep backups of your certificates. If you lose your certificate, you will not be able to read mail that was encrypted with that certificate. To read messages encrypted with an older certificate, you need the older certificate.
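One way to act on the backup and expiration advice above, as an added example that is not part of the original IU document: a PowerShell script that lists the S/MIME certificates in the current user's Windows certificate store, reports how long each remains valid, and exports each one with its private key to a password-protected PFX file. It assumes the certificate was installed into that store; the backup folder and the 30-day warning window are assumptions chosen for illustration.

```powershell
# Added example: inventory and back up S/MIME certificates from the
# current user's Windows certificate store (Cert:\CurrentUser\My).
$SecureEmailOid = '1.3.6.1.5.5.7.3.4'             # "Secure Email" enhanced key usage
$BackupDir      = Join-Path $HOME 'smime-backup'  # assumed backup location
$WarnDays       = 30                              # assumed renewal warning window

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$password = Read-Host -AsSecureString -Prompt 'Password to protect the PFX backups'

# Keep only certificates whose enhanced key usage lists Secure Email.
$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $SecureEmailOid
}

foreach ($cert in $certs) {
    $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
    $status = if ($daysLeft -lt 0) {
        'EXPIRED (still needed to read mail encrypted with it)'
    } elseif ($daysLeft -le $WarnDays) {
        "expires in $daysLeft days; renew, then republish to the GAL"
    } else {
        "valid for $daysLeft more days"
    }
    Write-Host "$($cert.Subject) [$($cert.Thumbprint)]: $status"

    # Without the private key, this copy cannot decrypt anything.
    if (-not $cert.HasPrivateKey) {
        Write-Warning '  No private key in this store; nothing to back up.'
        continue
    }

    $pfx = Join-Path $BackupDir "$($cert.Thumbprint).pfx"
    try {
        Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $password `
            -ErrorAction Stop | Out-Null
        Write-Host "  Backed up to $pfx"
    } catch {
        # Commonly the key was imported as non-exportable.
        Write-Warning "  Export failed: $($_.Exception.Message)"
    }
}
```

Expired certificates are exported too, because older encrypted messages can only be read with the certificate they were encrypted to. Store the PFX files and their password separately from the computer they were exported from.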

This is document alhi in the Knowledge Base.
Last modified on 2018-04-03 16:30:58.
