Using digital signatures for email with Microsoft Outlook for Windows

You can use S/MIME certificates, also called "S/MIME Certs" or "Personal Certificates", with most email clients to digitally sign and/or encrypt email messages. At Indiana University, S/MIME certificates are provided by the InCommon Certificate Service. For instructions on getting a certificate, see Getting an S/MIME certificate for digital email signatures at IU.

When you receive your certificate from InCommon, it will be encrypted in the PKCS 12 format (.p12 or .pfx), using the strong passphrase ("PIN") you created for it at the time of request. You will need this passphrase to install the certificate.

Also, for details about potential issues with various devices and applications when using digital signatures, be sure to refer to Known issues with digitally signed email at IU.

Note:
S/MIME certificates are not currently supported in OWA at IU. These instructions will be updated when these features are supported.

Importing your certificate

To use an S/MIME certificate, you must first import it to your local computer:

  1. On the computer to which you're importing the certificate, locate your certificate file, right-click the file, and click Install PFX.
  2. When the Certificate Import Wizard starts, click Next.
  3. On the "File to Import" page, click Next.
  4. Enter the passphrase ("PIN") that you used to secure the private key.
  5. UITS recommends that you select Mark this key as exportable. This will allow you to back up or transport your keys at a later time.
  6. Click Next.
  7. On the "Certificate Store" page, leave the default option Automatically select the certificate store based on the type of certificate. Click Next.
  8. Click Finish. To complete importing your certificate, click OK.

Note:
If you have Symantec Encryption Desktop installed, you may not have the option to import the certificate by right-clicking the file and using the instructions above. Instead:

  1. Open Outlook. From the File tab, choose Options, then Trust Center, and then Trust Center Settings.
  2. Click Email Security, and then Import/Export.
  3. Click Browse.... Locate your certificate file and click Open.
  4. Enter the passphrase ("PIN") that you used to secure the private key, and click OK. Click OK to finish importing the certificate.
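
The wizard import described in this section can also be done and checked from PowerShell. The following is an added example, not part of the original IU instructions; the file path and the function name Test-SmimeCertificate are assumptions. It imports the PKCS 12 file into the current user's Personal store with the key marked exportable, then reports whether the certificate has a private key, carries the Secure Email usage, and is within its validity period.

```powershell
# Added example. The path below is an assumed location for the downloaded file.
$PfxPath = "$env:USERPROFILE\Downloads\smime-cert.p12"

# Prompt for the passphrase ("PIN") so it is never stored in a script or history.
$Pin = Read-Host -Prompt 'Certificate passphrase (PIN)' -AsSecureString

function Test-SmimeCertificate {
    # Hypothetical helper: summarizes the properties Outlook needs for S/MIME.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $secureEmailOid = '1.3.6.1.5.5.7.3.4'   # Secure Email (emailProtection) EKU
    $ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $eku = $Cert.Extensions | Where-Object { $_ -is $ekuType }
    $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $now = Get-Date

    [pscustomobject]@{
        Subject        = $Cert.Subject
        EmailAddress   = $Cert.GetNameInfo('EmailName', $false)
        Thumbprint     = $Cert.Thumbprint
        HasPrivateKey  = $Cert.HasPrivateKey          # required for signing and decrypting
        SecureEmailEku = ($ekuOids -contains $secureEmailOid)
        InValidity     = ($Cert.NotBefore -le $now -and $Cert.NotAfter -ge $now)
        NotAfter       = $Cert.NotAfter
    }
}

# Cert:\CurrentUser\My is the "Personal" store the wizard selects automatically.
# -Exportable corresponds to "Mark this key as exportable" in step 5.
$imported = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\CurrentUser\My `
    -Password $Pin -Exportable

# Report on the certificate that was just imported.
Test-SmimeCertificate -Cert $imported | Format-List
```

If HasPrivateKey or SecureEmailEku is False, Outlook will not offer the certificate under "Signing Certificate" or "Encryption Certificate".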

Using your certificate with Outlook 2016, 2013, and 2010

To configure Microsoft Outlook with an S/MIME certificate:

  1. Open Outlook. From the File tab, choose Options, then Trust Center, and then Trust Center Settings.
  2. Click Email Security.
  3. Click Settings....
  4. Under the "Security Settings Name" text box, enter a name; this will simply be a label for your security settings, e.g., "My S/MIME Settings (username@iu.edu)".
  5. Next to "Signing Certificate", click Choose.... Select your certificate and click OK.
  6. Next to "Encryption Certificate", click Choose.... Select your certificate and click OK twice.
    Note:
    Outlook will not let you import your S/MIME settings if you have not imported your security certificate (see Importing your certificate above).
  7. To digitally sign all your messages, check Add digital signature to outgoing messages.
    Note:
    If you do not wish for messages to be encrypted by default, make sure Encrypt contents and attachments for outgoing messages is not checked and Send clear text signed message when sending signed messages is checked.
  8. Click Publish to GAL to put your public certificate in the Global Address List. This will allow others at IU to access your public key so that they can send encrypted messages to you.
    Note:
    You may not see the "Publish to GAL" button if you have multiple Exchange accounts added to your Outlook profile. If the button is missing, create another Outlook profile containing the single Exchange account for which you're publishing the certificate, and then retry these instructions.
  9. Click OK twice.

You should now have the option to digitally sign (and encrypt) email messages:

  1. In Outlook, click New Email to compose a new message.
  2. Click the Options tab, and you will see:
    • Sign: This option digitally signs the message so others can be sure it came from you.
    • Encrypt: This option encrypts the message content and attachments.
      Important:
      Email clients not using S/MIME certificates will not be able to view encrypted email. Clients that cannot use S/MIME certificates include OWA through Chrome, Firefox, and Safari; recipients who use one of these clients will be unable to view encrypted email. However, all mail clients can view digitally signed email.

Using a group account certificate

To use an S/MIME certificate with a group account, install and enable the certificate as you would for a standard account.

Notes:
  • If the profile you are using in your email client is the group account, there should be no issues.
  • If the profile you are using in your email client is your personal account and you want to send email from the group account, in your email message, open the "From" field and enter the group account address. If your personal account has "send as" rights for the group account, there should be no issues. If you are unsure whether you have "send as" rights, contact your IT Pro.

Exporting your certificate

If you want to create a backup copy of your certificate or use it on another computer, you must first export the certificate. UITS recommends that you export certificates to removable media, such as a USB flash drive. To export your certificate, follow the appropriate steps below.

Exporting your certificate using Certificate Manager

  1. In the Start menu, enter certmgr.msc to open Certificate Manager. Enter administrator credentials if prompted.
  2. Right-click the certificate that you want to export, select All Tasks, and then click Export.
  3. In the Certificate Export Wizard, click Next.
  4. If you're going to use this certificate on another computer, select Yes, export the private key; otherwise, select No, do not export the private key. Click Next.
    Note:
    This option will appear only if you have access to the private key and it is marked as exportable.
  5. Select the format you want to use, and click Next.
    Note:
    The default format is .pfx with no check boxes selected, which should work for most users.
  6. Click Next.

Exporting your certificate using Internet Explorer

Note:
On January 12, 2016, Microsoft ended support for Internet Explorer versions prior to version 11. UITS strongly recommends that you upgrade to a new operating system if your current system does not support Internet Explorer 11.

  1. Open Internet Explorer. From the menu bar, click Tools; alternatively, click the gear icon at the top right.
  2. From the drop-down menu, select Internet options.
  3. In the "Internet Options" window, click the Content tab, and then select Certificates.
  4. In the "Certificates" window, click Export... to open the Certificate Export Wizard. Click Next.
  5. If you are going to use this certificate on another computer, select Yes, export the private key; otherwise, select No, do not export the private key. Click Next.
    Note:
    This option will appear only if you have access to the private key and it is marked as exportable.
  6. Select the format you want to use, and click Next.
    Note:
    The default format is .pfx with no check boxes selected, which should work for most users.
  7. Click Next.

This is document bcta in the Knowledge Base.
Last modified on 2017-10-10 07:30:56.
