Use digital signatures for email with Microsoft Outlook for Windows

Before you begin

You can use S/MIME certificates, also called "S/MIME Certs" or "Personal Certificates", with most email clients to digitally sign and/or encrypt email messages. At Indiana University, S/MIME certificates are provided by the InCommon Certificate Service. For instructions on getting a certificate, see Get an S/MIME certificate for digital email signatures at IU.

When you receive your certificate from InCommon, it will be in the PKCS #12 format (.p12 or .pfx), encrypted with the strong passphrase ("PIN") you created for it at the time of request. You will need this passphrase to install the certificate.

Also, for details about potential issues with various devices and applications when using digital signatures, be sure to refer to Known issues with digitally signed email at IU.

View a video about using digital signatures in Microsoft Outlook for Windows.

S/MIME certificates are not currently supported in OWA at IU. These instructions will be updated when these features are supported.

Import your certificate

To use an S/MIME certificate, you must first import it to your local computer. There are two possible ways to do this.

Standard instructions

  1. On the computer to which you're importing the certificate, locate your certificate file, right-click the file, and click Install PFX.
  2. When the Certificate Import Wizard starts, click Next.
  3. On the "File to Import" page, click Next.
  4. Enter the passphrase ("PIN") that you used to secure the private key.

    UITS recommends that you select Mark this key as exportable. This will allow you to back up or transport your keys at a later time.

  5. Click Next.
  6. On the "Certificate Store" page, leave the default option Automatically select the certificate store based on the type of certificate. Click Next.
  7. Click Finish. To complete importing your certificate, click OK.

Alternate method

You may not have the option to import the certificate by right-clicking the file and using the instructions above if you have Symantec Encryption Desktop installed, or if you are using Outlook as a standalone app (that is, not as part of a virtual desktop) in IUanyWare. Instead:

  1. Open Outlook. From the File tab, choose Options, then Trust Center, and then Trust Center Settings.
  2. Click Email Security, and then Import/Export.
  3. Click Browse.... Locate your certificate file and click Open.
  4. Enter the passphrase ("PIN") that you used to secure the private key, and click OK. Click OK to finish importing the certificate.
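
After either import method, you can confirm from PowerShell that the certificate is in your Personal store with its private key and is usable for both signing and encryption. The following is an added example, not part of the original instructions; it only reads the current user's certificate store and uses no values from this page.

```powershell
# Added example: list the certificates in the current user's Personal store
# that carry the Secure Email purpose, and show whether each one is usable
# for S/MIME signing and encryption.
$SecureEmailOid = '1.3.6.1.5.5.7.3.4'   # Secure Email (id-kp-emailProtection)
$EkuType  = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$KuType   = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
$Flags    = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
$NameType = [System.Security.Cryptography.X509Certificates.X509NameType]
$now      = Get-Date

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # Keep only certificates whose Enhanced Key Usage lists Secure Email.
    $eku     = $cert.Extensions | Where-Object { $_ -is $EkuType }
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    if ($ekuOids -notcontains $SecureEmailOid) { return }   # skip this certificate

    # A missing Key Usage extension means usage is not restricted.
    $ku         = $cert.Extensions | Where-Object { $_ -is $KuType }
    $canSign    = -not $ku -or $ku.KeyUsages.HasFlag($Flags::DigitalSignature)
    $canEncrypt = -not $ku -or
                  $ku.KeyUsages.HasFlag($Flags::KeyEncipherment) -or
                  $ku.KeyUsages.HasFlag($Flags::KeyAgreement)

    [pscustomobject]@{
        Email         = $cert.GetNameInfo($NameType::EmailName, $false)
        Thumbprint    = $cert.Thumbprint
        # False here means only the public certificate was imported:
        # Outlook could not sign with it or decrypt mail sent to you.
        HasPrivateKey = $cert.HasPrivateKey
        InValidity    = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        CanSign       = $canSign
        CanEncrypt    = $canEncrypt
    }
} | Format-Table -AutoSize
```

If no rows are returned, the import did not place a Secure Email certificate in your Personal store; repeat the import before configuring Outlook.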

Use your certificate with Outlook

To configure Microsoft Outlook with an S/MIME certificate:

  1. Open Outlook. From the File tab, choose Options, then Trust Center, and then Trust Center Settings....
  2. Click Email Security.
  3. Click Settings....
  4. Under the "Security Settings Name" text box, enter a name; this will simply be a label for your security settings, for example, "My S/MIME Settings (".
  5. Next to "Signing Certificate", click Choose.... Select your certificate and click OK.
  6. Next to "Encryption Certificate", click Choose.... Select your certificate and click OK twice.
    Outlook will not let you import your S/MIME settings if you have not imported your security certificate (see Import your certificate above).
  7. To digitally sign all your messages, check Add digital signature to outgoing messages. To ensure that signed messages will go through to all email systems, make sure that Send clear text signed message when sending signed messages is also checked.
    If you do not wish for messages to be encrypted by default, make sure Encrypt contents and attachments for outgoing messages is not checked.
  8. Click Publish to GAL to put your public certificate in the Global Address List. This will allow others at IU to access your public key so that they can send encrypted messages to you.
    You may not see the "Publish to GAL" button if you have multiple Exchange accounts added to your Outlook profile. If the button is missing, create another Outlook profile containing the single Exchange account for which you're publishing the certificate, and then retry these instructions.
  9. Click OK twice.

You should now have the option to digitally sign (and encrypt) email messages:

  1. In Outlook, click New Email to compose a new message.
  2. Click the Options tab, and you will see:
    • Sign: This option digitally signs the message so others can be sure it came from you.
    • Encrypt: This option encrypts the message content and attachments.
      Email clients that do not use S/MIME certificates cannot display encrypted email. These include OWA through Chrome, Firefox, and Safari, so recipients who use one of these clients will be unable to view encrypted messages. However, all mail clients can view digitally signed email.

Use a group account certificate

To use an S/MIME certificate with a group account, install and enable the certificate as you would for a standard account.

  • If the profile you are using in your email client is the group account, there should be no issues.
  • If the profile you are using in your email client is your personal account and you want to send email from the group account, in your email message, open the "From" field and enter the group account address. If your personal account has "send as" rights for the group account, there should be no issues. If you are unsure whether you have "send as" rights, contact your IT Pro.

Export your certificate

If you want to create a backup copy of your certificate or use it on another computer, you must first export the certificate. UITS recommends that you export certificates to removable media, such as a USB flash drive.

  1. In the Start menu, enter certmgr.msc to open Certificate Manager. Enter administrator credentials if prompted.
  2. Right-click the certificate that you want to export, select All Tasks, and then click Export.
  3. In the Certificate Export Wizard, click Next.
  4. If you're going to use this certificate on another computer, select Yes, export the private key; otherwise, select No, do not export the private key. Click Next.
    This option will appear only if you have access to the private key and it is marked as exportable.
  5. Select the format you want to use, and click Next.
    The default format is .pfx with no check boxes selected, which should work for most users.
  6. Click Next.

This is document bcta in the Knowledge Base.
Last modified on 2021-05-05 14:48:25.