ARCHIVED: About email encryption using S/MIME client certificates at IU

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.



Due to enhanced security features in Exchange Online, digital signatures are no longer required at IU; however, digital signatures will continue to work as expected if you wish to continue using them.

At Indiana University, S/MIME client certificates are most commonly used to digitally sign email messages; see ARCHIVED: Use an S/MIME client certificate to secure your email messages with a digital signature. Client certificates also can be used to send and receive encrypted email messages within the IU Exchange system, as described below. To encrypt email sent to recipients outside the IU Exchange system, see About Office Message Encryption (OME).

Email clients that cannot use S/MIME client certificates are unable to display encrypted email; this includes Outlook on the web in any browser except Edge on Windows. Recipients who use one of these clients will not be able to read encrypted messages. Digitally signed email, by contrast, can be viewed in every mail client.

Each S/MIME client certificate includes two items, known as a public key and a private key. To send encrypted mail, you need your private key and the recipient's public key. To read encrypted mail, you need your private key and the sender's public key.

If you want to allow other IU Exchange users to send you encrypted email, you can publish your client certificate to the Global Address List (GAL). To do so, you need to use Outlook for Windows (available through IUanyWare if you do not have it installed). Also, when your client certificate expires, you'll need to republish the new one.

The following instructions assume that you have already received and installed (or renewed and installed) your client certificate. If not, follow the appropriate instructions linked from ARCHIVED: Use an S/MIME client certificate to secure your email messages with a digital signature.

  1. From Outlook's File tab, click Options. Select Trust Center, click Trust Center Settings..., and then click E-mail Security.
  2. To publish your client certificate to the GAL, click Publish to GAL....
    You may not see the "Publish to GAL" button if you have multiple Exchange accounts added to your Outlook profile. If the button is missing, create another Outlook profile containing the single Exchange account for which you're publishing the certificate, and then retry these instructions.
  3. You will see a dialog box that says "Microsoft Outlook is about to publish your default security certificates to the Global Address List"; click OK.

You will see a dialog box that confirms "Your certificates were published successfully".

You should always keep backups of your client certificates. If you lose your certificate, you will not be able to read mail that was encrypted with that certificate. To read messages encrypted with an older certificate, you need the older certificate.
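To make the key roles described above concrete (the recipient's published public key encrypts, only the matching private key decrypts, and a lost certificate means the message stays unreadable), here is an added shell example that is not part of the IU article. It uses the openssl command line; the identities alice and bob, their example.edu addresses and the message text are constructed for the demo, and bob.crt stands in for a certificate published to the GAL.

```shell
#!/bin/sh
# Added example (not from the IU article): an S/MIME round trip with the openssl
# command line. "alice" and "bob" are constructed identities; their self-signed
# certificates stand in for the client certificates IU issues, and bob.crt plays
# the role of the public certificate Bob has published to the GAL.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MSG='Draft budget figures, for the committee only.'   # constructed sample message

# make_identity NAME: create NAME.key (private key, never shared) and NAME.crt
# (certificate carrying the public key, the part that is safe to publish).
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1/emailAddress=$1@example.edu" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# smime_encrypt RECIPIENT IN OUT: only the recipient's certificate is needed,
# which is why publishing it to the GAL lets colleagues send you encrypted mail.
smime_encrypt() {
  openssl smime -encrypt -binary -aes256 -in "$2" -out "$3" "$WORK/$1.crt"
}

# smime_decrypt NAME IN: succeeds only with the private key matching the
# certificate the message was encrypted to; prints the plaintext on success.
smime_decrypt() {
  openssl smime -decrypt -in "$2" -inkey "$WORK/$1.key" -recip "$WORK/$1.crt" 2>/dev/null
}

# round_trip: returns 0 when every check passes, 1 otherwise.
round_trip() {
  make_identity alice || return 1
  make_identity bob || return 1
  printf '%s\n' "$MSG" > "$WORK/msg.txt"
  smime_encrypt bob "$WORK/msg.txt" "$WORK/msg.p7m" || return 1
  # The envelope is what travels through Exchange: MIME headers plus ciphertext.
  grep -q 'smime-type=enveloped-data' "$WORK/msg.p7m" || return 1
  # Bob, holding the matching private key, recovers the message.
  [ "$(smime_decrypt bob "$WORK/msg.p7m")" = "$MSG" ] || return 1
  # Alice cannot read it, even though she holds Bob's published certificate;
  # the same happens to Bob himself if his certificate and key are lost.
  if smime_decrypt alice "$WORK/msg.p7m" >/dev/null; then return 1; fi
  return 0
}

if round_trip; then echo "S/MIME round trip OK"; else echo "S/MIME round trip FAILED"; exit 1; fi
```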

This is document alhi in the Knowledge Base.
Last modified on 2023-05-18 10:28:35.